Analysis
max time kernel: 63s
max time network: 170s
platform: windows10_x64
resource: win10-en-20211208
submitted: 20/12/2021, 14:03
Static task: static1
Behavioral task: behavioral1
  Sample: b0c02a35dcd8b8c7eff54599d1a1ec1d8ca401b90fa4b8a0d66bbad8e6bbb7f0.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: b0c02a35dcd8b8c7eff54599d1a1ec1d8ca401b90fa4b8a0d66bbad8e6bbb7f0.exe
  Resource: win10-en-20211208
General
Target: b0c02a35dcd8b8c7eff54599d1a1ec1d8ca401b90fa4b8a0d66bbad8e6bbb7f0.exe
Size: 7.6MB
MD5: d12ffcd4fdf8820c753e597f9bbb4249
SHA1: 95ed9a95a4ec01e07d172f258d930dad41d05ff1
SHA256: b0c02a35dcd8b8c7eff54599d1a1ec1d8ca401b90fa4b8a0d66bbad8e6bbb7f0
SHA512: 0541989282c92da758ed7b5dc529d23a0312a2c45255d78d44de5f906f3defbd97d7396b9262df7fc3ebb1a206f931dbe2d6972101014ec681a50ae582f2761c
Malware Config

Extracted: socelars
  http://www.biohazardgraphics.com/

Extracted: raccoon
  164fb74855c13a4287d8fe7ac579a35bdf7002ab
  url4cnc:
    http://194.180.174.53/takecareandkeepitup
    http://91.219.236.18/takecareandkeepitup
    http://194.180.174.41/takecareandkeepitup
    http://91.219.236.148/takecareandkeepitup
    https://t.me/takecareandkeepitup

Extracted: vidar
  49.1
  915
  https://noc.social/@sergeev46
  https://c.im/@sergeev47
  profile_id: 915

Extracted: smokeloader
  2020
  http://rcacademy.at/upload/
  http://e-lanpengeonline.com/upload/
  http://vjcmvz.cn/upload/
  http://galala.ru/upload/
  http://witra.ru/upload/
Signatures

Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4896 | 4584 | rundll32.exe | 138
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (2 IoCs)
resource | yara_rule
behavioral2/memory/4216-371-0x0000000000419336-mapping.dmp | family_redline
behavioral2/memory/4600-390-0x0000000000419332-mapping.dmp | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x000500000001ab69-179.dat | family_socelars
behavioral2/files/0x000500000001ab69-215.dat | family_socelars
suricata: ET MALWARE GCleaner Downloader Activity M5

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
resource | yara_rule
behavioral2/files/0x000500000001ab68-190.dat | WebBrowserPassView
behavioral2/files/0x000500000001ab68-202.dat | WebBrowserPassView

Nirsoft (5 IoCs)
resource | yara_rule
behavioral2/files/0x000500000001ab68-190.dat | Nirsoft
behavioral2/files/0x000500000001ab68-202.dat | Nirsoft
behavioral2/files/0x000400000001ab50-286.dat | Nirsoft
behavioral2/memory/3604-287-0x0000000000400000-0x0000000000455000-memory.dmp | Nirsoft
behavioral2/files/0x000400000001ab50-285.dat | Nirsoft

Vidar Stealer (2 IoCs)
resource | yara_rule
behavioral2/memory/1392-291-0x0000000002210000-0x00000000022E9000-memory.dmp | family_vidar
behavioral2/memory/1392-296-0x0000000000400000-0x0000000000536000-memory.dmp | family_vidar

resource | yara_rule
behavioral2/files/0x000200000001ab50-125.dat | aspack_v212_v242
behavioral2/files/0x000200000001ab50-127.dat | aspack_v212_v242
behavioral2/files/0x000700000001ab54-130.dat | aspack_v212_v242
behavioral2/files/0x000700000001ab54-131.dat | aspack_v212_v242
behavioral2/files/0x000600000001ab3b-126.dat | aspack_v212_v242
behavioral2/files/0x000600000001ab3b-136.dat | aspack_v212_v242
behavioral2/files/0x000600000001ab3b-135.dat | aspack_v212_v242
Downloads MZ/PE file

Executes dropped EXE (26 IoCs)
pid | Process
1184 | setup_installer.exe
3516 | setup_install.exe
3592 | Sat167c8d2a2ad.exe
1032 | Sat166587ce542f4081.exe
1392 | Sat1616f4fdcffa5fe.exe
1688 | Sat160f3eef83e07cf3a.exe
2980 | Sat160387988bf6.exe
3040 | Sat162e27781f4.exe
3468 | Sat16ec4a145f.exe
3716 | Sat1632049d9fe71f9c.exe
1912 | Sat16391fb04cc7c106.exe
4076 | Sat160a606e591dcbf39.exe
3568 | Sat16cfe72a18.exe
1860 | Sat1679fedabf32e9e.exe
3612 | Sat16f0c9fe4357bd5.exe
3748 | Sat1633393229bac.exe
3600 | Sat166a2d0352f0def.exe
3184 | Sat161d014284dc2.exe
1904 | Sat166a2d0352f0def.exe
2228 | Sat16391fb04cc7c106.exe
1780 | @.cmd
68 | Sat161d014284dc2.tmp
1184 | Sat161d014284dc2.exe
3808 | @.cmd
3592 | Sat161d014284dc2.tmp
3604 | 11111.exe

resource | yara_rule
behavioral2/files/0x000900000001ab54-242.dat | upx
behavioral2/files/0x000900000001ab54-241.dat | upx
behavioral2/files/0x000900000001ab54-273.dat | upx

Loads dropped DLL (10 IoCs)
pid | Process
3516 | setup_install.exe
3516 | setup_install.exe
3516 | setup_install.exe
3516 | setup_install.exe
3516 | setup_install.exe
3516 | setup_install.exe
3516 | setup_install.exe
3516 | setup_install.exe
68 | Sat161d014284dc2.tmp
3592 | Sat161d014284dc2.tmp
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | Sat160387988bf6.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | Sat160387988bf6.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
22 | ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 3600 set thread context of 1904 | 3600 | Sat166a2d0352f0def.exe | 101
PID 1780 set thread context of 3808 | 1780 | @.cmd | 114

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
3856 | 3808 | WerFault.exe | 114
4692 | 4216 | WerFault.exe | 131

Delays execution with timeout.exe (1 IoCs)
pid | Process
4436 | timeout.exe

Kills process with taskkill (3 IoCs)
pid | Process
5108 | taskkill.exe
3144 | taskkill.exe
4188 | taskkill.exe
Script User-Agent (1 IoCs)
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 25 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1780 | @.cmd
1780 | @.cmd

Suspicious use of AdjustPrivilegeToken (38 IoCs)
description | pid | Process
Token: SeCreateTokenPrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeAssignPrimaryTokenPrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeLockMemoryPrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeIncreaseQuotaPrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeMachineAccountPrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeTcbPrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeSecurityPrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeTakeOwnershipPrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeLoadDriverPrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeSystemProfilePrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeSystemtimePrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeProfSingleProcessPrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeIncBasePriorityPrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeCreatePagefilePrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeCreatePermanentPrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeBackupPrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeRestorePrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeShutdownPrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeDebugPrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeAuditPrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeSystemEnvironmentPrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeChangeNotifyPrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeRemoteShutdownPrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeUndockPrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeSyncAgentPrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeEnableDelegationPrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeManageVolumePrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeImpersonatePrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeCreateGlobalPrivilege | 3612 | Sat16f0c9fe4357bd5.exe
Token: 31 | 3612 | Sat16f0c9fe4357bd5.exe
Token: 32 | 3612 | Sat16f0c9fe4357bd5.exe
Token: 33 | 3612 | Sat16f0c9fe4357bd5.exe
Token: 34 | 3612 | Sat16f0c9fe4357bd5.exe
Token: 35 | 3612 | Sat16f0c9fe4357bd5.exe
Token: SeDebugPrivilege | 1032 | Sat166587ce542f4081.exe
Token: SeDebugPrivilege | 1688 | Sat160f3eef83e07cf3a.exe
Token: SeDebugPrivilege | 3040 | Sat162e27781f4.exe
Token: SeDebugPrivilege | 4076 | Sat160a606e591dcbf39.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3536 wrote to memory of 1184 | 3536 | b0c02a35dcd8b8c7eff54599d1a1ec1d8ca401b90fa4b8a0d66bbad8e6bbb7f0.exe | 69
PID 3536 wrote to memory of 1184 | 3536 | b0c02a35dcd8b8c7eff54599d1a1ec1d8ca401b90fa4b8a0d66bbad8e6bbb7f0.exe | 69
PID 3536 wrote to memory of 1184 | 3536 | b0c02a35dcd8b8c7eff54599d1a1ec1d8ca401b90fa4b8a0d66bbad8e6bbb7f0.exe | 69
PID 1184 wrote to memory of 3516 | 1184 | setup_installer.exe | 70
PID 1184 wrote to memory of 3516 | 1184 | setup_installer.exe | 70
PID 1184 wrote to memory of 3516 | 1184 | setup_installer.exe | 70
PID 3516 wrote to memory of 1504 | 3516 | setup_install.exe | 73
PID 3516 wrote to memory of 1504 | 3516 | setup_install.exe | 73
PID 3516 wrote to memory of 1504 | 3516 | setup_install.exe | 73
PID 3516 wrote to memory of 912 | 3516 | setup_install.exe | 74
PID 3516 wrote to memory of 912 | 3516 | setup_install.exe | 74
PID 3516 wrote to memory of 912 | 3516 | setup_install.exe | 74
PID 3516 wrote to memory of 372 | 3516 | setup_install.exe | 75
PID 3516 wrote to memory of 372 | 3516 | setup_install.exe | 75
PID 3516 wrote to memory of 372 | 3516 | setup_install.exe | 75
PID 3516 wrote to memory of 1156 | 3516 | setup_install.exe | 76
PID 3516 wrote to memory of 1156 | 3516 | setup_install.exe | 76
PID 3516 wrote to memory of 1156 | 3516 | setup_install.exe | 76
PID 3516 wrote to memory of 684 | 3516 | setup_install.exe | 110
PID 3516 wrote to memory of 684 | 3516 | setup_install.exe | 110
PID 3516 wrote to memory of 684 | 3516 | setup_install.exe | 110
PID 3516 wrote to memory of 1172 | 3516 | setup_install.exe | 77
PID 3516 wrote to memory of 1172 | 3516 | setup_install.exe | 77
PID 3516 wrote to memory of 1172 | 3516 | setup_install.exe | 77
PID 3516 wrote to memory of 1764 | 3516 | setup_install.exe | 109
PID 3516 wrote to memory of 1764 | 3516 | setup_install.exe | 109
PID 3516 wrote to memory of 1764 | 3516 | setup_install.exe | 109
PID 3516 wrote to memory of 2124 | 3516 | setup_install.exe | 108
PID 3516 wrote to memory of 2124 | 3516 | setup_install.exe | 108
PID 3516 wrote to memory of 2124 | 3516 | setup_install.exe | 108
PID 1764 wrote to memory of 3592 | 1764 | cmd.exe | 107
PID 1764 wrote to memory of 3592 | 1764 | cmd.exe | 107
PID 1764 wrote to memory of 3592 | 1764 | cmd.exe | 107
PID 3516 wrote to memory of 1424 | 3516 | setup_install.exe | 78
PID 3516 wrote to memory of 1424 | 3516 | setup_install.exe | 78
PID 3516 wrote to memory of 1424 | 3516 | setup_install.exe | 78
PID 3516 wrote to memory of 1476 | 3516 | setup_install.exe | 105
PID 3516 wrote to memory of 1476 | 3516 | setup_install.exe | 105
PID 3516 wrote to memory of 1476 | 3516 | setup_install.exe | 105
PID 1504 wrote to memory of 64 | 1504 | cmd.exe | 104
PID 1504 wrote to memory of 64 | 1504 | cmd.exe | 104
PID 1504 wrote to memory of 64 | 1504 | cmd.exe | 104
PID 912 wrote to memory of 348 | 912 | cmd.exe | 79
PID 912 wrote to memory of 348 | 912 | cmd.exe | 79
PID 912 wrote to memory of 348 | 912 | cmd.exe | 79
PID 2124 wrote to memory of 1032 | 2124 | cmd.exe | 91
PID 2124 wrote to memory of 1032 | 2124 | cmd.exe | 91
PID 3516 wrote to memory of 3288 | 3516 | setup_install.exe | 80
PID 3516 wrote to memory of 3288 | 3516 | setup_install.exe | 80
PID 3516 wrote to memory of 3288 | 3516 | setup_install.exe | 80
PID 3516 wrote to memory of 1212 | 3516 | setup_install.exe | 89
PID 3516 wrote to memory of 1212 | 3516 | setup_install.exe | 89
PID 3516 wrote to memory of 1212 | 3516 | setup_install.exe | 89
PID 1476 wrote to memory of 1392 | 1476 | cmd.exe | 81
PID 1476 wrote to memory of 1392 | 1476 | cmd.exe | 81
PID 1476 wrote to memory of 1392 | 1476 | cmd.exe | 81
PID 3516 wrote to memory of 2304 | 3516 | setup_install.exe | 82
PID 3516 wrote to memory of 2304 | 3516 | setup_install.exe | 82
PID 3516 wrote to memory of 2304 | 3516 | setup_install.exe | 82
PID 3516 wrote to memory of 3636 | 3516 | setup_install.exe | 88
PID 3516 wrote to memory of 3636 | 3516 | setup_install.exe | 88
PID 3516 wrote to memory of 3636 | 3516 | setup_install.exe | 88
PID 372 wrote to memory of 1688 | 372 | cmd.exe | 84
PID 372 wrote to memory of 1688 | 372 | cmd.exe | 84
Processes
(Tree depth is shown in brackets; children are indented under their parent.)

