Analysis
- max time kernel: 82s
- max time network: 196s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 20/12/2021, 14:05

Static task: static1

Behavioral task: behavioral1
- Sample: ff8c781d133727099271c37a67cbcd0b900bb37666b01e2c1a68015e3e39a238.exe
- Resource: win7-en-20211208
General
- Target: ff8c781d133727099271c37a67cbcd0b900bb37666b01e2c1a68015e3e39a238.exe
- Size: 7.0MB
- MD5: 55c7250db5e7794266eecb4e2b0ec0bd
- SHA1: 85b2a7a7a7aa3abe70aa84804deb1f40cfbba07f
- SHA256: ff8c781d133727099271c37a67cbcd0b900bb37666b01e2c1a68015e3e39a238
- SHA512: 9dc28e57c00b36f7eb7304529ee4b14a81bbd58be8ebccecd2f10e04c4b7994b396dde9ddf9ed617029ba2a44ac5ea8e62ea211daf8c2a1f3464b8d3daaba50a
Malware Config

Extracted: socelars
- C2: http://www.biohazardgraphics.com/

Extracted: vidar
- Version: 49.1
- Botnet: 915
- C2: https://noc.social/@sergeev46
- C2: https://c.im/@sergeev47
- profile_id: 915

Extracted: smokeloader
- Version: 2020
- C2: http://rcacademy.at/upload/
- C2: http://e-lanpengeonline.com/upload/
- C2: http://vjcmvz.cn/upload/
- C2: http://galala.ru/upload/
- C2: http://witra.ru/upload/

Extracted: redline
- Botnet: media18n
- C2: 65.108.69.168:13293

Extracted: redline
- Botnet: v3user1
- C2: 159.69.246.184:13127
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4900 | 4144 | rundll32.exe | 126

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (6 IoCs)
resource | yara_rule
behavioral2/memory/1392-316-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral2/memory/1392-318-0x0000000000419336-mapping.dmp | family_redline
behavioral2/memory/900-317-0x0000000000419336-mapping.dmp | family_redline
behavioral2/memory/900-315-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral2/memory/4280-323-0x0000000001250000-0x000000000141F000-memory.dmp | family_redline
behavioral2/memory/4280-330-0x0000000001250000-0x000000000141F000-memory.dmp | family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x000500000001ab36-158.dat | family_socelars
behavioral2/files/0x000500000001ab36-194.dat | family_socelars

NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
resource | yara_rule
behavioral2/files/0x000500000001ab34-176.dat | WebBrowserPassView
behavioral2/files/0x000500000001ab34-160.dat | WebBrowserPassView

Nirsoft (5 IoCs)
resource | yara_rule
behavioral2/files/0x000500000001ab34-176.dat | Nirsoft
behavioral2/files/0x000500000001ab34-160.dat | Nirsoft
behavioral2/memory/1504-278-0x0000000000400000-0x0000000000455000-memory.dmp | Nirsoft
behavioral2/files/0x000600000001ab57-277.dat | Nirsoft
behavioral2/files/0x000600000001ab57-276.dat | Nirsoft

Vidar Stealer (2 IoCs)
resource | yara_rule
behavioral2/memory/2308-265-0x0000000000DB0000-0x0000000000E89000-memory.dmp | family_vidar
behavioral2/memory/2308-270-0x0000000000400000-0x000000000088C000-memory.dmp | family_vidar

aspack_v212_v242 matches (6 IoCs)
resource | yara_rule
behavioral2/files/0x000700000001ab41-123.dat | aspack_v212_v242
behavioral2/files/0x000800000001ab43-127.dat | aspack_v212_v242
behavioral2/files/0x000700000001ab41-124.dat | aspack_v212_v242
behavioral2/files/0x000800000001ab43-122.dat | aspack_v212_v242
behavioral2/files/0x000200000001ab4c-128.dat | aspack_v212_v242
behavioral2/files/0x000200000001ab4c-129.dat | aspack_v212_v242
Downloads MZ/PE file

