Analysis

max time kernel: 32s
max time network: 172s
platform: windows10_x64
resource: win10-en-20211208
submitted: 20/12/2021, 14:04

Static task: static1

Behavioral task: behavioral1
  Sample: baa50c4b5a4656ab01c2615f0f6310ff5c2029e14cd98c201e494c4b6ac073e2.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: baa50c4b5a4656ab01c2615f0f6310ff5c2029e14cd98c201e494c4b6ac073e2.exe
  Resource: win10-en-20211208

General

Target: baa50c4b5a4656ab01c2615f0f6310ff5c2029e14cd98c201e494c4b6ac073e2.exe
Size: 7.9MB
MD5: bd690751b9d80ef89cf73460e74ace65
SHA1: bf26afdfc51ade4ba3132fdc48ec5fd22e8041cd
SHA256: baa50c4b5a4656ab01c2615f0f6310ff5c2029e14cd98c201e494c4b6ac073e2
SHA512: eeaf49078694577d56be0020bde69c4c031951c42d8d74b7a9e73523598a2f362f0b0526daf65895f798074e530fedf53749a01e9aeb961a74d173c0ba233bd3
Malware Config

Extracted: socelars
  http://www.biohazardgraphics.com/

Extracted: raccoon
  164fb74855c13a4287d8fe7ac579a35bdf7002ab
  url4cnc:
    http://194.180.174.53/takecareandkeepitup
    http://91.219.236.18/takecareandkeepitup
    http://194.180.174.41/takecareandkeepitup
    http://91.219.236.148/takecareandkeepitup
    https://t.me/takecareandkeepitup

Extracted: redline
  v3user1
  159.69.246.184:13127

Extracted: redline
  media18n
  65.108.69.168:13293

Extracted: vidar
  49.1
  915
  https://noc.social/@sergeev46
  https://c.im/@sergeev47
  profile_id: 915

Extracted: smokeloader
  2020
  http://rcacademy.at/upload/
  http://e-lanpengeonline.com/upload/
  http://vjcmvz.cn/upload/
  http://galala.ru/upload/
  http://witra.ru/upload/
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  description                                                                          pid   pid_target  Process       procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   4664  4784        rundll32.exe  145
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (4 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/2484-282-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
  behavioral2/memory/2484-283-0x0000000000419336-mapping.dmp                    family_redline
  behavioral2/memory/1832-317-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
  behavioral2/memory/1832-319-0x0000000000419336-mapping.dmp                    family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (2 IoCs)
  resource                                      yara_rule
  behavioral2/files/0x000500000001ab8b-233.dat  family_socelars
  behavioral2/files/0x000500000001ab8b-194.dat  family_socelars
NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
  resource                                      yara_rule
  behavioral2/files/0x000500000001ab7f-164.dat  WebBrowserPassView
  behavioral2/files/0x000500000001ab7f-220.dat  WebBrowserPassView

Nirsoft (3 IoCs)
  resource                                                                       yara_rule
  behavioral2/files/0x000500000001ab7f-164.dat                                   Nirsoft
  behavioral2/files/0x000500000001ab7f-220.dat                                   Nirsoft
  behavioral2/memory/2468-304-0x0000000000400000-0x0000000000455000-memory.dmp  Nirsoft