[1] C:\Users\Admin\AppData\Local\Temp\b0c02a35dcd8b8c7eff54599d1a1ec1d8ca401b90fa4b8a0d66bbad8e6bbb7f0.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\b0c02a35dcd8b8c7eff54599d1a1ec1d8ca401b90fa4b8a0d66bbad8e6bbb7f0.exe"
    - Suspicious use of WriteProcessMemory
    PID: 3536
  [2] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 1184
    [3] C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\setup_install.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\setup_install.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 3516
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          - Suspicious use of WriteProcessMemory
          PID: 1504
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            command line: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            PID: 64
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          - Suspicious use of WriteProcessMemory
          PID: 912
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            PID: 348
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c Sat160f3eef83e07cf3a.exe
          - Suspicious use of WriteProcessMemory
          PID: 372
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat160f3eef83e07cf3a.exe
            command line: Sat160f3eef83e07cf3a.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            PID: 1688
          [6] C:\Users\Admin\AppData\Local\d86b1f01-6a36-49d8-a211-53b2f8dc2437.exe
              command line: "C:\Users\Admin\AppData\Local\d86b1f01-6a36-49d8-a211-53b2f8dc2437.exe"
              PID: 500
          [6] C:\Users\Admin\AppData\Local\a33f5743-5733-4e6a-9765-81885dcf4a72.exe
              command line: "C:\Users\Admin\AppData\Local\a33f5743-5733-4e6a-9765-81885dcf4a72.exe"
              PID: 788
            [7] C:\Users\Admin\AppData\Roaming\14897418\7901599379015993.exe
                command line: "C:\Users\Admin\AppData\Roaming\14897418\7901599379015993.exe"
                PID: 4236
          [6] C:\Users\Admin\AppData\Local\e98e3bae-53bc-45f3-ae1e-1d90626d01ba.exe
              command line: "C:\Users\Admin\AppData\Local\e98e3bae-53bc-45f3-ae1e-1d90626d01ba.exe"
              PID: 3588
          [6] C:\Users\Admin\AppData\Local\91006af7-73de-46de-9ecd-d5e56f1af915.exe
              command line: "C:\Users\Admin\AppData\Local\91006af7-73de-46de-9ecd-d5e56f1af915.exe"
              PID: 4284
          [6] C:\Users\Admin\AppData\Local\0049819e-e18c-47d3-8144-ac1ea92a3116.exe
              command line: "C:\Users\Admin\AppData\Local\0049819e-e18c-47d3-8144-ac1ea92a3116.exe"
              PID: 4392
            [7] C:\Users\Admin\AppData\Roaming\7458573.exe
                command line: "C:\Users\Admin\AppData\Roaming\7458573.exe"
                PID: 1812
              [8] C:\Windows\SysWOW64\control.exe
                  command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                  PID: 4460
                [9] C:\Windows\SysWOW64\rundll32.exe
                    command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                    PID: 2888
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c Sat160387988bf6.exe
          PID: 1156
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat160387988bf6.exe
            command line: Sat160387988bf6.exe
            - Executes dropped EXE
            - Adds Run key to start application
            PID: 2980
          [6] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
              command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
              PID: 1780
            [7] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
                command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
                - Executes dropped EXE
                PID: 3808
              [8] C:\Windows\SysWOW64\WerFault.exe
                  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 600
                  - Program crash
                  PID: 3856
            [7] C:\Windows\SysWOW64\cmd.exe
                command line: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
                PID: 4044
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c Sat16cfe72a18.exe
          PID: 1172
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat16cfe72a18.exe
            command line: Sat16cfe72a18.exe
            - Executes dropped EXE
            PID: 3568
          [6] C:\Windows\SysWOW64\msiexec.exe
              command line: "C:\Windows\System32\msiexec.exe" /y .\u0VMOCA.KE6
              PID: 1028
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c Sat166a2d0352f0def.exe /mixtwo
          PID: 1424
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat166a2d0352f0def.exe
            command line: Sat166a2d0352f0def.exe /mixtwo
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            PID: 3600
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c Sat1679fedabf32e9e.exe
          PID: 3288
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat1679fedabf32e9e.exe
            command line: Sat1679fedabf32e9e.exe
            - Executes dropped EXE
            PID: 1860
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c Sat16f0c9fe4357bd5.exe
          PID: 2304
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat16f0c9fe4357bd5.exe