Executes dropped EXE (28 IoCs)
pid | Process
3560 | setup_install.exe
60 | Fri144567c7f86b7511.exe
1176 | Fri143c500f61323d.exe
3464 | Fri14c6d5d2017a22.exe
2308 | Fri14fed4dd4c.exe
1488 | Fri149ff4ed45.exe
1688 | Fri14a519effa1518b96.exe
1800 | Fri14d193ac82a5.exe
2452 | Fri146baa2ec1f15e96.exe
2160 | Fri14e4a5ae390c123.exe
1924 | Fri14c3adc4723bc626.exe
820 | Fri14986dc82ad.exe
1828 | Fri149ff4ed45.exe
1520 | Fri144c335f1d56.exe
2964 | Fri143abe7e6896.exe
1948 | Fri14e14e0105.exe
3708 | Fri14d193ac82a5.exe
2064 | Fri143c500f61323d.tmp
2892 | Fri14e4a5ae390c123.tmp
1700 | Fri14e4a5ae390c123.exe
1600 | Tougay.exe
1488 | Fri14e4a5ae390c123.tmp
1504 | 11111.exe
820 | 2e0375ee-a43b-42df-ba36-ab039d40d12b.exe
4136 | 67fa46ba-24d6-4824-8efe-f8c57db5faef.exe
4280 | 6c7867a1-5a60-4683-86c8-7d9830d80e85.exe
900 | Fri14c6d5d2017a22.exe
1392 | Fri14c3adc4723bc626.exe

Loads dropped DLL (16 IoCs)
pid | Process
3560 | setup_install.exe (7 entries)
2064 | Fri143c500f61323d.tmp
2892 | Fri14e4a5ae390c123.tmp
1488 | Fri14e4a5ae390c123.tmp
2292 | rundll32.exe (2 entries)
1248 | rundll32.exe (2 entries)
2308 | Fri14fed4dd4c.exe (2 entries)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
21 | ip-api.com
119 | ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 1488 set thread context of 1828 | 1488 | Fri14e4a5ae390c123.tmp | 84
PID 3464 set thread context of 900 | 3464 | Fri14c6d5d2017a22.exe | 122
PID 1924 set thread context of 1392 | 1924 | Fri14c3adc4723bc626.exe | 123

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Fri144c335f1d56.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Fri144c335f1d56.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Fri144c335f1d56.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Fri14fed4dd4c.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Fri14fed4dd4c.exe

Delays execution with timeout.exe (1 IoC)
pid | Process
4416 | timeout.exe

Kills process with taskkill (3 IoCs)
pid | Process
4040 | taskkill.exe
4220 | taskkill.exe
2328 | taskkill.exe

Modifies registry class (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | Fri14e14e0105.exe
Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | Fri143abe7e6896.exe

Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 17 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1520 | Fri144c335f1d56.exe (2 entries)
3044 | Process not Found (all remaining entries)

Suspicious behavior: MapViewOfSection (1 IoC)
pid | Process
1520 | Fri144c335f1d56.exe

Suspicious use of AdjustPrivilegeToken (45 IoCs)
description | pid | Process
Token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35 (one entry per token, 34 entries) | 2452 | Fri146baa2ec1f15e96.exe
Token: SeDebugPrivilege | 3464 | Fri14c6d5d2017a22.exe
Token: SeDebugPrivilege | 1924 | Fri14c3adc4723bc626.exe
Token: SeDebugPrivilege | 3236 | powershell.exe
Token: SeDebugPrivilege | 2580 | powershell.exe
Token: SeDebugPrivilege | 1688 | Fri14a519effa1518b96.exe
Token: SeShutdownPrivilege | 3044 | Process not Found (2 entries)
Token: SeCreatePagefilePrivilege | 3044 | Process not Found (2 entries)
Token: SeDebugPrivilege | 4040 | taskkill.exe
Token: SeDebugPrivilege | 4220 | taskkill.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 640 wrote to memory of 3560 | 640 | ff8c781d133727099271c37a67cbcd0b900bb37666b01e2c1a68015e3e39a238.exe | 68 (3 entries)
PID 3560 wrote to memory of 2636 | 3560 | setup_install.exe | 71 (3 entries)
PID 3560 wrote to memory of 664 | 3560 | setup_install.exe | 72 (3 entries)
PID 3560 wrote to memory of 392 | 3560 | setup_install.exe | 73 (3 entries)
PID 3560 wrote to memory of 880 | 3560 | setup_install.exe | 74 (3 entries)
PID 3560 wrote to memory of 660 | 3560 | setup_install.exe | 75 (3 entries)
PID 3560 wrote to memory of 852 | 3560 | setup_install.exe | 76 (3 entries)
PID 3560 wrote to memory of 1716 | 3560 | setup_install.exe | 78 (3 entries)
PID 3560 wrote to memory of 3656 | 3560 | setup_install.exe | 77 (3 entries)
PID 3560 wrote to memory of 848 | 3560 | setup_install.exe | 79 (3 entries)
PID 3560 wrote to memory of 1004 | 3560 | setup_install.exe | 80 (3 entries)
PID 3560 wrote to memory of 360 | 3560 | setup_install.exe | 99 (3 entries)
PID 3560 wrote to memory of 1032 | 3560 | setup_install.exe | 81 (3 entries)
PID 3560 wrote to memory of 1324 | 3560 | setup_install.exe | 82 (3 entries)
PID 848 wrote to memory of 60 | 848 | cmd.exe | 83 (3 entries)
PID 3560 wrote to memory of 8 | 3560 | setup_install.exe | 98 (3 entries)
PID 660 wrote to memory of 1176 | 660 | cmd.exe | 97 (3 entries)
PID 1032 wrote to memory of 3464 | 1032 | cmd.exe | 96 (3 entries)
PID 3560 wrote to memory of 1436 | 3560 | setup_install.exe | 95 (3 entries)
PID 392 wrote to memory of 2308 | 392 | cmd.exe | 94 (3 entries)
PID 880 wrote to memory of 1488 | 880 | cmd.exe | 93 (3 entries)
PID 1716 wrote to memory of 1688 | 1716 | cmd.exe | 92 (1 entry)
Processes
(Nesting shows the parent/child relationship; each entry gives the image path, the command line as recorded, and the signatures triggered by that process.)

- PID 640: C:\Users\Admin\AppData\Local\Temp\ff8c781d133727099271c37a67cbcd0b900bb37666b01e2c1a68015e3e39a238.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\ff8c781d133727099271c37a67cbcd0b900bb37666b01e2c1a68015e3e39a238.exe"
  signatures: Suspicious use of WriteProcessMemory
  - PID 3560: C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\setup_install.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\setup_install.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - PID 2636: C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      - PID 3236: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        signatures: Suspicious use of AdjustPrivilegeToken
    - PID 664: C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      - PID 2580: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        signatures: Suspicious use of AdjustPrivilegeToken
    - PID 392: C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c Fri14fed4dd4c.exe
      signatures: Suspicious use of WriteProcessMemory
      - PID 2308: C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\Fri14fed4dd4c.exe
        cmdline: Fri14fed4dd4c.exe
        signatures: Executes dropped EXE; Loads dropped DLL; Checks processor information in registry
        - PID 4832: C:\Windows\SysWOW64\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im Fri14fed4dd4c.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\Fri14fed4dd4c.exe" & del C:\ProgramData\*.dll & exit
          - PID 2328: C:\Windows\SysWOW64\taskkill.exe
            cmdline: taskkill /im Fri14fed4dd4c.exe /f
            signatures: Kills process with taskkill
          - PID 4416: C:\Windows\SysWOW64\timeout.exe
            cmdline: timeout /t 6
            signatures: Delays execution with timeout.exe
    - PID 880: C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c Fri149ff4ed45.exe /mixtwo
      signatures: Suspicious use of WriteProcessMemory
      - PID 1488: C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\Fri149ff4ed45.exe
        cmdline: Fri149ff4ed45.exe /mixtwo
        signatures: Executes dropped EXE
    - PID 660: C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c Fri143c500f61323d.exe
      signatures: Suspicious use of WriteProcessMemory
      - PID 1176: C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\Fri143c500f61323d.exe
        cmdline: Fri143c500f61323d.exe
        signatures: Executes dropped EXE
        - PID 2064: C:\Users\Admin\AppData\Local\Temp\is-QRHU0.tmp\Fri143c500f61323d.tmp
          cmdline: "C:\Users\Admin\AppData\Local\Temp\is-QRHU0.tmp\Fri143c500f61323d.tmp" /SL5="$40050,140047,56320,C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\Fri143c500f61323d.exe"
          signatures: Executes dropped EXE; Loads dropped DLL
          - PID 1600: C:\Users\Admin\AppData\Local\Temp\is-T7CUS.tmp\Tougay.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\is-T7CUS.tmp\Tougay.exe" /S /UID=91
            signatures: Executes dropped EXE
            - PID 4304: C:\Users\Admin\AppData\Local\Temp\be-068a6-997-d2cab-d9370f0aaed92\Tetehaevuqa.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\be-068a6-997-d2cab-d9370f0aaed92\Tetehaevuqa.exe"
            - PID 3584: C:\Users\Admin\AppData\Local\Temp\53-cf2c4-a6c-5ee89-f586667426d7b\Nocaevybiky.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\53-cf2c4-a6c-5ee89-f586667426d7b\Nocaevybiky.exe"
              - PID 3184: C:\Windows\System32\cmd.exe
                cmdline: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\k2wjpw5f.y1l\installer.exe /qn CAMPAIGN="654" & exit
                - PID 4136: C:\Users\Admin\AppData\Local\Temp\k2wjpw5f.y1l\installer.exe
                  cmdline: C:\Users\Admin\AppData\Local\Temp\k2wjpw5f.y1l\installer.exe /qn CAMPAIGN="654"
              - PID 672: C:\Windows\System32\cmd.exe
                cmdline: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gpthy34z.d0f\any.exe & exit
                - PID 1724: C:\Users\Admin\AppData\Local\Temp\gpthy34z.d0f\any.exe
                  cmdline: C:\Users\Admin\AppData\Local\Temp\gpthy34z.d0f\any.exe
                  - PID 4900: C:\Users\Admin\AppData\Local\Temp\gpthy34z.d0f\any.exe
                    cmdline: "C:\Users\Admin\AppData\Local\Temp\gpthy34z.d0f\any.exe" -u
              - PID 4768: C:\Windows\System32\cmd.exe
                cmdline: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pozvkn4f.w1s\autosubplayer.exe /S & exit
    - PID 852: C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c Fri14d193ac82a5.exe
      - PID 1800: C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\Fri14d193ac82a5.exe
        cmdline: Fri14d193ac82a5.exe
        signatures: Executes dropped EXE
        - PID 3708: C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\Fri14d193ac82a5.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\Fri14d193ac82a5.exe" -u
          signatures: Executes dropped EXE
    - PID 3656: C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c Fri146baa2ec1f15e96.exe
      - PID 2452: C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\Fri146baa2ec1f15e96.exe
        cmdline: Fri146baa2ec1f15e96.exe
        signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
        - PID 1636: C:\Windows\SysWOW64\cmd.exe
          cmdline: cmd.exe /c taskkill /f /im chrome.exe
          - PID 4220: C:\Windows\SysWOW64\taskkill.exe
            cmdline: taskkill /f /im chrome.exe
            signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    - PID 1716: C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c Fri14a519effa1518b96.exe
      signatures: Suspicious use of WriteProcessMemory
      - PID 1688: C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\Fri14a519effa1518b96.exe
        cmdline: Fri14a519effa1518b96.exe
        signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
        - PID 820: C:\Users\Admin\AppData\Local\2e0375ee-a43b-42df-ba36-ab039d40d12b.exe
          cmdline: "C:\Users\Admin\AppData\Local\2e0375ee-a43b-42df-ba36-ab039d40d12b.exe"
          signatures: Executes dropped EXE
        - PID 4136: C:\Users\Admin\AppData\Local\67fa46ba-24d6-4824-8efe-f8c57db5faef.exe
          cmdline: "C:\Users\Admin\AppData\Local\67fa46ba-24d6-4824-8efe-f8c57db5faef.exe"
          signatures: Executes dropped EXE
          - PID 4944: C:\Users\Admin\AppData\Roaming\53099917\1721898517218985.exe
            cmdline: "C:\Users\Admin\AppData\Roaming\53099917\1721898517218985.exe"
        - PID 4280: C:\Users\Admin\AppData\Local\6c7867a1-5a60-4683-86c8-7d9830d80e85.exe
          cmdline: "C:\Users\Admin\AppData\Local\6c7867a1-5a60-4683-86c8-7d9830d80e85.exe"
          signatures: Executes dropped EXE
        - PID 4420: C:\Users\Admin\AppData\Local\ac2517d2-4b44-400e-97ff-19f757a0eeb1.exe
          cmdline: "C:\Users\Admin\AppData\Local\ac2517d2-4b44-400e-97ff-19f757a0eeb1.exe"
        - PID 4504: C:\Users\Admin\AppData\Local\46f4104f-8003-41ca-8e42-52ca166a1523.exe
          cmdline: "C:\Users\Admin\AppData\Local\46f4104f-8003-41ca-8e42-52ca166a1523.exe"
          - PID 3632: C:\Users\Admin\AppData\Roaming\8901738.exe
            cmdline: "C:\Users\Admin\AppData\Roaming\8901738.exe"
            - PID 3768: C:\Windows\SysWOW64\control.exe
              cmdline: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
              - PID 1520: C:\Windows\SysWOW64\rundll32.exe
                cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
    - PID 848: C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c Fri144567c7f86b7511.exe
      signatures: Suspicious use of WriteProcessMemory
      - PID 60: C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\Fri144567c7f86b7511.exe
        cmdline: Fri144567c7f86b7511.exe
        signatures: Executes dropped EXE
        - PID 1504: C:\Users\Admin\AppData\Local\Temp\11111.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
          signatures: Executes dropped EXE
    - PID 1004: C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c Fri14c3adc4723bc626.exe
      - PID 1924: C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\Fri14c3adc4723bc626.exe
        cmdline: Fri14c3adc4723bc626.exe
        signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken
        - PID 1392: C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\Fri14c3adc4723bc626.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\Fri14c3adc4723bc626.exe
          signatures: Executes dropped EXE
    - PID 1032: C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c Fri14c6d5d2017a22.exe
      signatures: Suspicious use of WriteProcessMemory
      - PID 3464: C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\Fri14c6d5d2017a22.exe
        cmdline: Fri14c6d5d2017a22.exe
        signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken
        - PID 900: C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\Fri14c6d5d2017a22.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\Fri14c6d5d2017a22.exe
          signatures: Executes dropped EXE
    - PID 1324: C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c Fri143abe7e6896.exe
      - PID 2964: C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\Fri143abe7e6896.exe
        cmdline: Fri143abe7e6896.exe
        signatures: Executes dropped EXE; Modifies registry class
        - PID 2412: C:\Windows\SysWOW64\control.exe
          cmdline: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\hkF3Ju.CPl",
          - PID 1248: C:\Windows\SysWOW64\rundll32.exe
            cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\hkF3Ju.CPl",
            signatures: Loads dropped DLL
    - PID 1796: C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c Fri144c335f1d56.exe
      - PID 1520: C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\Fri144c335f1d56.exe
        cmdline: Fri144c335f1d56.exe
        signatures: Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
    - PID 1436: C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c Fri14e14e0105.exe
      - PID 1948: C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\Fri14e14e0105.exe
        cmdline: Fri14e14e0105.exe
        signatures: Executes dropped EXE; Modifies registry class
        - PID 3808: C:\Windows\SysWOW64\control.exe
          cmdline: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\7FA1J.Cpl",
          - PID 2292: C:\Windows\SysWOW64\rundll32.exe
            cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7FA1J.Cpl",
            signatures: Loads dropped DLL
    - PID 8: C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c Fri14986dc82ad.exe
      - PID 820: C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\Fri14986dc82ad.exe
        cmdline: Fri14986dc82ad.exe
        signatures: Executes dropped EXE
    - PID 360: C:\Windows\SysWOW64\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c Fri14e4a5ae390c123.exe

- PID 1828: C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\Fri149ff4ed45.exe
  cmdline: Fri149ff4ed45.exe /mixtwo
  signatures: Executes dropped EXE
  - PID 2948: C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "Fri149ff4ed45.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\Fri149ff4ed45.exe" & exit
    - PID 4040: C:\Windows\SysWOW64\taskkill.exe
      cmdline: taskkill /im "Fri149ff4ed45.exe" /f
      signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken

- PID 2160: C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\Fri14e4a5ae390c123.exe
  cmdline: Fri14e4a5ae390c123.exe
  signatures: Executes dropped EXE
  - PID 2892: C:\Users\Admin\AppData\Local\Temp\is-FQ9N9.tmp\Fri14e4a5ae390c123.tmp
    cmdline: "C:\Users\Admin\AppData\Local\Temp\is-FQ9N9.tmp\Fri14e4a5ae390c123.tmp" /SL5="$201A2,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\Fri14e4a5ae390c123.exe"
    signatures: Executes dropped EXE; Loads dropped DLL
    - PID 1700: C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\Fri14e4a5ae390c123.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\Fri14e4a5ae390c123.exe" /SILENT
      signatures: Executes dropped EXE
      - PID 1488: C:\Users\Admin\AppData\Local\Temp\is-I5T1V.tmp\Fri14e4a5ae390c123.tmp
        cmdline: "C:\Users\Admin\AppData\Local\Temp\is-I5T1V.tmp\Fri14e4a5ae390c123.tmp" /SL5="$20202,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS0824CB56\Fri14e4a5ae390c123.exe" /SILENT
        signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext

- PID 4900: C:\Windows\system32\rundll32.exe
  cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  signatures: Process spawned unexpected child process
  - PID 4928: C:\Windows\SysWOW64\rundll32.exe
    cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

- PID 4584: C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k SystemNetworkService

- PID 3164: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

- PID 2264: C:\Windows\system32\browser_broker.exe
  cmdline: C:\Windows\system32\browser_broker.exe -Embedding

- PID 1664: C:\Windows\system32\msiexec.exe
  cmdline: C:\Windows\system32\msiexec.exe /V
  - PID 3460: C:\Windows\syswow64\MsiExec.exe
    cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 4F1E050944F1F042585A7F195F32B09C C