Vidar Stealer (2 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/3384-325-0x00000000021C0000-0x0000000002299000-memory.dmp  family_vidar
  behavioral2/memory/3384-329-0x0000000000400000-0x0000000000539000-memory.dmp  family_vidar
Yara rule aspack_v212_v242 (6 IoCs)
  resource                                      yara_rule
  behavioral2/files/0x000600000001ab74-127.dat  aspack_v212_v242
  behavioral2/files/0x000600000001ab74-128.dat  aspack_v212_v242
  behavioral2/files/0x000500000001ab7b-126.dat  aspack_v212_v242
  behavioral2/files/0x000500000001ab7d-134.dat  aspack_v212_v242
  behavioral2/files/0x000500000001ab7d-133.dat  aspack_v212_v242
  behavioral2/files/0x000500000001ab7b-130.dat  aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE (27 IoCs)
  pid   Process
  3760  setup_installer.exe
  2368  setup_install.exe
  360   Sat07e512bb3d25c12.exe
  3080  Sat07b7c2fec3.exe
  1216  Sat0795fb63be7.exe
  2188  Sat0792179ccd.exe
  3216  Sat0772425d29abfc.exe
  3384  Sat07e2f23596cb8.exe
  2260  Sat071c3f958e60606ae.exe
  2952  Sat07937d3437557c6.exe
  2872  Sat0792b2c8ba54f57b.exe
  1892  Sat07182c98d9d91b.exe
  4012  Sat07339203f83d3c6a6.exe
  3568  Sat07d2e8e1add.exe
  1480  Sat07937d3437557c6.exe
  3212  Sat07b1b1b0313ca392.exe
  3196  Sat07d63edd40e879f.exe
  3424  Sat0746aaa34cc0.exe
  2172  Tougay.exe
  1172  Sat071c3f958e60606ae.tmp
  2856  Sat072dbd2907c3.exe
  2956  Sat072dbd2907c3.tmp
  1968  @.cmd
  3028  Sat07e512bb3d25c12.exe
  2484  Sat07b1b1b0313ca392.exe
  64    Sat07e512bb3d25c12.exe
  2172  Tougay.exe

Yara rule upx (3 IoCs)
  resource                                      yara_rule
  behavioral2/files/0x000600000001ab93-243.dat  upx
  behavioral2/files/0x000600000001ab93-242.dat  upx
  behavioral2/files/0x000600000001ab93-278.dat  upx
Loads dropped DLL (8 IoCs)
  pid   Process
  2368  setup_install.exe
  2368  setup_install.exe
  2368  setup_install.exe
  2368  setup_install.exe
  2368  setup_install.exe
  2368  setup_install.exe
  1172  Sat071c3f958e60606ae.tmp
  2956  Sat072dbd2907c3.tmp

Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Key created
  ioc: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
  Process: Sat07339203f83d3c6a6.exe

  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  Process: Sat07339203f83d3c6a6.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  22    ip-api.com
  96    ipinfo.io
  97    ipinfo.io
  111   ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process                   procid_target
  PID 2952 set thread context of 1480  2952  Sat07937d3437557c6.exe    101
  PID 2172 set thread context of 1968  2172  Tougay.exe                115
  PID 3212 set thread context of 2484  3212  Sat07b1b1b0313ca392.exe   116

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  3928  1968        WerFault.exe  115

Delays execution with timeout.exe (1 IoC)
  pid   Process
  2236  timeout.exe

Kills process with taskkill (3 IoCs)
  pid   Process
  4208  taskkill.exe
  4304  taskkill.exe
  3148  taskkill.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   Process
  2172  Tougay.exe
  2172  Tougay.exe
  2844  powershell.exe
  2844  powershell.exe
  1164  powershell.exe
  1164  powershell.exe
Suspicious use of AdjustPrivilegeToken (42 IoCs)
  description                           pid   Process
  Token: SeDebugPrivilege               2188  Sat0792179ccd.exe
  Token: SeDebugPrivilege               360   Sat07e512bb3d25c12.exe
  Token: SeCreateTokenPrivilege         3568  Sat07d2e8e1add.exe
  Token: SeAssignPrimaryTokenPrivilege  3568  Sat07d2e8e1add.exe
  Token: SeLockMemoryPrivilege          3568  Sat07d2e8e1add.exe
  Token: SeIncreaseQuotaPrivilege       3568  Sat07d2e8e1add.exe
  Token: SeMachineAccountPrivilege      3568  Sat07d2e8e1add.exe
  Token: SeTcbPrivilege                 3568  Sat07d2e8e1add.exe
  Token: SeSecurityPrivilege            3568  Sat07d2e8e1add.exe
  Token: SeTakeOwnershipPrivilege       3568  Sat07d2e8e1add.exe
  Token: SeLoadDriverPrivilege          3568  Sat07d2e8e1add.exe
  Token: SeSystemProfilePrivilege       3568  Sat07d2e8e1add.exe
  Token: SeSystemtimePrivilege          3568  Sat07d2e8e1add.exe
  Token: SeProfSingleProcessPrivilege   3568  Sat07d2e8e1add.exe
  Token: SeIncBasePriorityPrivilege     3568  Sat07d2e8e1add.exe
  Token: SeCreatePagefilePrivilege      3568  Sat07d2e8e1add.exe
  Token: SeCreatePermanentPrivilege     3568  Sat07d2e8e1add.exe
  Token: SeBackupPrivilege              3568  Sat07d2e8e1add.exe
  Token: SeRestorePrivilege             3568  Sat07d2e8e1add.exe
  Token: SeShutdownPrivilege            3568  Sat07d2e8e1add.exe
  Token: SeDebugPrivilege               3568  Sat07d2e8e1add.exe
  Token: SeAuditPrivilege               3568  Sat07d2e8e1add.exe
  Token: SeSystemEnvironmentPrivilege   3568  Sat07d2e8e1add.exe
  Token: SeChangeNotifyPrivilege        3568  Sat07d2e8e1add.exe
  Token: SeRemoteShutdownPrivilege      3568  Sat07d2e8e1add.exe
  Token: SeUndockPrivilege              3568  Sat07d2e8e1add.exe
  Token: SeSyncAgentPrivilege           3568  Sat07d2e8e1add.exe
  Token: SeEnableDelegationPrivilege    3568  Sat07d2e8e1add.exe
  Token: SeManageVolumePrivilege        3568  Sat07d2e8e1add.exe
  Token: SeImpersonatePrivilege         3568  Sat07d2e8e1add.exe
  Token: SeCreateGlobalPrivilege        3568  Sat07d2e8e1add.exe
  Token: 31                             3568  Sat07d2e8e1add.exe
  Token: 32                             3568  Sat07d2e8e1add.exe
  Token: 33                             3568  Sat07d2e8e1add.exe
  Token: 34                             3568  Sat07d2e8e1add.exe
  Token: 35                             3568  Sat07d2e8e1add.exe
  Token: SeDebugPrivilege               3212  Sat07b1b1b0313ca392.exe
  Token: SeDebugPrivilege               3216  Sat0772425d29abfc.exe
  Token: SeRestorePrivilege             3928  WerFault.exe
  Token: SeBackupPrivilege              3928  WerFault.exe
  Token: SeDebugPrivilege               2844  powershell.exe
  Token: SeDebugPrivilege               1164  powershell.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 2504 wrote to memory of 3760   2504  baa50c4b5a4656ab01c2615f0f6310ff5c2029e14cd98c201e494c4b6ac073e2.exe     69
  PID 2504 wrote to memory of 3760   2504  baa50c4b5a4656ab01c2615f0f6310ff5c2029e14cd98c201e494c4b6ac073e2.exe     69
  PID 2504 wrote to memory of 3760   2504  baa50c4b5a4656ab01c2615f0f6310ff5c2029e14cd98c201e494c4b6ac073e2.exe     69
  PID 3760 wrote to memory of 2368   3760  setup_installer.exe                                                       70
  PID 3760 wrote to memory of 2368   3760  setup_installer.exe                                                       70
  PID 3760 wrote to memory of 2368   3760  setup_installer.exe                                                       70
  PID 2368 wrote to memory of 2344   2368  setup_install.exe                                                         73
  PID 2368 wrote to memory of 2344   2368  setup_install.exe                                                         73
  PID 2368 wrote to memory of 2344   2368  setup_install.exe                                                         73
  PID 2368 wrote to memory of 1196   2368  setup_install.exe                                                         74
  PID 2368 wrote to memory of 1196   2368  setup_install.exe                                                         74
  PID 2368 wrote to memory of 1196   2368  setup_install.exe                                                         74
  PID 2344 wrote to memory of 1164   2344  cmd.exe                                                                   76
  PID 2344 wrote to memory of 1164   2344  cmd.exe                                                                   76
  PID 2344 wrote to memory of 1164   2344  cmd.exe                                                                   76
  PID 1196 wrote to memory of 2844   1196  cmd.exe                                                                   75
  PID 1196 wrote to memory of 2844   1196  cmd.exe                                                                   75
  PID 1196 wrote to memory of 2844   1196  cmd.exe                                                                   75
  PID 2368 wrote to memory of 2700   2368  setup_install.exe                                                         77
  PID 2368 wrote to memory of 2700   2368  setup_install.exe                                                         77
  PID 2368 wrote to memory of 2700   2368  setup_install.exe                                                         77
  PID 2368 wrote to memory of 348    2368  setup_install.exe                                                         78
  PID 2368 wrote to memory of 348    2368  setup_install.exe                                                         78
  PID 2368 wrote to memory of 348    2368  setup_install.exe                                                         78
  PID 2368 wrote to memory of 1828   2368  setup_install.exe                                                         79
  PID 2368 wrote to memory of 1828   2368  setup_install.exe                                                         79
  PID 2368 wrote to memory of 1828   2368  setup_install.exe                                                         79
  PID 2368 wrote to memory of 924    2368  setup_install.exe                                                         82
  PID 2368 wrote to memory of 924    2368  setup_install.exe                                                         82
  PID 2368 wrote to memory of 924    2368  setup_install.exe                                                         82
  PID 2368 wrote to memory of 1424   2368  setup_install.exe                                                         80
  PID 2368 wrote to memory of 1424   2368  setup_install.exe                                                         80
  PID 2368 wrote to memory of 1424   2368  setup_install.exe                                                         80
  PID 2368 wrote to memory of 2672   2368  setup_install.exe                                                         81
  PID 2368 wrote to memory of 2672   2368  setup_install.exe                                                         81
  PID 2368 wrote to memory of 2672   2368  setup_install.exe                                                         81
  PID 2368 wrote to memory of 2652   2368  setup_install.exe                                                         84
  PID 2368 wrote to memory of 2652   2368  setup_install.exe                                                         84
  PID 2368 wrote to memory of 2652   2368  setup_install.exe                                                         84
  PID 2368 wrote to memory of 708    2368  setup_install.exe                                                         83
  PID 2368 wrote to memory of 708    2368  setup_install.exe                                                         83
  PID 2368 wrote to memory of 708    2368  setup_install.exe                                                         83
  PID 348 wrote to memory of 360     348   cmd.exe                                                                   87
  PID 348 wrote to memory of 360     348   cmd.exe                                                                   87
  PID 348 wrote to memory of 360     348   cmd.exe                                                                   87
  PID 2368 wrote to memory of 680    2368  setup_install.exe                                                         86
  PID 2368 wrote to memory of 680    2368  setup_install.exe                                                         86
  PID 2368 wrote to memory of 680    2368  setup_install.exe                                                         86
  PID 1828 wrote to memory of 3080   1828  cmd.exe                                                                   85
  PID 1828 wrote to memory of 3080   1828  cmd.exe                                                                   85
  PID 1828 wrote to memory of 3080   1828  cmd.exe                                                                   85
  PID 708 wrote to memory of 1216    708   cmd.exe                                                                   114
  PID 708 wrote to memory of 1216    708   cmd.exe                                                                   114
  PID 708 wrote to memory of 1216    708   cmd.exe                                                                   114
  PID 2368 wrote to memory of 820    2368  setup_install.exe                                                         88
  PID 2368 wrote to memory of 820    2368  setup_install.exe                                                         88
  PID 2368 wrote to memory of 820    2368  setup_install.exe                                                         88
  PID 2700 wrote to memory of 2188   2700  cmd.exe                                                                   89
  PID 2700 wrote to memory of 2188   2700  cmd.exe                                                                   89
  PID 2368 wrote to memory of 3172   2368  setup_install.exe                                                         113
  PID 2368 wrote to memory of 3172   2368  setup_install.exe                                                         113
  PID 2368 wrote to memory of 3172   2368  setup_install.exe                                                         113
  PID 924 wrote to memory of 3216    924   cmd.exe                                                                   112
  PID 924 wrote to memory of 3216    924   cmd.exe                                                                   112
Processes

The process tree below is indented by depth: each child is listed under its parent, with the executable path, the full command line and the PID of each process, followed by the signatures it triggered.

PID 2504  C:\Users\Admin\AppData\Local\Temp\baa50c4b5a4656ab01c2615f0f6310ff5c2029e14cd98c201e494c4b6ac073e2.exe
   - command: "C:\Users\Admin\AppData\Local\Temp\baa50c4b5a4656ab01c2615f0f6310ff5c2029e14cd98c201e494c4b6ac073e2.exe"
   - signatures: Suspicious use of WriteProcessMemory
   PID 3760  C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      - command: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      - signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      PID 2368  C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\setup_install.exe
         - command: "C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\setup_install.exe"
         - signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
         PID 2344  C:\Windows\SysWOW64\cmd.exe
            - command: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            - signatures: Suspicious use of WriteProcessMemory
            PID 1164  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
               - command: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
               - signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
         PID 1196  C:\Windows\SysWOW64\cmd.exe
            - command: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            - signatures: Suspicious use of WriteProcessMemory
            PID 2844  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
               - command: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
               - signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
         PID 2700  C:\Windows\SysWOW64\cmd.exe
            - command: C:\Windows\system32\cmd.exe /c Sat0792179ccd.exe
            - signatures: Suspicious use of WriteProcessMemory
            PID 2188  C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat0792179ccd.exe
               - command: Sat0792179ccd.exe
               - signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
         PID 348  C:\Windows\SysWOW64\cmd.exe
            - command: C:\Windows\system32\cmd.exe /c Sat07e512bb3d25c12.exe
            - signatures: Suspicious use of WriteProcessMemory
            PID 360  C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat07e512bb3d25c12.exe
               - command: Sat07e512bb3d25c12.exe
               - signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
               PID 3028  C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat07e512bb3d25c12.exe
                  - command: C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat07e512bb3d25c12.exe
                  - signatures: Executes dropped EXE
               PID 64  C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat07e512bb3d25c12.exe
                  - command: C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat07e512bb3d25c12.exe
                  - signatures: Executes dropped EXE
               PID 1832  C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat07e512bb3d25c12.exe
                  - command: C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat07e512bb3d25c12.exe
         PID 1828  C:\Windows\SysWOW64\cmd.exe
            - command: C:\Windows\system32\cmd.exe /c Sat07b7c2fec3.exe
            - signatures: Suspicious use of WriteProcessMemory
            PID 3080  C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat07b7c2fec3.exe
               - command: Sat07b7c2fec3.exe
               - signatures: Executes dropped EXE
         PID 1424  C:\Windows\SysWOW64\cmd.exe
            - command: C:\Windows\system32\cmd.exe /c Sat07e2f23596cb8.exe
            PID 3384  C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat07e2f23596cb8.exe
               - command: Sat07e2f23596cb8.exe
               - signatures: Executes dropped EXE
               PID 4732  C:\Windows\SysWOW64\cmd.exe
                  - command: "C:\Windows\System32\cmd.exe" /c taskkill /im Sat07e2f23596cb8.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat07e2f23596cb8.exe" & del C:\ProgramData\*.dll & exit
                  PID 3148  C:\Windows\SysWOW64\taskkill.exe
                     - command: taskkill /im Sat07e2f23596cb8.exe /f
                     - signatures: Kills process with taskkill
                  PID 2236  C:\Windows\SysWOW64\timeout.exe
                     - command: timeout /t 6
                     - signatures: Delays execution with timeout.exe
         PID 2672  C:\Windows\SysWOW64\cmd.exe
            - command: C:\Windows\system32\cmd.exe /c Sat071c3f958e60606ae.exe
            PID 2260  C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat071c3f958e60606ae.exe
               - command: Sat071c3f958e60606ae.exe
               - signatures: Executes dropped EXE
         PID 924  C:\Windows\SysWOW64\cmd.exe
            - command: C:\Windows\system32\cmd.exe /c Sat0772425d29abfc.exe
            - signatures: Suspicious use of WriteProcessMemory
            PID 3216  C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat0772425d29abfc.exe
               - command: Sat0772425d29abfc.exe
               - signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
               PID 4340  C:\Users\Admin\AppData\Local\2410d18d-f050-4439-8438-2cd9e40dcf26.exe
                  - command: "C:\Users\Admin\AppData\Local\2410d18d-f050-4439-8438-2cd9e40dcf26.exe"
               PID 4476  C:\Users\Admin\AppData\Local\c33280f7-ed30-4cfe-b999-ff62e5a634ed.exe
                  - command: "C:\Users\Admin\AppData\Local\c33280f7-ed30-4cfe-b999-ff62e5a634ed.exe"
                  PID 1376  C:\Users\Admin\AppData\Roaming\27786009\6715238867152388.exe
                     - command: "C:\Users\Admin\AppData\Roaming\27786009\6715238867152388.exe"
               PID 4668  C:\Users\Admin\AppData\Local\5459279c-a073-43c1-9fab-053f4db3ac63.exe
                  - command: "C:\Users\Admin\AppData\Local\5459279c-a073-43c1-9fab-053f4db3ac63.exe"
               PID 4760  C:\Users\Admin\AppData\Local\d0502379-7e32-419c-8636-d460a07d7443.exe
                  - command: "C:\Users\Admin\AppData\Local\d0502379-7e32-419c-8636-d460a07d7443.exe"
               PID 4804  C:\Users\Admin\AppData\Local\5989a8a8-e3d4-49dd-922b-ccca758dc04d.exe
                  - command: "C:\Users\Admin\AppData\Local\5989a8a8-e3d4-49dd-922b-ccca758dc04d.exe"
                  PID 4944  C:\Users\Admin\AppData\Roaming\3067966.exe
                     - command: "C:\Users\Admin\AppData\Roaming\3067966.exe"
                     PID 1272  C:\Windows\SysWOW64\control.exe
                        - command: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                        PID 2192  C:\Windows\SysWOW64\rundll32.exe
                           - command: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                           PID 4124  C:\Windows\system32\RunDll32.exe
                              - command: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                              PID 3124  C:\Windows\SysWOW64\rundll32.exe
                                 - command: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
         PID 708  C:\Windows\SysWOW64\cmd.exe
            - command: C:\Windows\system32\cmd.exe /c Sat0795fb63be7.exe
            - signatures: Suspicious use of WriteProcessMemory
            PID 1216  C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat0795fb63be7.exe
               - command: Sat0795fb63be7.exe
               - signatures: Executes dropped EXE
               PID 3896  C:\Windows\SysWOW64\control.exe
                  - command: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\yAYsX8nJ.CpL",
                  PID 4452  C:\Windows\SysWOW64\rundll32.exe
                     - command: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\yAYsX8nJ.CpL",
         PID 2652  C:\Windows\SysWOW64\cmd.exe
            - command: C:\Windows\system32\cmd.exe /c Sat07182c98d9d91b.exe
            PID 1892  C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat07182c98d9d91b.exe
               - command: Sat07182c98d9d91b.exe
               - signatures: Executes dropped EXE
               PID 2468  C:\Users\Admin\AppData\Local\Temp\11111.exe
                  - command: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
         PID 680  C:\Windows\SysWOW64\cmd.exe
            - command: C:\Windows\system32\cmd.exe /c Sat0792b2c8ba54f57b.exe
            PID 2872  C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat0792b2c8ba54f57b.exe
               - command: Sat0792b2c8ba54f57b.exe
               - signatures: Executes dropped EXE
               PID 2124  C:\Windows\SysWOW64\control.exe
                  - command: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\yAYsX8nJ.CpL",
                  PID 4460  C:\Windows\SysWOW64\rundll32.exe
                     - command: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\yAYsX8nJ.CpL",
         PID 820  C:\Windows\SysWOW64\cmd.exe
            - command: C:\Windows\system32\cmd.exe /c Sat07339203f83d3c6a6.exe
            PID 4012  C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat07339203f83d3c6a6.exe
               - command: Sat07339203f83d3c6a6.exe
               - signatures: Executes dropped EXE; Adds Run key to start application
         PID 2532  C:\Windows\SysWOW64\cmd.exe
            - command: C:\Windows\system32\cmd.exe /c Sat072dbd2907c3.exe
         PID 2380  C:\Windows\SysWOW64\cmd.exe
            - command: C:\Windows\system32\cmd.exe /c Sat07d63edd40e879f.exe
         PID 2128  C:\Windows\SysWOW64\cmd.exe
            - command: C:\Windows\system32\cmd.exe /c Sat07b1b1b0313ca392.exe
         PID 1572  C:\Windows\SysWOW64\cmd.exe
            - command: C:\Windows\system32\cmd.exe /c Sat07d2e8e1add.exe
         PID 1396  C:\Windows\SysWOW64\cmd.exe
            - command: C:\Windows\system32\cmd.exe /c Sat07937d3437557c6.exe /mixtwo
         PID 3172  C:\Windows\SysWOW64\cmd.exe
            - command: C:\Windows\system32\cmd.exe /c Sat0746aaa34cc0.exe