            command line: Sat16f0c9fe4357bd5.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            PID: 3612
          [6] C:\Windows\SysWOW64\cmd.exe
              command line: cmd.exe /c taskkill /f /im chrome.exe
              PID: 4368
            [7] C:\Windows\SysWOW64\taskkill.exe
                command line: taskkill /f /im chrome.exe
                - Kills process with taskkill
                PID: 5108
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c Sat16391fb04cc7c106.exe
          PID: 2120
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat16391fb04cc7c106.exe
            command line: Sat16391fb04cc7c106.exe
            - Executes dropped EXE
            PID: 1912
          [6] C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat16391fb04cc7c106.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat16391fb04cc7c106.exe" -u
              - Executes dropped EXE
              PID: 2228
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c Sat160a606e591dcbf39.exe
          PID: 3204
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat160a606e591dcbf39.exe
            command line: Sat160a606e591dcbf39.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            PID: 4076
          [6] C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat160a606e591dcbf39.exe
              command line: C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat160a606e591dcbf39.exe
              PID: 4216
            [7] C:\Windows\SysWOW64\WerFault.exe
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 24
                - Program crash
                PID: 4692
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c Sat16ec4a145f.exe
          PID: 3980
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat16ec4a145f.exe
            command line: Sat16ec4a145f.exe
            - Executes dropped EXE
            PID: 3468
          [6] C:\Users\Admin\AppData\Local\Temp\11111.exe
              command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              - Executes dropped EXE
              PID: 3604
          [6] C:\Users\Admin\AppData\Local\Temp\11111.exe
              command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              PID: 3580
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c Sat161d014284dc2.exe
          PID: 776
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat161d014284dc2.exe
            command line: Sat161d014284dc2.exe
            - Executes dropped EXE
            PID: 3184
          [6] C:\Users\Admin\AppData\Local\Temp\is-EI4AJ.tmp\Sat161d014284dc2.tmp
              command line: "C:\Users\Admin\AppData\Local\Temp\is-EI4AJ.tmp\Sat161d014284dc2.tmp" /SL5="$101F0,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat161d014284dc2.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              PID: 68
            [7] C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat161d014284dc2.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat161d014284dc2.exe" /SILENT
                - Executes dropped EXE
                PID: 1184
              [8] C:\Users\Admin\AppData\Local\Temp\is-3V9I6.tmp\Sat161d014284dc2.tmp
                  command line: "C:\Users\Admin\AppData\Local\Temp\is-3V9I6.tmp\Sat161d014284dc2.tmp" /SL5="$2020E,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat161d014284dc2.exe" /SILENT
                  - Executes dropped EXE
                  - Loads dropped DLL
                  PID: 3592
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c Sat1633393229bac.exe
          PID: 3636
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat1633393229bac.exe
            command line: Sat1633393229bac.exe
            - Executes dropped EXE
            PID: 3748
          [6] C:\Windows\SysWOW64\control.exe
              command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\K7IbNX.cpL",
              PID: 2660
            [7] C:\Windows\SysWOW64\rundll32.exe
                command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\K7IbNX.cpL",
                PID: 2240
              [8] C:\Windows\system32\RunDll32.exe
                  command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\K7IbNX.cpL",
                  PID: 3224
                [9] C:\Windows\SysWOW64\rundll32.exe
                    command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\K7IbNX.cpL",
                    PID: 3140
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c Sat1632049d9fe71f9c.exe
          PID: 1212
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat1632049d9fe71f9c.exe
            command line: Sat1632049d9fe71f9c.exe
            - Executes dropped EXE
            PID: 3716
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c Sat1616f4fdcffa5fe.exe
          - Suspicious use of WriteProcessMemory
          PID: 1476
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c Sat166587ce542f4081.exe
          - Suspicious use of WriteProcessMemory
          PID: 2124
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c Sat167c8d2a2ad.exe
          - Suspicious use of WriteProcessMemory
          PID: 1764
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c Sat162e27781f4.exe
          PID: 684

