Analysis
- max time kernel: 87s
- max time network: 181s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 20/12/2021, 14:05
Static task: static1
Behavioral task: behavioral1
- Sample: 8bc509f1ebfdf011b63c6a88571f683444ca974e7de0595e18632b9118b70adf.exe
- Resource: win7-en-20211208
(The signature rows and memory dumps below reference task behavioral2, the windows10_x64 / win10-en-20211208 run described in the header, not the win7 task listed here.)
General
- Target: 8bc509f1ebfdf011b63c6a88571f683444ca974e7de0595e18632b9118b70adf.exe
- Size: 6.9MB
- MD5: 0dbb370bd9561bebde04a63c0a967fac
- SHA1: c9dab70144d92a29c46921581174cf85eda44147
- SHA256: 8bc509f1ebfdf011b63c6a88571f683444ca974e7de0595e18632b9118b70adf
- SHA512: 5355290e6439ef568782d340778fe54184db7249f3619633ebebef51a6810b762be07c9cc82ef8c033896686d358b54e114764d17038a7cf9386b0f4fe77577a
Malware Config
Extracted: socelars
- C2: http://www.biohazardgraphics.com/
Extracted: vidar
- Version: 49.1
- Botnet (profile id): 915
- C2: https://noc.social/@sergeev46
- C2: https://c.im/@sergeev47
- profile_id: 915
(The two Vidar "C2" entries are Mastodon profile pages, not attacker-owned hosts: the stealer reads the real C2 address from the profile, so these are dead-drop resolvers, and the hosts themselves are legitimate services.)
Extracted: smokeloader
- Version: 2020
- C2: http://rcacademy.at/upload/
- C2: http://e-lanpengeonline.com/upload/
- C2: http://vjcmvz.cn/upload/
- C2: http://galala.ru/upload/
- C2: http://witra.ru/upload/
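The hosts from the three extracted configurations above, together with the ip-api.com lookups and the WinHttpRequest User-Agent listed later under Signatures, turned into a matcher that runs over proxy-log lines and separates high-confidence C2 contacts from the weak indicators. This is an added example, not part of the sandbox report or of any of the families it names; the log lines are constructed, the tab-separated log layout is an assumption, and the confidence labels are my own.

```python
"""Proxy-log matcher for the network indicators in this report.

Added example, not part of the sandbox report or of any of the malware
families it names. The indicator values are copied from the Malware Config
and Signatures sections; the log lines are constructed for the demonstration.
"""
from urllib.parse import urlparse

# C2 / payload URLs from Malware Config. For Vidar the two entries are
# Mastodon profile pages used as dead drops, not attacker infrastructure.
C2_URLS = {
    "socelars": ["http://www.biohazardgraphics.com/"],
    "vidar": ["https://noc.social/@sergeev46", "https://c.im/@sergeev47"],
    "smokeloader": [
        "http://rcacademy.at/upload/",
        "http://e-lanpengeonline.com/upload/",
        "http://vjcmvz.cn/upload/",
        "http://galala.ru/upload/",
        "http://witra.ru/upload/",
    ],
}

# Weak indicators from the Signatures section: a public IP-lookup service
# and the default User-Agent of the WinHttpRequest COM object.
IP_LOOKUP_HOSTS = {"ip-api.com"}
SCRIPT_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"


def c2_hosts():
    """Map each C2 hostname (lower-cased) to the family it belongs to."""
    out = {}
    for family, urls in C2_URLS.items():
        for url in urls:
            out[urlparse(url).hostname.lower()] = family
    return out


def host_matches(host, indicator):
    """Exact match or a subdomain of the indicator host."""
    return host == indicator or host.endswith("." + indicator)


# Constructed log: timestamp, client IP, method, URL, User-Agent, tab-separated.
SAMPLE_LOG = """\
2021-12-20T14:06:01Z\t10.0.0.15\tGET\thttp://ip-api.com/json/\tMozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
2021-12-20T14:06:03Z\t10.0.0.15\tGET\thttps://noc.social/@sergeev46\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
2021-12-20T14:06:09Z\t10.0.0.15\tPOST\thttp://rcacademy.at/upload/\tMozilla/4.0
2021-12-20T14:06:12Z\t10.0.0.22\tGET\thttps://www.microsoft.com/\tMozilla/5.0
2021-12-20T14:06:15Z\t10.0.0.15\tGET\thttp://www.biohazardgraphics.com/\tMozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
"""


def scan(log_text):
    """Return (client, host, label, confidence) findings for every log line."""
    hosts = c2_hosts()
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _method, url, ua = line.split("\t", 4)
        host = (urlparse(url).hostname or "").lower()
        family = next((f for h, f in hosts.items() if host_matches(host, h)), None)
        if family:
            findings.append((client, host, "c2:" + family, "high"))
        elif any(host_matches(host, h) for h in IP_LOOKUP_HOSTS):
            findings.append((client, host, "external-ip-lookup", "low"))
        # The script UA is reported on its own line so it can corroborate a
        # C2 hit without being treated as an infection marker by itself.
        if ua == SCRIPT_UA:
            findings.append((client, host, "script-user-agent", "low"))
    return findings


def infected_clients(findings):
    """Clients with at least one high-confidence hit, sorted."""
    return sorted({f[0] for f in findings if f[3] == "high"})


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for r in results:
        print(*r)
    print("clients to isolate:", infected_clients(results))
```

The split between "high" and "low" matters operationally: a contact to one of the SmokeLoader gates or the Socelars host is enough to isolate the client, whereas ip-api.com and the WinHttpRequest User-Agent are also produced by legitimate software and only add weight. The Vidar entries are matched by hostname like the rest, but because noc.social and c.im are public Mastodon instances they should raise an alert rather than be added to a block list.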
Signatures

Process spawned unexpected child process (1 IoC)
The sandbox's generic explanation is that the parent was compromised via an exploit or macro. The parent here is the WMI provider host, and wmiprvse.exe launching rundll32.exe is exactly what a process created through WMI (Win32_Process.Create) looks like in telemetry, so a WMI-driven launch is the likelier reading than a memory-corruption exploit of wmiprvse.exe itself. Whichever process issued the WMI call is not visible in the process tree below.
description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
pid 4268 | pid_target 2184 | Process rundll32.exe | procid_target 120
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (2 IoCs)
resource | yara_rule
behavioral2/memory/4332-340-0x0000000000419336-mapping.dmp | family_redline
behavioral2/memory/4736-371-0x0000000000419336-mapping.dmp | family_redline
Both hits are in re-launched copies of their own parents (PID 4332 is the child of Fri18046280a7b776.exe, PID 4736 of Fri182efa7c2ad75046.exe), so the decoded payload is in the injected second instance rather than visible in the dropped file.
SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x000500000001ab22-169.dat | family_socelars
behavioral2/files/0x000500000001ab22-205.dat | family_socelars
NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
resource | yara_rule
behavioral2/files/0x000500000001ab29-167.dat | WebBrowserPassView
behavioral2/files/0x000500000001ab29-187.dat | WebBrowserPassView

Nirsoft (5 IoCs)
resource | yara_rule
behavioral2/files/0x000500000001ab29-167.dat | Nirsoft
behavioral2/files/0x000500000001ab29-187.dat | Nirsoft
behavioral2/memory/2448-243-0x0000000000400000-0x0000000000455000-memory.dmp | Nirsoft
behavioral2/files/0x000600000001ab3f-242.dat | Nirsoft
behavioral2/files/0x000600000001ab3f-241.dat | Nirsoft
The memory hit is PID 2448, the 11111.exe process in the tree below that is run with NirSoft-style /CookiesFile and /scookiestxt switches against the Chrome cookie database. NirSoft utilities are legitimate tools, so the yara match alone is not malicious; their invocation by a dropped installer to dump the browser's cookie database to a text file is.

Vidar Stealer (2 IoCs)
resource | yara_rule
behavioral2/memory/2296-265-0x0000000000DE0000-0x0000000000EB9000-memory.dmp | family_vidar
behavioral2/memory/2296-274-0x0000000000400000-0x000000000088B000-memory.dmp | family_vidar
PID 2296 is Fri184baf2e5e45.exe.

Packed with ASPack (yara rule aspack_v212_v242, 7 IoCs)
resource | yara_rule
behavioral2/files/0x000500000001ab2b-125.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab2a-126.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab2a-132.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab2a-129.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab2b-127.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab2d-131.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab2d-135.dat | aspack_v212_v242
Downloads MZ/PE file

Executes dropped EXE (24 IoCs)
pid | Process
2196 | setup_installer.exe
1516 | setup_install.exe
2024 | Fri1851cb1bc629c3ac0.exe
2016 | Fri1894cce7d386.exe
2232 | Fri18e44ec8c2.exe
2148 | Fri189c37bee8c29eb6.exe
2296 | Fri184baf2e5e45.exe
3100 | Fri18083e5484e3b1125.exe
3956 | Fri18046280a7b776.exe
3180 | Fri18cee95a1359570.exe
3200 | Fri18002ecda8e9b.exe
2464 | Fri187c9124f51b.exe
3244 | Fri1845451c00c99718b.exe
2364 | Fri182efa7c2ad75046.exe
3900 | Fri185ef293d31.exe
3656 | Fri18b5451cab3.exe
1896 | Fri1845451c00c99718b.exe
3524 | Fri185ef293d31.exe
2800 | Fri18b5451cab3.tmp
1208 | Fri1851cb1bc629c3ac0.tmp
3632 | Fri18b5451cab3.exe
2448 | 11111.exe
1928 | Fri18b5451cab3.tmp
2492 | Tougay.exe

Loads dropped DLL (14 IoCs)
pid | Process
1516 | setup_install.exe (×7)
1208 | Fri1851cb1bc629c3ac0.tmp
2800 | Fri18b5451cab3.tmp
1928 | Fri18b5451cab3.tmp
2448 | regsvr32.exe (×2)
2540 | rundll32.exe (×2)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)
The Vidar configuration above points at Mastodon profile pages rather than at attacker-owned hosts; the profile is a dead drop from which the real C2 address is read, so blocking the two hostnames outright would also block a legitimate service.

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
28 | ip-api.com
88 | ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 3244 set thread context of 1896 | 3244 | Fri1845451c00c99718b.exe | 105
The target, PID 1896, is a second instance of the same executable started by 3244: the start-self-suspended, write payload, SetThreadContext, resume sequence of RunPE-style process hollowing.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but no ransomware family is identified in this run; the same enumeration is routine for installers and for the anti-VM checks below, so on its own it should not drive the verdict.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments. The device instance names under this key embed the vendor and product strings of the attached disk, and hypervisor vendor names in those strings are the usual giveaway, which is why the key is opened, enumerated and queried here.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Fri1894cce7d386.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Fri1894cce7d386.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Fri1894cce7d386.exe
Delays execution with timeout.exe (1 IoC)
pid | Process
352 | timeout.exe

Kills process with taskkill (3 IoCs)
pid | Process
68 | taskkill.exe
4252 | taskkill.exe
4644 | taskkill.exe

Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | Fri18002ecda8e9b.exe

Script User-Agent (1 IoC)
Uses the user-agent string associated with a script host/environment. This value is the default User-Agent of the WinHttpRequest COM object, so it points at WinHTTP-based code (scripts or native) rather than a browser; it is a weak indicator by itself and worth alerting on only in combination with the destinations above.
description | flow | ioc
HTTP User-Agent header | 37 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2016 | Fri1894cce7d386.exe (×2)
2892 | Process not Found (×62)
PID 2892 had exited, or was never captured, by the time the sandbox resolved process names, so its image is unknown.

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
2016 | Fri1894cce7d386.exe
Suspicious use of AdjustPrivilegeToken (40 IoCs)
Fri187c9124f51b.exe (PID 2464) requests every privilege from SeCreateTokenPrivilege through LUIDs 31 to 35 (the sandbox did not name those five), 34 entries in one pass. AdjustTokenPrivileges can only enable privileges the token already holds, so most of these calls fail on an ordinary administrator token; the pattern is still a strong indicator because legitimate software does not ask for all of them.
description | pid | Process
Token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35 | 2464 | Fri187c9124f51b.exe (34 entries)
Token: SeDebugPrivilege | 68 | taskkill.exe
Token: SeDebugPrivilege | 3956 | Fri18046280a7b776.exe
Token: SeDebugPrivilege | 2364 | Fri182efa7c2ad75046.exe
Token: SeDebugPrivilege | 2148 | Fri189c37bee8c29eb6.exe
Token: SeDebugPrivilege | 2308 | powershell.exe
Token: SeDebugPrivilege | 2432 | powershell.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Each parent wrote to its child three times, so every pair below stands for three rows; the list is capped at 64 entries, which is why the last pair appears once.
description | pid | Process | procid_target
PID 3136 wrote to memory of 2196 | 3136 | 8bc509f1ebfdf011b63c6a88571f683444ca974e7de0595e18632b9118b70adf.exe | 69 (×3)
PID 2196 wrote to memory of 1516 | 2196 | setup_installer.exe | 70 (×3)
PID 1516 wrote to memory of 1252 | 1516 | setup_install.exe | 73 (×3)
PID 1516 wrote to memory of 1124 | 1516 | setup_install.exe | 74 (×3)
PID 1516 wrote to memory of 604 | 1516 | setup_install.exe | 75 (×3)
PID 1516 wrote to memory of 1140 | 1516 | setup_install.exe | 76 (×3)
PID 1516 wrote to memory of 1088 | 1516 | setup_install.exe | 77 (×3)
PID 1516 wrote to memory of 2452 | 1516 | setup_install.exe | 78 (×3)
PID 1516 wrote to memory of 512 | 1516 | setup_install.exe | 79 (×3)
PID 1516 wrote to memory of 1224 | 1516 | setup_install.exe | 80 (×3)
PID 1516 wrote to memory of 1148 | 1516 | setup_install.exe | 81 (×3)
PID 1516 wrote to memory of 2592 | 1516 | setup_install.exe | 82 (×3)
PID 1516 wrote to memory of 2484 | 1516 | setup_install.exe | 84 (×3)
PID 1516 wrote to memory of 1316 | 1516 | setup_install.exe | 83 (×3)
PID 1516 wrote to memory of 1440 | 1516 | setup_install.exe | 88 (×3)
PID 1516 wrote to memory of 2368 | 1516 | setup_install.exe | 87 (×3)
PID 1516 wrote to memory of 1780 | 1516 | setup_install.exe | 85 (×3)
PID 1516 wrote to memory of 1968 | 1516 | setup_install.exe | 86 (×3)
PID 1140 wrote to memory of 2016 | 1140 | cmd.exe | 89 (×3)
PID 1224 wrote to memory of 2024 | 1224 | cmd.exe | 95 (×3)
PID 2452 wrote to memory of 2148 | 2452 | cmd.exe | 94 (×3)
PID 2484 wrote to memory of 2232 | 2484 | cmd.exe | 93 (×1, list truncated)
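The behaviours the signatures above describe in prose (wmiprvse.exe spawning rundll32.exe, Defender tampering through Set-MpPreference and Add-MpPreference, .cpl and .dll files loaded from user-writable paths, the taskkill-then-delete self-removal chains, and browser processes killed with taskkill) expressed as rules over process-creation events. This is an added example and not the sandbox's own detection logic: the events are constructed from the process tree on this page, the rule names are mine, and the PID (2184) and command line used for wmiprvse.exe are assumptions, since the tree does not show that process.

```python
"""Process-telemetry rules for behaviours in this report's Signatures and
Processes sections: Defender tampering via Set-/Add-MpPreference, wmiprvse.exe
spawning rundll32.exe, .cpl and .dll loads from user-writable paths,
taskkill + del self-deletion chains, and browser process kills.

Added example, not code from the sandbox or from any family named here.
Events are constructed from the process tree on this page; the PID (2184)
and command line used for wmiprvse.exe are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # file that actually executed
    cmdline: str   # command line as passed (may name a different path)


def base(path: str) -> str:
    return ntpath.basename(path).lower()


# Locations an unprivileged user can write to; code staged there is suspect.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\programdata\\|\\temp\\", re.I)

# Parent/child pairs legitimate operation should not produce. The first is the
# pair flagged in this report; the others are my additions for WMI-driven
# launches of other script hosts.
UNEXPECTED_PARENT_CHILD = {
    ("wmiprvse.exe", "rundll32.exe"),
    ("wmiprvse.exe", "regsvr32.exe"),
    ("wmiprvse.exe", "mshta.exe"),
}

DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true"
    r"|Add-MpPreference\b.*-ExclusionPath"
    r"|-MAPSReporting\s+Disable"
    r"|-SubmitSamplesConsent\s+NeverSend",
    re.I,
)
CPL_PATH = re.compile(r'"([^"]+\.cpl)"', re.I)
DLL_PATH = re.compile(r'([A-Za-z]:\\[^",\s]+\.dll)', re.I)
KILL_AND_DELETE = re.compile(r"\btaskkill\b.*\b(del|erase)\b", re.I)
BROWSER_KILL = re.compile(r"/im\s+(chrome|msedge|firefox|opera|brave)\.exe", re.I)


def run_rules(events):
    """Return sorted (rule, pid) findings for a list of ProcEvent."""
    by_pid = {e.pid: e for e in events}
    findings = set()
    for e in events:
        img = base(e.image)
        parent = by_pid.get(e.ppid)
        if parent and (base(parent.image), img) in UNEXPECTED_PARENT_CHILD:
            findings.add(("unexpected_parent", e.pid))
        # Matched on the command line, so the cmd.exe /c wrapper fires too.
        if DEFENDER_TAMPER.search(e.cmdline):
            findings.add(("defender_tamper", e.pid))
        if img in ("control.exe", "rundll32.exe"):
            m = CPL_PATH.search(e.cmdline)
            if m and USER_WRITABLE.search(m.group(1)):
                findings.add(("cpl_from_user_dir", e.pid))
        if img == "rundll32.exe" and any(
            USER_WRITABLE.search(d) for d in DLL_PATH.findall(e.cmdline)
        ):
            findings.add(("rundll32_user_dll", e.pid))
        if img == "cmd.exe" and KILL_AND_DELETE.search(e.cmdline):
            findings.add(("self_delete_chain", e.pid))
        if img == "taskkill.exe" and BROWSER_KILL.search(e.cmdline):
            findings.add(("browser_kill", e.pid))
    return sorted(findings)


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed from the Processes section; PID 2184 and its command line are assumed.
EVENTS = [
    ProcEvent(1516, 2196, r"C:\Users\Admin\AppData\Local\Temp\7zS49830E66\setup_install.exe", "setup_install.exe"),
    ProcEvent(1252, 1516, CMD, r"C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable"),
    ProcEvent(2308, 1252, PS, r"powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable"),
    ProcEvent(2432, 1124, PS, r'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"'),
    ProcEvent(4632, 5088, r"C:\Windows\SysWOW64\control.exe", r'"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",'),
    ProcEvent(4328, 4632, r"C:\Windows\SysWOW64\rundll32.exe", r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",'),
    ProcEvent(2184, 0, r"C:\Windows\system32\wbem\wmiprvse.exe", "wmiprvse.exe -Embedding"),
    ProcEvent(4268, 2184, r"C:\Windows\system32\rundll32.exe", r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global'),
    ProcEvent(2224, 2296, CMD, r'"C:\Windows\System32\cmd.exe" /c taskkill /im Fri184baf2e5e45.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS49830E66\Fri184baf2e5e45.exe" & del C:\ProgramData\*.dll & exit'),
    ProcEvent(4252, 1428, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im chrome.exe"),
    ProcEvent(5332, 0, r"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe", "MicrosoftEdge.exe -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca"),
]

if __name__ == "__main__":
    for rule, pid in run_rules(EVENTS):
        print(f"{rule:20s} pid {pid}")
```

Two design points: the rules look at the image path the kernel reports, not at the path in the command line, because under WoW64 a command line naming System32 actually runs the SysWOW64 binary and a rule keyed on the command-line path would miss it; and the rundll32 rule matches Control_RunDLL launches through the .cpl path rather than the DLL pattern, since Shell32.dll in that command line is not a full path and should not be flagged.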
Processes
Tree indented by depth. "image" is shown where the file that actually executed differs from the path in the command line (a System32 path launched from a 32-bit process runs from SysWOW64 under WoW64 file-system redirection).

PID 3136  "C:\Users\Admin\AppData\Local\Temp\8bc509f1ebfdf011b63c6a88571f683444ca974e7de0595e18632b9118b70adf.exe"
  - Suspicious use of WriteProcessMemory
  PID 2196  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID 1516  "C:\Users\Admin\AppData\Local\Temp\7zS49830E66\setup_install.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      note: 7zS<hex> is the extraction directory of a 7-Zip SFX archive; setup_install.exe starts each Fri18*.exe below through its own cmd.exe /c wrapper.
      PID 1252  C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        image: C:\Windows\SysWOW64\cmd.exe
        PID 2308  powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          - Suspicious use of AdjustPrivilegeToken
          note: disables Defender real-time scanning, cloud (MAPS) reporting and sample submission before any payload is dropped. Set-MpPreference needs administrator rights, and where Defender's tamper protection is enabled the change is rejected.
      PID 1124  C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        image: C:\Windows\SysWOW64\cmd.exe
        PID 2432  powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          - Suspicious use of AdjustPrivilegeToken
          note: excludes the drop directory from scanning, so files unpacked into %TEMP% afterwards are never inspected even if real-time protection is switched back on.
      PID 604  C:\Windows\system32\cmd.exe /c Fri18083e5484e3b1125.exe
        image: C:\Windows\SysWOW64\cmd.exe
        PID 3100  Fri18083e5484e3b1125.exe
          image: C:\Users\Admin\AppData\Local\Temp\7zS49830E66\Fri18083e5484e3b1125.exe
          - Executes dropped EXE
          PID 2448  "C:\Windows\System32\regsvr32.exe" -S .\BXNQ.FG
            image: C:\Windows\SysWOW64\regsvr32.exe
            - Loads dropped DLL
            note: regsvr32 -S silently loads the dropped file and calls its DllRegisterServer export; the .FG extension is cosmetic, regsvr32 loads it as a DLL regardless.
      PID 1140  C:\Windows\system32\cmd.exe /c Fri1894cce7d386.exe
        image: C:\Windows\SysWOW64\cmd.exe
        - Suspicious use of WriteProcessMemory
        PID 2016  Fri1894cce7d386.exe
          image: C:\Users\Admin\AppData\Local\Temp\7zS49830E66\Fri1894cce7d386.exe
          - Executes dropped EXE
          - Checks SCSI registry key(s)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
      PID 1088  C:\Windows\system32\cmd.exe /c Fri18046280a7b776.exe
        image: C:\Windows\SysWOW64\cmd.exe
        PID 3956  Fri18046280a7b776.exe
          image: C:\Users\Admin\AppData\Local\Temp\7zS49830E66\Fri18046280a7b776.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID 4332  C:\Users\Admin\AppData\Local\Temp\7zS49830E66\Fri18046280a7b776.exe
            note: second instance of the same file; the RedLine yara hit behavioral2/memory/4332-340-0x0000000000419336-mapping.dmp is in this process, not in its parent.
      PID 2452  C:\Windows\system32\cmd.exe /c Fri189c37bee8c29eb6.exe
        image: C:\Windows\SysWOW64\cmd.exe
        - Suspicious use of WriteProcessMemory
        PID 2148  Fri189c37bee8c29eb6.exe
          image: C:\Users\Admin\AppData\Local\Temp\7zS49830E66\Fri189c37bee8c29eb6.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          note: starts five GUID-named executables from %LOCALAPPDATA%, two of which stage further payloads under %APPDATA%.
          PID 4408  "C:\Users\Admin\AppData\Local\f618c5f4-faec-497a-8813-068d617dbc5c.exe"
          PID 4464  "C:\Users\Admin\AppData\Local\10f7d71b-828b-4247-b0f2-d8fb60048061.exe"
            PID 5024  "C:\Users\Admin\AppData\Roaming\61609880\2257259222572592.exe"
          PID 4748  "C:\Users\Admin\AppData\Local\63ec453e-c60c-45cf-bc90-28a710ce5b38.exe"
          PID 4960  "C:\Users\Admin\AppData\Local\ac353c01-ab08-452b-bd06-d85da49a653c.exe"
          PID 5012  "C:\Users\Admin\AppData\Local\a0351b65-a9cd-4d11-85fe-7865c3f9b572.exe"
            PID 5088  "C:\Users\Admin\AppData\Roaming\951200.exe"
              PID 4632  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                image: C:\Windows\SysWOW64\control.exe
                PID 4328  "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                  image: C:\Windows\SysWOW64\rundll32.exe
                  note: a .cpl file is a DLL; control.exe hands it to rundll32.exe Shell32.dll,Control_RunDLL, which loads the dropped DLL from %TEMP% inside a signed Windows binary. Fri18002ecda8e9b.exe further down uses the same trick.
      PID 512  C:\Windows\system32\cmd.exe /c Fri18cee95a1359570.exe
        image: C:\Windows\SysWOW64\cmd.exe
        PID 3180  Fri18cee95a1359570.exe
          image: C:\Users\Admin\AppData\Local\Temp\7zS49830E66\Fri18cee95a1359570.exe
          - Executes dropped EXE
      PID 1224  C:\Windows\system32\cmd.exe /c Fri1851cb1bc629c3ac0.exe
        image: C:\Windows\SysWOW64\cmd.exe
        - Suspicious use of WriteProcessMemory
        PID 2024  Fri1851cb1bc629c3ac0.exe
          image: C:\Users\Admin\AppData\Local\Temp\7zS49830E66\Fri1851cb1bc629c3ac0.exe
          - Executes dropped EXE
          PID 1208  "C:\Users\Admin\AppData\Local\Temp\is-N3324.tmp\Fri1851cb1bc629c3ac0.tmp" /SL5="$2014C,140047,56320,C:\Users\Admin\AppData\Local\Temp\7zS49830E66\Fri1851cb1bc629c3ac0.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            note: the is-XXXXX.tmp directory and the /SL5= switch are the Inno Setup bootstrap pattern; the .tmp is the installer engine unpacked from the .exe.
            PID 2492  "C:\Users\Admin\AppData\Local\Temp\is-A0SVE.tmp\Tougay.exe" /S /UID=91
              - Executes dropped EXE
              PID 2752  "C:\Users\Admin\AppData\Local\Temp\71-3b979-80f-581b0-35c392d64feab\Luwalyliwu.exe"
              PID 4420  "C:\Users\Admin\AppData\Local\Temp\a5-3e783-5cb-da6ba-74e14618957a2\Jaenalopudy.exe"
                note: installs three more bundled programs through cmd.exe /k ... & exit wrappers with silent-install switches (/qn, /S); the CAMPAIGN="654" here and the /UID=91 on Tougay.exe are the kind of affiliate identifiers pay-per-install bundlers carry.
                PID 5268  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5zccmcqz.r5h\installer.exe /qn CAMPAIGN="654" & exit
                  PID 5916  C:\Users\Admin\AppData\Local\Temp\5zccmcqz.r5h\installer.exe /qn CAMPAIGN="654"
                PID 5348  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\t0erxibn.2xb\any.exe & exit
                  PID 5940  C:\Users\Admin\AppData\Local\Temp\t0erxibn.2xb\any.exe
                    PID 6092  "C:\Users\Admin\AppData\Local\Temp\t0erxibn.2xb\any.exe" -u
                PID 5436  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5jbm4w4x.src\autosubplayer.exe /S & exit
      PID 1148  C:\Windows\system32\cmd.exe /c Fri1845451c00c99718b.exe /mixtwo
        image: C:\Windows\SysWOW64\cmd.exe
        PID 3244  Fri1845451c00c99718b.exe /mixtwo
          image: C:\Users\Admin\AppData\Local\Temp\7zS49830E66\Fri1845451c00c99718b.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          PID 1896  Fri1845451c00c99718b.exe /mixtwo
            image: C:\Users\Admin\AppData\Local\Temp\7zS49830E66\Fri1845451c00c99718b.exe
            - Executes dropped EXE
            note: hollowed second instance (3244 set its thread context, see Signatures); the payload runs here and then removes its own file.
            PID 3744  "C:\Windows\System32\cmd.exe" /c taskkill /im "Fri1845451c00c99718b.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS49830E66\Fri1845451c00c99718b.exe" & exit
              image: C:\Windows\SysWOW64\cmd.exe
              PID 68  taskkill /im "Fri1845451c00c99718b.exe" /f
                image: C:\Windows\SysWOW64\taskkill.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
      PID 2592  C:\Windows\system32\cmd.exe /c Fri18002ecda8e9b.exe
        image: C:\Windows\SysWOW64\cmd.exe
        PID 3200  Fri18002ecda8e9b.exe
          image: C:\Users\Admin\AppData\Local\Temp\7zS49830E66\Fri18002ecda8e9b.exe
          - Executes dropped EXE
          - Modifies registry class
          PID 860  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\fFBFHI.cPL",
            image: C:\Windows\SysWOW64\control.exe
            PID 2540  "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\fFBFHI.cPL",
              image: C:\Windows\SysWOW64\rundll32.exe
              - Loads dropped DLL
              note: the dropped .cpl is loaded as a DLL inside rundll32.exe, which is the "Loads dropped DLL" hit on PID 2540.
      PID 1316  C:\Windows\system32\cmd.exe /c Fri187c9124f51b.exe
        image: C:\Windows\SysWOW64\cmd.exe
        PID 2464  Fri187c9124f51b.exe
          image: C:\Users\Admin\AppData\Local\Temp\7zS49830E66\Fri187c9124f51b.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID 1428  cmd.exe /c taskkill /f /im chrome.exe
            image: C:\Windows\SysWOW64\cmd.exe
            PID 4252  taskkill /f /im chrome.exe
              image: C:\Windows\SysWOW64\taskkill.exe
              - Kills process with taskkill
              note: force-killing Chrome releases the locks on its Login Data and Cookies SQLite files, the usual prelude to copying them.
      PID 2484  C:\Windows\system32\cmd.exe /c Fri18e44ec8c2.exe
        image: C:\Windows\SysWOW64\cmd.exe
        - Suspicious use of WriteProcessMemory
        PID 2232  Fri18e44ec8c2.exe
          image: C:\Users\Admin\AppData\Local\Temp\7zS49830E66\Fri18e44ec8c2.exe
          - Executes dropped EXE
          PID 2448  C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            - Executes dropped EXE
            note: NirSoft utility (yara hit behavioral2/memory/2448-243-0x0000000000400000-0x0000000000455000-memory.dmp) told to read the Chrome cookie database and write it out in cookies.txt format under %TEMP%. PID 2448 is reused here; the regsvr32.exe with the same PID above had already exited.
      PID 1780  C:\Windows\system32\cmd.exe /c Fri184baf2e5e45.exe
        image: C:\Windows\SysWOW64\cmd.exe
        PID 2296  Fri184baf2e5e45.exe
          image: C:\Users\Admin\AppData\Local\Temp\7zS49830E66\Fri184baf2e5e45.exe
          - Executes dropped EXE
          note: Vidar (yara hits behavioral2/memory/2296-265-... and 2296-274-...), configured with the Mastodon profile URLs listed under Malware Config.
          PID 2224  "C:\Windows\System32\cmd.exe" /c taskkill /im Fri184baf2e5e45.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS49830E66\Fri184baf2e5e45.exe" & del C:\ProgramData\*.dll & exit
            image: C:\Windows\SysWOW64\cmd.exe
            note: cleanup chain: kill the stealer, wait six seconds for the process to go away so the file is no longer locked, delete its executable and the DLLs under C:\ProgramData (Vidar stages its browser-parsing helper libraries there).
            PID 4644  taskkill /im Fri184baf2e5e45.exe /f
              image: C:\Windows\SysWOW64\taskkill.exe
              - Kills process with taskkill
            PID 352  timeout /t 6
              image: C:\Windows\SysWOW64\timeout.exe
              - Delays execution with timeout.exe
      PID 1968  C:\Windows\system32\cmd.exe /c Fri185ef293d31.exe
        image: C:\Windows\SysWOW64\cmd.exe
        PID 3900  Fri185ef293d31.exe
          image: C:\Users\Admin\AppData\Local\Temp\7zS49830E66\Fri185ef293d31.exe
          - Executes dropped EXE
          PID 3524  "C:\Users\Admin\AppData\Local\Temp\7zS49830E66\Fri185ef293d31.exe" -u
            - Executes dropped EXE
      PID 2368  C:\Windows\system32\cmd.exe /c Fri18b5451cab3.exe
        image: C:\Windows\SysWOW64\cmd.exe
        PID 3656  Fri18b5451cab3.exe
          image: C:\Users\Admin\AppData\Local\Temp\7zS49830E66\Fri18b5451cab3.exe
          - Executes dropped EXE
          PID 2800  "C:\Users\Admin\AppData\Local\Temp\is-JNI87.tmp\Fri18b5451cab3.tmp" /SL5="$5006C,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS49830E66\Fri18b5451cab3.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            note: Inno Setup bootstrap again; the installer re-launches the original .exe with /SILENT, which unpacks a second copy of the engine.
            PID 3632  "C:\Users\Admin\AppData\Local\Temp\7zS49830E66\Fri18b5451cab3.exe" /SILENT
              - Executes dropped EXE
              PID 1928  "C:\Users\Admin\AppData\Local\Temp\is-QSRUL.tmp\Fri18b5451cab3.tmp" /SL5="$601D6,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS49830E66\Fri18b5451cab3.exe" /SILENT
                - Executes dropped EXE
                - Loads dropped DLL
      PID 1440  C:\Windows\system32\cmd.exe /c Fri182efa7c2ad75046.exe
        image: C:\Windows\SysWOW64\cmd.exe
        PID 2364  Fri182efa7c2ad75046.exe
          image: C:\Users\Admin\AppData\Local\Temp\7zS49830E66\Fri182efa7c2ad75046.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID 4344  C:\Users\Admin\AppData\Local\Temp\7zS49830E66\Fri182efa7c2ad75046.exe
          PID 4736  C:\Users\Admin\AppData\Local\Temp\7zS49830E66\Fri182efa7c2ad75046.exe
            note: second re-launch of the same file; the RedLine yara hit behavioral2/memory/4736-371-0x0000000000419336-mapping.dmp is in this instance.

PID 4268  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  image: C:\Windows\system32\rundll32.exe
  - Process spawned unexpected child process
  note: the parent is wmiprvse.exe (see Signatures), i.e. this was started through WMI by a process the tree does not show. The 64-bit rundll32.exe cannot load a 32-bit DLL and re-executes the same command with the SysWOW64 copy.
  PID 4292  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    image: C:\Windows\SysWOW64\rundll32.exe

PID 4444  C:\Windows\system32\svchost.exe -k SystemNetworkService

PID 5332  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca