Analysis

max time kernel: 52s
max time network: 153s
platform: windows7_x64
resource: win7-en-20211208
submitted: 20/12/2021, 14:04

Static task: static1
Behavioral task: behavioral1
  Sample: baa50c4b5a4656ab01c2615f0f6310ff5c2029e14cd98c201e494c4b6ac073e2.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: baa50c4b5a4656ab01c2615f0f6310ff5c2029e14cd98c201e494c4b6ac073e2.exe
  Resource: win10-en-20211208

Every signature hit and the process tree on this page carry the behavioral1 prefix, i.e. they come from the Windows 7 x64 run; no behavioral2 (Windows 10) results appear here.
General

Target: baa50c4b5a4656ab01c2615f0f6310ff5c2029e14cd98c201e494c4b6ac073e2.exe
Size: 7.9MB
MD5: bd690751b9d80ef89cf73460e74ace65
SHA1: bf26afdfc51ade4ba3132fdc48ec5fd22e8041cd
SHA256: baa50c4b5a4656ab01c2615f0f6310ff5c2029e14cd98c201e494c4b6ac073e2
SHA512: eeaf49078694577d56be0020bde69c4c031951c42d8d74b7a9e73523598a2f362f0b0526daf65895f798074e530fedf53749a01e9aeb961a74d173c0ba233bd3
Malware Config

Extracted: socelars
  C2: http://www.biohazardgraphics.com/

Extracted: vidar
  version: 49.1
  profile_id: 915
  C2 resolver URLs (profiles on the Mastodon instances noc.social and c.im; the real C2 address is published there):
    https://noc.social/@sergeev46
    https://c.im/@sergeev47

Extracted: smokeloader
  version: 2020
  C2:
    http://rcacademy.at/upload/
    http://e-lanpengeonline.com/upload/
    http://vjcmvz.cn/upload/
    http://galala.ru/upload/
    http://witra.ru/upload/

Extracted: raccoon
  164fb74855c13a4287d8fe7ac579a35bdf7002ab (identifier as extracted; the field is unlabelled in the report)
  url4cnc (C2 resolver URLs; the last is a Telegram channel):
    http://194.180.174.53/takecareandkeepitup
    http://91.219.236.18/takecareandkeepitup
    http://194.180.174.41/takecareandkeepitup
    http://91.219.236.148/takecareandkeepitup
    https://t.me/takecareandkeepitup

The Vidar and Raccoon entries resolve their real C2 through public services, so for those the usable indicator is the full URL path (the profile or channel name), not the host. No RedLine configuration was extracted, although RedLine is detected in memory below.
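To turn the configuration above into something a blocklist or a hunt query can consume, the indicators need to be split into hosts that can be blocked outright and URLs on shared services that can only be hunted for. The following Python is an added example and not part of the sandbox report: the URL list is copied from the Malware Config section, while the DEAD_DROP_HOSTS set and all function names are this example's own assumptions.

```python
"""Normalise the extracted C2 configuration into blockable indicators.

Added example, not part of the sandbox report. EXTRACTED is copied from the
report's Malware Config section; DEAD_DROP_HOSTS is an assumption based on
the hostnames seen there (Telegram and two Mastodon instances).
"""
import ipaddress
from urllib.parse import urlsplit

# Copied from the report (family -> C2 / resolver URLs).
EXTRACTED = {
    "socelars": ["http://www.biohazardgraphics.com/"],
    "vidar": ["https://noc.social/@sergeev46", "https://c.im/@sergeev47"],
    "smokeloader": [
        "http://rcacademy.at/upload/",
        "http://e-lanpengeonline.com/upload/",
        "http://vjcmvz.cn/upload/",
        "http://galala.ru/upload/",
        "http://witra.ru/upload/",
    ],
    "raccoon": [
        "http://194.180.174.53/takecareandkeepitup",
        "http://91.219.236.18/takecareandkeepitup",
        "http://194.180.174.41/takecareandkeepitup",
        "http://91.219.236.148/takecareandkeepitup",
        "https://t.me/takecareandkeepitup",
    ],
}

# Assumption: legitimate public services used only as a dead-drop resolver.
# Blocking them outright is rarely an option, so they become hunt-only
# indicators (match on the path) instead of block entries (match on the host).
DEAD_DROP_HOSTS = {"t.me", "noc.social", "c.im"}


def defang(url):
    """Defang a URL so it cannot be clicked when pasted into a ticket."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def classify(url):
    """Return (indicator_type, host, action) for one C2 URL."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        kind = "ip"
    except ValueError:
        kind = "domain"
    action = "hunt" if host in DEAD_DROP_HOSTS else "block"
    return kind, host, action


def build_indicators(config=EXTRACTED):
    """Flatten the config into deduplicated indicator records."""
    seen = set()
    records = []
    for family, urls in config.items():
        for url in urls:
            kind, host, action = classify(url)
            path = urlsplit(url).path
            if (host, path) in seen:
                continue
            seen.add((host, path))
            records.append({"family": family, "type": kind, "host": host,
                            "path": path, "action": action, "url": defang(url)})
    return records


def block_list(config=EXTRACTED):
    """Hosts and IPs that can go straight onto a perimeter blocklist."""
    return sorted({r["host"] for r in build_indicators(config) if r["action"] == "block"})


def hunt_list(config=EXTRACTED):
    """Defanged full URLs on shared services: hunt for the path, do not block the host."""
    return sorted(r["url"] for r in build_indicators(config) if r["action"] == "hunt")


if __name__ == "__main__":
    for r in build_indicators():
        print(f"{r['family']:<12} {r['type']:<7} {r['action']:<6} {r['url']}")
```

The split matters in practice: the four Raccoon IPs and the SmokeLoader and Socelars domains are attacker infrastructure and safe to block, whereas t.me, noc.social and c.im are shared services where only the specific profile or channel path is an indicator.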
Signatures

Process spawned unexpected child process (1 IoC)
  Report note: this typically indicates the parent process was compromised via an exploit or macro.
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: pid 3048, pid_target 3012, rundll32.exe, procid_target 88
  Caveat: wmiprvse.exe is also the parent of every process started through WMI (Win32_Process.Create), so a component launching rundll32.exe "...\sqlite.dll",global via WMI is the more likely reading than an exploited provider host. See PID 3048 in the process tree.

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (2 IoCs)
  behavioral1/memory/1276-308-0x0000000000419336-mapping.dmp   family_redline
  behavioral1/memory/1584-310-0x0000000000419336-mapping.dmp   family_redline
  Both hits are memory-only, at the same mapping offset, in processes the tree shows as a second copy of their parent (PID 1276 under Sat07e512bb3d25c12.exe, PID 1584 under Sat07b1b1b0313ca392.exe): the payload is unpacked into a child copy of the dropper rather than written to disk, which is why no file-based RedLine hit exists.

SmokeLoader
  Modular backdoor trojan in use since 2014.

Socelars Payload (1 IoC)
  behavioral1/files/0x0005000000014070-139.dat   family_socelars

NirSoft WebBrowserPassView (3 IoCs)
  Password recovery tool for various web browsers.
  behavioral1/files/0x0006000000013919-120.dat   WebBrowserPassView
  behavioral1/files/0x0006000000013919-159.dat   WebBrowserPassView
  behavioral1/files/0x0006000000013919-137.dat   WebBrowserPassView

Nirsoft (3 IoCs)
  behavioral1/files/0x0006000000013919-120.dat   Nirsoft
  behavioral1/files/0x0006000000013919-159.dat   Nirsoft
  behavioral1/files/0x0006000000013919-137.dat   Nirsoft
  (The same file resource, 0x0006000000013919, matched by both rules: a bundled NirSoft password-recovery tool, not a malware family in its own right.)

Vidar Stealer (2 IoCs)
  behavioral1/memory/608-216-0x0000000000770000-0x0000000000849000-memory.dmp   family_vidar
  behavioral1/memory/608-218-0x0000000000400000-0x0000000000539000-memory.dmp   family_vidar
  PID 608 is Sat07e2f23596cb8.exe in the tree; it is also the process that runs the taskkill / timeout / del self-deletion chain.

Packer: ASPack 2.12-2.42 (YARA rule aspack_v212_v242, 6 IoCs)
  behavioral1/files/0x00060000000133c1-71.dat   aspack_v212_v242
  behavioral1/files/0x00060000000133c1-72.dat   aspack_v212_v242
  behavioral1/files/0x0006000000013413-70.dat   aspack_v212_v242
  behavioral1/files/0x0006000000013413-69.dat   aspack_v212_v242
  behavioral1/files/0x00060000000138cb-75.dat   aspack_v212_v242
  behavioral1/files/0x00060000000138cb-76.dat   aspack_v212_v242
Downloads MZ/PE file
  (no IoC rows listed)

Executes dropped EXE (22 IoCs)
  1328  setup_installer.exe
  944   setup_install.exe
  1628  Sat07339203f83d3c6a6.exe
  1588  Sat07182c98d9d91b.exe
  808   Sat0746aaa34cc0.exe
  984   Sat071c3f958e60606ae.exe
  1624  Sat0772425d29abfc.exe
  1548  Sat0792b2c8ba54f57b.exe
  764   Sat0792179ccd.exe
  608   Sat07e2f23596cb8.exe
  1672  Sat07b7c2fec3.exe
  1056  Sat07937d3437557c6.exe
  1500  Sat07d2e8e1add.exe
  2016  Sat07b1b1b0313ca392.exe
  1876  Sat07e512bb3d25c12.exe
  1636  Sat07d63edd40e879f.exe
  1764  Sat0795fb63be7.exe
  1948  Sat072dbd2907c3.exe
  1744  Sat07d63edd40e879f.exe
  1080  Sat072dbd2907c3.tmp
  1532  @.cmd
  1116  Sat071c3f958e60606ae.tmp

Loads dropped DLL (64 IoCs; repeated pid/process rows collapsed, count in parentheses)
  808   baa50c4b5a4656ab01c2615f0f6310ff5c2029e14cd98c201e494c4b6ac073e2.exe (1)
  1328  setup_installer.exe (6)
  944   setup_install.exe (8)
  692   cmd.exe (1)
  1184  cmd.exe (1)
  1016  cmd.exe (1)
  1964  cmd.exe (2)
  584   cmd.exe (1)
  1276  cmd.exe (2)
  1924  cmd.exe (1)
  1628  Sat07339203f83d3c6a6.exe (2)
  808   Sat0746aaa34cc0.exe (2)
  872   cmd.exe (2)
  1624  Sat0772425d29abfc.exe (2)
  608   Sat07e2f23596cb8.exe (2)
  1548  Sat0792b2c8ba54f57b.exe (2)
  1940  cmd.exe (1)
  1512  cmd.exe (2)
  1672  Sat07b7c2fec3.exe (2)
  1056  Sat07937d3437557c6.exe (3)
  1640  cmd.exe (1)
  1180  cmd.exe (2)
  2044  cmd.exe (2)
  1700  cmd.exe (1)
  704   cmd.exe (2)
  516   cmd.exe (1)
  2016  Sat07b1b1b0313ca392.exe (2)
  1636  Sat07d63edd40e879f.exe (3)
  1764  Sat0795fb63be7.exe (2)
  1876  Sat07e512bb3d25c12.exe (2)
  1948  Sat072dbd2907c3.exe (2)
  PID 808 appears twice because the PID was reused: first by the top-level sample, later by Sat0746aaa34cc0.exe.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created:     \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce   Sat07339203f83d3c6a6.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   Sat07339203f83d3c6a6.exe
  Caveat: a wextract_cleanup0 RunOnce value pointing at advpack.dll,DelNodeRunDLL32 for an IXP000.TMP directory is the standard cleanup entry written by the Windows WEXTRACT/IExpress self-extractor (it deletes the extraction directory at next logon), not a persistence mechanism. The persistence that matters in this run is the x.vbs that @.cmd writes into the Startup folder (PID 2192 in the process tree).
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
  No IoC row is listed; this corresponds to the Telegram (t.me) and Mastodon (noc.social, c.im) URLs in the extracted Raccoon and Vidar configurations above.

Looks up external IP address via web service (4 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 107  ipinfo.io
  flow 110  ipinfo.io
  flow 41   ipinfo.io
  flow 47   ipinfo.io

Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.

Enumerates physical storage devices (1 TTPs)
  Report note: attempts to interact with connected storage/optical drive(s); likely ransomware behaviour.
  Caveat: no ransomware family was identified in this run. The identified payloads are stealers and loaders, so drive enumeration here is better read as file collection or environment checking than as encryption.

Program crash (2 IoCs)
  WerFault.exe 2980  crashed process 2360 (@.cmd)               procid_target 78
  WerFault.exe 1540  crashed process 1672 (Sat07b7c2fec3.exe)   procid_target 61

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments: the device-ID subkeys under Enum\SCSI carry the disk vendor and product strings, which on a virtual machine name the hypervisor.
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   Sat0746aaa34cc0.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   Sat0746aaa34cc0.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   Sat0746aaa34cc0.exe
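What a check against that key looks like, as an added example rather than the sample's own code: the logic a reviewer needs to recognise in a disassembly and a sandbox operator needs to defeat. The Windows registry call is guarded so the module imports anywhere; the device-ID lists, the marker list and the function names are this example's constructions, with the VMware strings being the form such IDs usually take.

```python
r"""Hypervisor check via HKLM\SYSTEM\ControlSet001\Enum\SCSI device IDs.

Added example, not the sample's code. Each subkey under Enum\SCSI is a
device ID like "Disk&Ven_VMware&Prod_Virtual_disk"; a sandbox that has not
renamed its virtual disks gives itself away in the vendor/product fields.
VM_MARKERS, the SAMPLE_* lists and all function names are constructed here.
"""
import sys

# Vendor/product fragments that identify a hypervisor-backed disk (assumption).
VM_MARKERS = ("vmware", "vbox", "virtual", "qemu", "xen")

# HKLM\SYSTEM is not redirected for 32-bit (WOW64) processes, so the same
# path works from the SysWOW64 processes that make up most of the tree above.
SCSI_KEY = r"SYSTEM\ControlSet001\Enum\SCSI"


def looks_virtual(device_ids):
    """Return the first device ID carrying a hypervisor marker, else None."""
    for dev in device_ids:
        low = dev.lower()
        if any(marker in low for marker in VM_MARKERS):
            return dev
    return None


def enumerate_scsi_device_ids():
    """Windows only: read the subkey names (device IDs) under the SCSI enum key."""
    import winreg  # ImportError on non-Windows hosts; caller must guard
    ids = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_KEY) as key:
        index = 0
        while True:
            try:
                ids.append(winreg.EnumKey(key, index))
            except OSError:  # EnumKey raises when the subkeys run out
                break
            index += 1
    return ids


# Constructed sample trees for offline use: a physical host and a VMware guest.
SAMPLE_PHYSICAL = ["Disk&Ven_SAMSUNG&Prod_SSD_860_EVO", "CdRom&Ven_HL-DT-ST&Prod_DVDRAM"]
SAMPLE_VM = ["Disk&Ven_VMware&Prod_Virtual_disk", "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00"]


if __name__ == "__main__":
    ids = enumerate_scsi_device_ids() if sys.platform == "win32" else SAMPLE_VM
    hit = looks_virtual(ids)
    print("hypervisor marker found:" if hit else "no hypervisor marker found", hit)
```

On the defensive side the useful artefact is not the marker list but the access itself: a freshly dropped executable opening and enumerating Enum\SCSI, as Sat0746aaa34cc0.exe does here, is a registry event an EDR can alert on regardless of what the disk is called.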
Delays execution with timeout.exe (1 IoC)
  1424  timeout.exe   (timeout /t 6 in the Vidar self-delete chain)

Kills process with taskkill (2 IoCs)
  2580  taskkill.exe   (taskkill /f /im chrome.exe from Sat07d2e8e1add.exe; stealers commonly close the browser so its credential and cookie databases are no longer locked)
  1636  taskkill.exe   (taskkill /im Sat07e2f23596cb8.exe /f, the first step of the Vidar self-delete chain)

Script User-Agent (1 IoC)
  Uses user-agent string associated with script host/environment.
  flow 9  HTTP User-Agent header  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  This is the default User-Agent of the WinHttp.WinHttpRequest COM object, i.e. a script or native caller using WinHTTP without setting its own header.
Suspicious behavior: EnumeratesProcesses (40 IoCs)
  808   Sat0746aaa34cc0.exe   (2)
  1224  Process not Found     (38)

Suspicious behavior: MapViewOfSection (1 IoC)
  808   Sat0746aaa34cc0.exe

Suspicious use of AdjustPrivilegeToken (34 IoCs)
  PID 1500 Sat07d2e8e1add.exe enabled, in this order: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the unnamed privileges 31, 32, 33, 34, 35.
  That is privilege LUIDs 2 through 35 in ascending order: the signature of code that calls AdjustTokenPrivileges on every LUID rather than requesting the one it needs (SeDebugPrivilege, for the process access an injector or stealer wants). Which of them actually took effect depends on what the token held, and this is the same process that later kills chrome.exe.

Suspicious use of FindShellTrayWindow (2 IoCs)
  1224  Process not Found   (2)

Suspicious use of SendNotifyMessage (2 IoCs)
  1224  Process not Found   (2)

Suspicious use of WriteProcessMemory (64 IoCs; the list stops at the report's 64-entry limit, repeated rows collapsed)
  808   baa50c4b5a4656ab01c2615f0f6310ff5c2029e14cd98c201e494c4b6ac073e2.exe   wrote to 1328   (procid_target 27)   x7
  1328  setup_installer.exe   wrote to 944    (procid_target 28)   x7
  944   setup_install.exe     wrote to 1164   (procid_target 30)   x7
  944   setup_install.exe     wrote to 1788   (procid_target 31)   x7
  944   setup_install.exe     wrote to 1924   (procid_target 32)   x7
  944   setup_install.exe     wrote to 1180   (procid_target 33)   x7
  944   setup_install.exe     wrote to 1940   (procid_target 34)   x7
  944   setup_install.exe     wrote to 1016   (procid_target 35)   x7
  944   setup_install.exe     wrote to 872    (procid_target 36)   x7
  944   setup_install.exe     wrote to 1184   (procid_target 37)   x1, cut off by the limit
  Every target here is a child the writer had just created (the cmd.exe launchers for the dropped executables), with the same seven writes per child, so these rows document process creation by the installer rather than injection into a foreign process. Because the list is truncated before the later children, any writes into the self-copies in which RedLine was found (PIDs 1276 and 1584) do not appear.
Processes
(indentation = depth in the process tree; "tags" = the signatures that fired for that process)

PID 808  C:\Users\Admin\AppData\Local\Temp\baa50c4b5a4656ab01c2615f0f6310ff5c2029e14cd98c201e494c4b6ac073e2.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\baa50c4b5a4656ab01c2615f0f6310ff5c2029e14cd98c201e494c4b6ac073e2.exe"
    tags: Loads dropped DLL; Suspicious use of WriteProcessMemory
  PID 1328  C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      tags: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    PID 944  C:\Users\Admin\AppData\Local\Temp\7zS035E0526\setup_install.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\7zS035E0526\setup_install.exe"
        tags: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      PID 1164  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        PID 2032  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      PID 1788  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        PID 1448  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      PID 1924  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat0792179ccd.exe
          tags: Loads dropped DLL
        PID 764  C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat0792179ccd.exe
            cmd: Sat0792179ccd.exe
            tags: Executes dropped EXE
      PID 1180  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat07e512bb3d25c12.exe
          tags: Loads dropped DLL
        PID 1876  C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat07e512bb3d25c12.exe
            cmd: Sat07e512bb3d25c12.exe
            tags: Executes dropped EXE; Loads dropped DLL
          PID 1276  C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat07e512bb3d25c12.exe
              cmd: C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat07e512bb3d25c12.exe
              (second copy of its parent; RedLine found in this process's memory)
      PID 1940  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat07b7c2fec3.exe
          tags: Loads dropped DLL
        PID 1672  C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat07b7c2fec3.exe
            cmd: Sat07b7c2fec3.exe
            tags: Executes dropped EXE; Loads dropped DLL
          PID 912  C:\Users\Admin\Pictures\Adobe Films\HkGqSc34OCNgBCekRR2otsIE.exe
              cmd: "C:\Users\Admin\Pictures\Adobe Films\HkGqSc34OCNgBCekRR2otsIE.exe"
          PID 1540  C:\Windows\SysWOW64\WerFault.exe
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 744
              tags: Program crash
      PID 1016  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat0772425d29abfc.exe
          tags: Loads dropped DLL
        PID 1624  C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat0772425d29abfc.exe
            cmd: Sat0772425d29abfc.exe
            tags: Executes dropped EXE; Loads dropped DLL
          PID 1432  C:\Users\Admin\AppData\Local\2ec633d1-5476-4ef5-aa20-e86a7023f5d1.exe
              cmd: "C:\Users\Admin\AppData\Local\2ec633d1-5476-4ef5-aa20-e86a7023f5d1.exe"
          PID 2228  C:\Users\Admin\AppData\Local\66289a8e-cdcc-4074-b8c2-3b8875813245.exe
              cmd: "C:\Users\Admin\AppData\Local\66289a8e-cdcc-4074-b8c2-3b8875813245.exe"
            PID 2520  C:\Users\Admin\AppData\Roaming\77442112\2204297122042971.exe
                cmd: "C:\Users\Admin\AppData\Roaming\77442112\2204297122042971.exe"
          PID 908  C:\Users\Admin\AppData\Local\3c5ffa1b-0657-425c-b80c-8692b5f2754d.exe
              cmd: "C:\Users\Admin\AppData\Local\3c5ffa1b-0657-425c-b80c-8692b5f2754d.exe"
          PID 1896  C:\Users\Admin\AppData\Local\5eab8040-4f1f-4ee9-95d1-e0d293f316cd.exe
              cmd: "C:\Users\Admin\AppData\Local\5eab8040-4f1f-4ee9-95d1-e0d293f316cd.exe"
          PID 1620  C:\Users\Admin\AppData\Local\8e68dd18-65dc-46a6-a433-7f672af0b99a.exe
              cmd: "C:\Users\Admin\AppData\Local\8e68dd18-65dc-46a6-a433-7f672af0b99a.exe"
            PID 1768  C:\Users\Admin\AppData\Roaming\6945649.exe
                cmd: "C:\Users\Admin\AppData\Roaming\6945649.exe"
      PID 872  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat07e2f23596cb8.exe
          tags: Loads dropped DLL
        PID 608  C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat07e2f23596cb8.exe
            cmd: Sat07e2f23596cb8.exe
            tags: Executes dropped EXE; Loads dropped DLL
            (Vidar found in this process's memory)
          PID 2664  C:\Windows\SysWOW64\cmd.exe
              cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im Sat07e2f23596cb8.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat07e2f23596cb8.exe" & del C:\ProgramData\*.dll & exit
            PID 1636  C:\Windows\SysWOW64\taskkill.exe
                cmd: taskkill /im Sat07e2f23596cb8.exe /f
                tags: Kills process with taskkill
            PID 1424  C:\Windows\SysWOW64\timeout.exe
                cmd: timeout /t 6
                tags: Delays execution with timeout.exe
      PID 1184  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat071c3f958e60606ae.exe
          tags: Loads dropped DLL
        PID 984  C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat071c3f958e60606ae.exe
            cmd: Sat071c3f958e60606ae.exe
            tags: Executes dropped EXE
          PID 1116  C:\Users\Admin\AppData\Local\Temp\is-HTN25.tmp\Sat071c3f958e60606ae.tmp
              cmd: "C:\Users\Admin\AppData\Local\Temp\is-HTN25.tmp\Sat071c3f958e60606ae.tmp" /SL5="$1019C,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat071c3f958e60606ae.exe"
              tags: Executes dropped EXE
            PID 2208  C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat071c3f958e60606ae.exe
                cmd: "C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat071c3f958e60606ae.exe" /SILENT
              PID 2380  C:\Users\Admin\AppData\Local\Temp\is-QJJA7.tmp\Sat071c3f958e60606ae.tmp
                  cmd: "C:\Users\Admin\AppData\Local\Temp\is-QJJA7.tmp\Sat071c3f958e60606ae.tmp" /SL5="$201C6,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat071c3f958e60606ae.exe" /SILENT
      PID 692  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat07182c98d9d91b.exe
          tags: Loads dropped DLL
        PID 1588  C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat07182c98d9d91b.exe
            cmd: Sat07182c98d9d91b.exe
            tags: Executes dropped EXE
      PID 1700  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat0795fb63be7.exe
          tags: Loads dropped DLL
        PID 1764  C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat0795fb63be7.exe
            cmd: Sat0795fb63be7.exe
            tags: Executes dropped EXE; Loads dropped DLL
          PID 2416  C:\Windows\SysWOW64\control.exe
              cmd: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\yAYsX8nJ.CpL",
            PID 2488  C:\Windows\SysWOW64\rundll32.exe
                cmd: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\yAYsX8nJ.CpL",
      PID 584  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat0792b2c8ba54f57b.exe
          tags: Loads dropped DLL
        PID 1548  C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat0792b2c8ba54f57b.exe
            cmd: Sat0792b2c8ba54f57b.exe
            tags: Executes dropped EXE; Loads dropped DLL
          PID 572  C:\Windows\SysWOW64\control.exe
              cmd: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\yAYsX8nJ.CpL",
            PID 1272  C:\Windows\SysWOW64\rundll32.exe
                cmd: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\yAYsX8nJ.CpL",
      PID 1964  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat07339203f83d3c6a6.exe
          tags: Loads dropped DLL
        PID 1628  C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat07339203f83d3c6a6.exe
            cmd: Sat07339203f83d3c6a6.exe
            tags: Executes dropped EXE; Loads dropped DLL; Adds Run key to start application
          PID 1532  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
              cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
              tags: Executes dropped EXE
            PID 2192  C:\Windows\SysWOW64\cmd.exe
                cmd: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
            PID 2360  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
                cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
              PID 2980  C:\Windows\SysWOW64\WerFault.exe
                  cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 288
                  tags: Program crash
      PID 1276  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat0746aaa34cc0.exe
          tags: Loads dropped DLL
        PID 808  C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat0746aaa34cc0.exe
            cmd: Sat0746aaa34cc0.exe
            tags: Executes dropped EXE; Loads dropped DLL; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
      PID 1512  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat07937d3437557c6.exe /mixtwo
          tags: Loads dropped DLL
        PID 1056  C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat07937d3437557c6.exe
            cmd: Sat07937d3437557c6.exe /mixtwo
            tags: Executes dropped EXE; Loads dropped DLL
          PID 1560  C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat07937d3437557c6.exe
              cmd: Sat07937d3437557c6.exe /mixtwo
      PID 1640  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat07d2e8e1add.exe
          tags: Loads dropped DLL
        PID 1500  C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat07d2e8e1add.exe
            cmd: Sat07d2e8e1add.exe
            tags: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
          PID 2732  C:\Windows\SysWOW64\cmd.exe
              cmd: cmd.exe /c taskkill /f /im chrome.exe
            PID 2580  C:\Windows\SysWOW64\taskkill.exe
                cmd: taskkill /f /im chrome.exe
                tags: Kills process with taskkill
      PID 2044  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat07b1b1b0313ca392.exe
          tags: Loads dropped DLL
        PID 2016  C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat07b1b1b0313ca392.exe
            cmd: Sat07b1b1b0313ca392.exe
            tags: Executes dropped EXE; Loads dropped DLL
          PID 1584  C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat07b1b1b0313ca392.exe
              cmd: C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat07b1b1b0313ca392.exe
              (second copy of its parent; RedLine found in this process's memory)
      PID 516  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat072dbd2907c3.exe
          tags: Loads dropped DLL
        PID 1948  C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat072dbd2907c3.exe
            cmd: Sat072dbd2907c3.exe
            tags: Executes dropped EXE; Loads dropped DLL
          PID 1080  C:\Users\Admin\AppData\Local\Temp\is-2KS13.tmp\Sat072dbd2907c3.tmp
              cmd: "C:\Users\Admin\AppData\Local\Temp\is-2KS13.tmp\Sat072dbd2907c3.tmp" /SL5="$110154,140047,56320,C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat072dbd2907c3.exe"
              tags: Executes dropped EXE
            PID 2676  C:\Users\Admin\AppData\Local\Temp\is-9T23L.tmp\Tougay.exe
                cmd: "C:\Users\Admin\AppData\Local\Temp\is-9T23L.tmp\Tougay.exe" /S /UID=91
              PID 2796  C:\Users\Admin\AppData\Local\Temp\4b-8a187-14a-ec898-8873513cbfbb5\Jacozhevizha.exe
                  cmd: "C:\Users\Admin\AppData\Local\Temp\4b-8a187-14a-ec898-8873513cbfbb5\Jacozhevizha.exe"
              PID 1544  C:\Users\Admin\AppData\Local\Temp\6f-3668f-aeb-663ae-bd657120ab4a2\Gipisysazhu.exe
                  cmd: "C:\Users\Admin\AppData\Local\Temp\6f-3668f-aeb-663ae-bd657120ab4a2\Gipisysazhu.exe"
      PID 704  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat07d63edd40e879f.exe
          tags: Loads dropped DLL

PID 1636  C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat07d63edd40e879f.exe
    cmd: Sat07d63edd40e879f.exe
    tags: Executes dropped EXE; Loads dropped DLL
    (the executable that cmd.exe PID 704 was asked to run; the report shows it without a parent link)
  PID 1744  C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat07d63edd40e879f.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat07d63edd40e879f.exe" -u
      tags: Executes dropped EXE

PID 3048  C:\Windows\system32\rundll32.exe
    cmd: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    tags: Process spawned unexpected child process
    (parent is wmiprvse.exe per the signature above, i.e. launched through WMI)
  PID 2068  C:\Windows\SysWOW64\rundll32.exe
      cmd: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
      (the 64-bit rundll32.exe re-launches its 32-bit counterpart when handed a 32-bit DLL)

PID 2328  C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k SystemNetworkService

Reading the tree: 7zS035E0526 is a 7-Zip SFX extraction directory, the is-*.tmp\*.tmp /SL5= re-launches (PIDs 1116, 2380, 1080) are the Inno Setup stub pattern, and IXP000.TMP is a WEXTRACT/IExpress extraction directory. setup_install.exe (PID 944) is the fan-out point: it first disables Defender real-time monitoring and sample submission and excludes its own Temp directory from scanning, then launches each dropped Sat07*.exe through its own cmd.exe /c. Two of the droppers run the same yAYsX8nJ.CpL through control.exe, which is the documented way a .cpl file is executed (control.exe hands it to rundll32.exe Shell32.dll,Control_RunDLL), so the rundll32 command lines there are a side effect of the .cpl, not a separate technique.
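The tree above contains six behaviours that are each worth a detection rule on their own: the Set-MpPreference / Add-MpPreference calls, the taskkill & timeout & del self-deletion chain, a .cpl executed from a user-writable directory through control.exe and Control_RunDLL, a script written into the Startup folder by an echo redirect, rundll32 loading a DLL from %TEMP%, and a LOLBin whose parent is wmiprvse.exe. The following Python is an added example and not part of the report: it runs those rules over records hand-copied from the tree. The record layout (pid, parent_image, image, cmdline), the benign control row and the rule names are this example's own constructions, not the sandbox's schema.

```python
r"""Detection rules for the behaviours visible in the process tree above.

Added example, not part of the sandbox report. SAMPLE is a hand copy
(constructed for this example) of command lines from the tree plus one
benign control row; the Proc layout and all rule names are assumptions.

  defender_tamper      Set-MpPreference -Disable* / Add-MpPreference -Exclusion*
  self_delete_chain    taskkill & timeout|ping & del in one cmd.exe
  cpl_from_user_dir    control.exe / rundll32 Control_RunDLL on a .cpl under Users, ProgramData or Temp
  startup_folder_drop  a redirect into ...\Start Menu\Programs\Startup\*.vbs|js|cmd|bat|lnk
  rundll32_user_dll    rundll32 loading a .dll from a user-writable path
  wmi_spawned_lolbin   a LOLBin whose parent image is wmiprvse.exe
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid parent_image image cmdline")

# Command-line rules: (tag, compiled regex).
RULES = [
    ("defender_tamper",
     re.compile(r"Set-MpPreference\b.*-Disable\w+|Add-MpPreference\b.*-Exclusion\w+", re.I)),
    ("self_delete_chain",
     re.compile(r"\btaskkill\b.*&.*\b(timeout|ping)\b.*&.*\bdel\b", re.I)),
    ("startup_folder_drop",
     re.compile(r'>\s*"?[^"]*\\Start Menu\\Programs\\Startup\\[^"]+\.(vbs|js|cmd|bat|lnk)', re.I)),
]

# Paths a standard user can write to; a .cpl or .dll loaded from here is suspect.
USER_WRITABLE = re.compile(r"\\Users\\|\\ProgramData\\|\\Temp\\", re.I)
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe"}


def image_rules(p):
    """Rules that need the image name or the parent, not just the command line."""
    tags = []
    image = p.image.lower()
    low = p.cmdline.lower()
    if image in ("rundll32.exe", "control.exe") and ".cpl" in low and USER_WRITABLE.search(p.cmdline):
        tags.append("cpl_from_user_dir")
    # Shell32.dll,Control_RunDLL is the .cpl case above, not a user-dir DLL load.
    if image == "rundll32.exe" and ".dll" in low and "control_rundll" not in low \
            and USER_WRITABLE.search(p.cmdline):
        tags.append("rundll32_user_dll")
    if p.parent_image.lower() == "wmiprvse.exe" and image in LOLBINS:
        tags.append("wmi_spawned_lolbin")
    return tags


def evaluate(p):
    """All tags that fire for one process record, command-line rules first."""
    tags = [tag for tag, rx in RULES if rx.search(p.cmdline)]
    return tags + image_rules(p)


def scan(procs):
    """Map pid -> tags for every record that triggered at least one rule."""
    hits = {}
    for p in procs:
        tags = evaluate(p)
        if tags:
            hits[p.pid] = tags
    return hits


# Constructed from the tree: (pid, parent image, image, command line).
SAMPLE = [
    Proc(2032, "cmd.exe", "powershell.exe",
         "powershell -inputformat none -outputformat none -NonInteractive -Command "
         "Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable"),
    Proc(1448, "cmd.exe", "powershell.exe",
         "powershell -inputformat none -outputformat none -NonInteractive -Command "
         r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"'),
    Proc(2664, "Sat07e2f23596cb8.exe", "cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c taskkill /im Sat07e2f23596cb8.exe /f & timeout /t 6 & '
         r'del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS035E0526\Sat07e2f23596cb8.exe" & del C:\ProgramData\*.dll & exit'),
    Proc(2416, "Sat0795fb63be7.exe", "control.exe",
         r'"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\yAYsX8nJ.CpL",'),
    Proc(2488, "control.exe", "rundll32.exe",
         r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\yAYsX8nJ.CpL",'),
    Proc(2192, "@.cmd", "cmd.exe",
         r'C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run '
         r'"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"'),
    Proc(3048, "wmiprvse.exe", "rundll32.exe",
         r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global'),
    # Benign control row, constructed: must trigger nothing.
    Proc(4242, "explorer.exe", "notepad.exe", r"notepad.exe C:\Users\Admin\notes.txt"),
]


if __name__ == "__main__":
    for pid, tags in scan(SAMPLE).items():
        print(f"{pid:>5}  {', '.join(tags)}")
```

Each rule stands alone on a single process record, so the same logic ports directly to Sysmon event ID 1 (ParentImage, Image, CommandLine) or an EDR process-creation table. The wmiprvse.exe rule is the cheapest of the six to run fleet-wide and the one the report's own signature fires on.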