PID 3568  C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat07d2e8e1add.exe
   - command: Sat07d2e8e1add.exe
   - signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
   PID 2148  C:\Windows\SysWOW64\cmd.exe
      - command: cmd.exe /c taskkill /f /im chrome.exe
      PID 4304  C:\Windows\SysWOW64\taskkill.exe
         - command: taskkill /f /im chrome.exe
         - signatures: Kills process with taskkill

PID 3196  C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat07d63edd40e879f.exe
   - command: Sat07d63edd40e879f.exe
   - signatures: Executes dropped EXE
   PID 2480  C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat07d63edd40e879f.exe
      - command: "C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat07d63edd40e879f.exe" -u

PID 1172  C:\Users\Admin\AppData\Local\Temp\is-MGK43.tmp\Sat071c3f958e60606ae.tmp
   - command: "C:\Users\Admin\AppData\Local\Temp\is-MGK43.tmp\Sat071c3f958e60606ae.tmp" /SL5="$3004A,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat071c3f958e60606ae.exe"
   - signatures: Executes dropped EXE; Loads dropped DLL
   PID 4032  C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat071c3f958e60606ae.exe
      - command: "C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat071c3f958e60606ae.exe" /SILENT
      PID 4200  C:\Users\Admin\AppData\Local\Temp\is-1DT1Q.tmp\Sat071c3f958e60606ae.tmp
         - command: "C:\Users\Admin\AppData\Local\Temp\is-1DT1Q.tmp\Sat071c3f958e60606ae.tmp" /SL5="$2020E,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat071c3f958e60606ae.exe" /SILENT