[1] C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat1616f4fdcffa5fe.exe
    command line: Sat1616f4fdcffa5fe.exe
    - Executes dropped EXE
    PID: 1392
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c taskkill /im Sat1616f4fdcffa5fe.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat1616f4fdcffa5fe.exe" & del C:\ProgramData\*.dll & exit
      PID: 4076
    [3] C:\Windows\SysWOW64\taskkill.exe
        command line: taskkill /im Sat1616f4fdcffa5fe.exe /f
        - Kills process with taskkill
        PID: 3144
    [3] C:\Windows\SysWOW64\timeout.exe
        command line: timeout /t 6
        - Delays execution with timeout.exe
        PID: 4436

[1] C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat166587ce542f4081.exe
    command line: Sat166587ce542f4081.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 1032

[1] C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat162e27781f4.exe
    command line: Sat162e27781f4.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 3040
  [2] C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat162e27781f4.exe
      command line: C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat162e27781f4.exe
      PID: 4208
  [2] C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat162e27781f4.exe
      command line: C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat162e27781f4.exe
      PID: 4600

[1] C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat166a2d0352f0def.exe
    command line: Sat166a2d0352f0def.exe /mixtwo
    - Executes dropped EXE
    PID: 1904
  [2] C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "Sat166a2d0352f0def.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat166a2d0352f0def.exe" & exit
      PID: 2888
    [3] C:\Windows\SysWOW64\taskkill.exe
        command line: taskkill /im "Sat166a2d0352f0def.exe" /f
        - Kills process with taskkill
        PID: 4188

[1] C:\Users\Admin\AppData\Local\Temp\7zS0A4BD326\Sat167c8d2a2ad.exe
    command line: Sat167c8d2a2ad.exe
    - Executes dropped EXE
    PID: 3592

[1] C:\Windows\system32\rundll32.exe
    command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Process spawned unexpected child process
    PID: 4896
  [2] C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
      PID: 4920

[1] C:\Windows\system32\svchost.exe
    command line: C:\Windows\system32\svchost.exe -k SystemNetworkService
    PID: 5100