PID 2956  C:\Users\Admin\AppData\Local\Temp\is-2V7Q6.tmp\Sat072dbd2907c3.tmp
   - command: "C:\Users\Admin\AppData\Local\Temp\is-2V7Q6.tmp\Sat072dbd2907c3.tmp" /SL5="$10212,140047,56320,C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat072dbd2907c3.exe"
   - signatures: Executes dropped EXE; Loads dropped DLL
   PID 2172  C:\Users\Admin\AppData\Local\Temp\is-QVA0D.tmp\Tougay.exe
      - command: "C:\Users\Admin\AppData\Local\Temp\is-QVA0D.tmp\Tougay.exe" /S /UID=91
      - signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses
      PID 2284  C:\Users\Admin\AppData\Local\Temp\63-15663-cbd-8abab-b484822725de8\Vumaeshudabo.exe
         - command: "C:\Users\Admin\AppData\Local\Temp\63-15663-cbd-8abab-b484822725de8\Vumaeshudabo.exe"
      PID 2748  C:\Users\Admin\AppData\Local\Temp\b4-a7525-c94-f599f-f10dd494962b0\SHaexujosola.exe
         - command: "C:\Users\Admin\AppData\Local\Temp\b4-a7525-c94-f599f-f10dd494962b0\SHaexujosola.exe"
         PID 5232  C:\Windows\System32\cmd.exe
            - command: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fr2eu2jy.xa2\installer.exe /qn CAMPAIGN="654" & exit
            PID 5840  C:\Users\Admin\AppData\Local\Temp\fr2eu2jy.xa2\installer.exe
               - command: C:\Users\Admin\AppData\Local\Temp\fr2eu2jy.xa2\installer.exe /qn CAMPAIGN="654"
         PID 5392  C:\Windows\System32\cmd.exe
            - command: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kaaq0q0n.pj0\any.exe & exit
            PID 5928  C:\Users\Admin\AppData\Local\Temp\kaaq0q0n.pj0\any.exe
               - command: C:\Users\Admin\AppData\Local\Temp\kaaq0q0n.pj0\any.exe
         PID 5544  C:\Windows\System32\cmd.exe
            - command: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l2pffhgr.4qk\autosubplayer.exe /S & exit

PID 1832  C:\Windows\SysWOW64\cmd.exe
   - command: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

PID 2856  C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat072dbd2907c3.exe
   - command: Sat072dbd2907c3.exe
   - signatures: Executes dropped EXE

PID 2172  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
   - command: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
   PID 1968  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
      - command: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
      - signatures: Executes dropped EXE
      PID 3928  C:\Windows\SysWOW64\WerFault.exe
         - command: C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 600
         - signatures: Program crash; Suspicious use of AdjustPrivilegeToken

PID 3424  C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat0746aaa34cc0.exe
   - command: Sat0746aaa34cc0.exe
   - signatures: Executes dropped EXE

PID 3212  C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat07b1b1b0313ca392.exe
   - command: Sat07b1b1b0313ca392.exe
   - signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken
   PID 2484  C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat07b1b1b0313ca392.exe
      - command: C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat07b1b1b0313ca392.exe
      - signatures: Executes dropped EXE

PID 1480  C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat07937d3437557c6.exe
   - command: Sat07937d3437557c6.exe /mixtwo
   - signatures: Executes dropped EXE
   PID 4932  C:\Windows\SysWOW64\cmd.exe
      - command: "C:\Windows\System32\cmd.exe" /c taskkill /im "Sat07937d3437557c6.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat07937d3437557c6.exe" & exit
      PID 4208  C:\Windows\SysWOW64\taskkill.exe
         - command: taskkill /im "Sat07937d3437557c6.exe" /f
         - signatures: Kills process with taskkill

PID 2952  C:\Users\Admin\AppData\Local\Temp\7zS0BE59CB6\Sat07937d3437557c6.exe
   - command: Sat07937d3437557c6.exe /mixtwo
   - signatures: Executes dropped EXE; Suspicious use of SetThreadContext

PID 4664  C:\Windows\system32\rundll32.exe
   - command: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
   - signatures: Process spawned unexpected child process
   PID 1288  C:\Windows\SysWOW64\rundll32.exe
      - command: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

PID 2380  C:\Windows\system32\svchost.exe
   - command: C:\Windows\system32\svchost.exe -k SystemNetworkService