Analysis
max time kernel: 158s
max time network: 158s
platform: windows7_x64
resource: win7-en-20211208
submitted: 20/12/2021, 14:04

Static task: static1
Behavioral task: behavioral1
  Sample: b92625560c246d61a57b07fa793b92926260bdd983b04459f60ccd10c1cf63f2.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: b92625560c246d61a57b07fa793b92926260bdd983b04459f60ccd10c1cf63f2.exe
  Resource: win10-en-20211208

Every signature hit, YARA match and the process tree on this page come from behavioral1 (the Windows 7 x64 run); the Windows 10 run is listed as a task but none of its results are included here.
General
Target: b92625560c246d61a57b07fa793b92926260bdd983b04459f60ccd10c1cf63f2.exe
Size: 7.2MB
MD5: 8d942065370ff79150835e15d4cc409b
SHA1: 271cd3e2a95c82ca508f6d0f5e8750edfaa004bc
SHA256: b92625560c246d61a57b07fa793b92926260bdd983b04459f60ccd10c1cf63f2
SHA512: 46838faca94854e539f5bdd4b29c5f433af98ba7ad8d86cea52c0adc6e085dbc4c570ad501f5682fe5ca261b626d48cf73b9633fb27cc480d1772dde63d673d5
Malware Config

Extracted: socelars
  C2: http://www.biohazardgraphics.com/

Extracted: vidar
  version: 49.1
  botnet: 915
  C2: https://noc.social/@sergeev46, https://c.im/@sergeev47
  profile_id: 915
  The two "C2" entries are profile pages on public Mastodon instances, not the stealer's upload server: Vidar reads its real C2 address out of the profile text (the "Legitimate hosting services abused for malware hosting/C2" signature below is this). Block the profiles, but expect the actual exfiltration host to be whatever the profile pointed to at run time.

Extracted: smokeloader
  version: 2020
  C2: http://rcacademy.at/upload/
      http://e-lanpengeonline.com/upload/
      http://vjcmvz.cn/upload/
      http://galala.ru/upload/
      http://witra.ru/upload/
Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
rundll32.exe (PID 2836, procid_target 76) was started by C:\Windows\system32\wbem\wmiprvse.exe (PID 2484), which is not expected to spawn it. Its command line, rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global, appears as a root of the process tree below because wmiprvse.exe itself is not part of the tree. A WMI-launched rundll32 loading a DLL out of %TEMP% is worth an alert on its own; an sqlite library dropped next to a stealer is consistent with parsing browser databases, which matches the Vidar and NirSoft hits below.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 1 IoCs
resource: behavioral1/memory/3040-278-0x0000000000419336-mapping.dmp; yara_rule: family_redline
The only RedLine match is in memory, in PID 3040. That is the second copy of Sat04582c0a08.exe, started by PID 988, which then set its thread context (see "Suspicious use of SetThreadContext" below): the RedLine payload was injected into the child rather than written to disk as a separate file.

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload 5 IoCs
resource: behavioral1/files/0x0006000000013985-124.dat, -145.dat, -152.dat, -178.dat, -177.dat; yara_rule: family_socelars
All five hits are snapshots of the same file object (0x0006000000013985) taken at different points in the run, so this is one dropped Socelars binary, not five.
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
-
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
-
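The alert above fires on a file name inside the uploaded archive, not on the POST itself. The Python below is an added example, not part of the sandbox report or the Suricata rule, that performs the same inspection on a multipart/form-data body: it splits the parts, reads only the central directory of any part that looks like a zip (nothing is extracted), and reports members on a watch list. The request body, boundary and archive contents are constructed for the example; Passwords.txt is the name the ET rule looks for, the other watched names are assumptions in the same style.

```python
"""Flag stealer-style archives in an outbound multipart POST (added example)."""
from __future__ import annotations

import io
import re
import zipfile

# Member names worth alerting on. Passwords.txt comes from the ET rule; the
# other two are assumptions and should be tuned to local telemetry.
WATCHED_MEMBERS = {"passwords.txt", "information.txt", "screenshot.jpg"}


def parse_multipart(body: bytes, boundary: str) -> list[tuple[str | None, bytes]]:
    """Split a multipart/form-data body into (upload filename, raw data) parts."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        headers, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):           # CRLF that precedes the next delimiter
            data = data[:-2]
        m = re.search(rb'filename="([^"]*)"', headers)
        parts.append((m.group(1).decode() if m else None, data))
    return parts


def zip_members(blob: bytes) -> list[str] | None:
    """Member names if blob is a zip archive, otherwise None."""
    if not blob.startswith(b"PK\x03\x04"):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return [info.filename for info in zf.infolist()]
    except zipfile.BadZipFile:
        return None


def inspect_post(body: bytes, boundary: str) -> list[tuple[str | None, list[str]]]:
    """(upload filename, sorted watched member names) for each zip part that hits."""
    alerts = []
    for filename, data in parse_multipart(body, boundary):
        members = zip_members(data)
        if members is None:
            continue
        hits = sorted(m for m in members if m.rsplit("/", 1)[-1].lower() in WATCHED_MEMBERS)
        if hits:
            alerts.append((filename, hits))
    return alerts


def build_post(boundary: str, fields: list[tuple[str, str, bytes]]) -> bytes:
    """Constructed multipart/form-data body; fields are (name, filename, data)."""
    out = b""
    for name, filename, data in fields:
        out += (f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"; '
                f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n').encode()
        out += data + b"\r\n"
    return out + f"--{boundary}--\r\n".encode()


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {member name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


BOUNDARY = "----WebKitFormBoundaryExample1234"          # constructed
STOLEN = make_zip({                                     # constructed stand-in for stealer output
    "Passwords.txt": b"URL: https://example.test\nUSER: admin\nPASS: hunter2\n",
    "Information.txt": b"OS: Windows 7 x64\n",
    "Cookies/Chrome_Default.txt": b"",
})
SAMPLE_BODY = build_post(BOUNDARY, [
    ("hwid", "hwid.txt", b"0123456789ABCDEF"),
    ("file", "upload.zip", STOLEN),
])

if __name__ == "__main__":
    print(inspect_post(SAMPLE_BODY, BOUNDARY))
```

Matching on member names rather than the upload's file name is the point: the stealer picks the outer name, but its own output format decides what is inside the archive.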
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
-
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
resource: behavioral1/files/0x0006000000013943-128.dat, -147.dat, -158.dat; yara_rule: WebBrowserPassView

Nirsoft 3 IoCs
resource: behavioral1/files/0x0006000000013943-128.dat, -147.dat, -158.dat; yara_rule: Nirsoft
Both NirSoft rules match the same dropped file object (0x0006000000013943): one bundled copy of WebBrowserPassView, a legitimate tool that stealers ship to dump saved browser credentials.

Vidar Stealer 2 IoCs
resource: behavioral1/memory/1668-221-0x0000000000850000-0x0000000000929000-memory.dmp, behavioral1/memory/1668-222-0x0000000000400000-0x0000000000539000-memory.dmp; yara_rule: family_vidar
PID 1668 is Sat0440a840bf678986a.exe (see the tree); it also reads CentralProcessor\0 in the registry and, on exit, runs a cmd that kills itself, deletes its own file and removes C:\ProgramData\*.dll, which matches Vidar's habit of cleaning up the helper DLLs it drops.

Packed with ASPack v2.12-2.42 (yara rule aspack_v212_v242) 6 IoCs
resource: behavioral1/files/0x00070000000138be-73.dat, -74.dat; 0x0006000000013902-71.dat, -72.dat; 0x0006000000013916-77.dat, -78.dat; yara_rule: aspack_v212_v242
Three distinct dropped files, each snapshotted twice.
Downloads MZ/PE file

Executes dropped EXE 30 IoCs
pid   Process
900   setup_installer.exe
1592  setup_install.exe
952   Sat0413d2f09b96ff.exe
1588  Sat049b33b1be29125.exe
948   Sat04951cf2a61625.exe
1580  Sat04091e9a4f.exe
1740  Sat04951cf2a61625.exe
304   Sat04d99657076.exe
1668  Sat0440a840bf678986a.exe
1820  Sat0475667e2de8c3.exe
2044  Sat047cc0debc59.exe
1868  Sat04e9d8f172e50.exe
988   Sat04582c0a08.exe
2040  Sat045fe73e29fa5e0b2.exe
296   Sat04cf04f0504c7.exe
812   Sat04efd3813d34d2686.exe
652   Sat04e9d8f172e50.exe
1184  Sat047cc0debc59.tmp
1744  Sat04cf04f0504c7.tmp
2052  Sat04cf04f0504c7.exe
2176  Sat04cf04f0504c7.tmp
2380  Tougay.exe
3024  e6ea2bd6-9916-41df-b676-76287cf1d488.exe
3040  Sat04582c0a08.exe
296   8f3c5b7c-c0e0-4596-b662-145c0d0bece6.exe
2112  qtoymJEFscwqYcQv2k1R0_YS.exe
2132  6f41454c-ac51-4758-8630-f0b938e89dd2.exe
1908  bcd37bd2-14b0-4f0f-84fa-0a96cfbde4df.exe
2528  5b0c9871-3eac-43ca-a73a-97ad52ce87f2.exe
2436  60B6.exe
Note the PID reuse: 296 is first Sat04cf04f0504c7.exe and later 8f3c5b7c-c0e0-4596-b662-145c0d0bece6.exe, so a PID on its own does not identify a process in this report; use PID plus image, or the procid_target values where given.
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\International\Geo\Nation, by Sat049b33b1be29125.exe (PID 1588). This is the same process that later crashed (WerFault -p 1588) and that dropped qtoymJEFscwqYcQv2k1R0_YS.exe under Pictures\Adobe Films.

Loads dropped DLL 64 IoCs
The sandbox caps this list at 64 entries; counts per process as listed:
736 b92625560c246d61a57b07fa793b92926260bdd983b04459f60ccd10c1cf63f2.exe (1); 900 setup_installer.exe (6); 1592 setup_install.exe (8); 1760, 616, 888, 1320, 1880, 1516, 1924, 1728 cmd.exe (1 each); 1332, 1264, 1156, 1460, 1468 cmd.exe (2 each); 1588 Sat049b33b1be29125.exe (2); 948 Sat04951cf2a61625.exe (3); 952 Sat0413d2f09b96ff.exe (2); 2044 Sat047cc0debc59.exe (3); 304 Sat04d99657076.exe (2); 1668 Sat0440a840bf678986a.exe (2); 296 Sat04cf04f0504c7.exe (2); 1740 Sat04951cf2a61625.exe (2); 1868 Sat04e9d8f172e50.exe (3); 2040 Sat045fe73e29fa5e0b2.exe (2); 1820 Sat0475667e2de8c3.exe (2); 988 Sat04582c0a08.exe (2); 812 Sat04efd3813d34d2686.exe (2); 652 Sat04e9d8f172e50.exe (2).
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flows 40 and 41: ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
PID 2132 6f41454c-ac51-4758-8630-f0b938e89dd2.exe (one of the five GUID-named executables dropped by Sat0475667e2de8c3.exe, PID 1820)

Suspicious use of SetThreadContext 2 IoCs
PID 1868 Sat04e9d8f172e50.exe set the thread context of PID 652 (procid_target 62)
PID 988 Sat04582c0a08.exe set the thread context of PID 3040 (procid_target 87)
In both cases the target is a freshly started second copy of the caller's own executable (see the tree), which is the usual shape of process hollowing: start self suspended, overwrite the image, SetThreadContext, resume. These two pairs are the real injection indicators in this report; the WriteProcessMemory list further down is mostly ordinary parent-to-child writes at process creation. The RedLine payload was found in the memory of PID 3040.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; nothing else in this run (stealers, a loader, no file encryption) supports that reading, and drive enumeration is also common in anti-VM checks and stealers looking for files to collect. Treat it as low confidence here.

Program crash 1 IoCs
WerFault.exe (PID 588) handled a crash of PID 1588, Sat049b33b1be29125.exe (procid_target 49).
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI: enumerated, opened and queried by Sat04d99657076.exe (PID 304)

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0, by Sat0440a840bf678986a.exe
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString, by Sat0440a840bf678986a.exe

Kills process with taskkill 2 IoCs
PID 2200 taskkill.exe (taskkill /im "Sat04e9d8f172e50.exe" /f, self-cleanup)
PID 2724 taskkill.exe (taskkill /f /im chrome.exe, run by Sat0413d2f09b96ff.exe before it reads browser data; a locked Chrome profile cannot be copied while the browser holds it open)

Modifies system certificate store 2 IoCs
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436, by Sat0413d2f09b96ff.exe
Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [certificate blob omitted], by Sat0413d2f09b96ff.exe
Caveat before using this as an IoC: the thumbprint matches the DigiCert Global Root CA, and on a Windows 7 image a write under AuthRoot by an ordinary process is typically the automatic root-certificate update triggered by that process's first TLS connection, not the malware installing a root of its own. Confirm the certificate subject before acting on it.

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
HTTP User-Agent header, flow 11: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 64 IoCs
304 Sat04d99657076.exe (2 entries); 1400 "Process not Found" (62 entries, the list is capped at 64). PID 1400 never appears in the process tree, so the sandbox could not attribute those enumerations to a tracked image.

Suspicious behavior: MapViewOfSection 1 IoCs
304 Sat04d99657076.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs
PID 952 Sat0413d2f09b96ff.exe (34 entries): SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, plus five privileges listed only by LUID (31, 32, 33, 34, 35). Requesting every privilege in one go, rather than the one the code needs, is an "enable everything" routine and is itself a usable detection feature.
SeDebugPrivilege: 2200 taskkill.exe; 988 Sat04582c0a08.exe; 2724 taskkill.exe; 1820 Sat0475667e2de8c3.exe; 676 powershell.exe; 1472 powershell.exe
SeShutdownPrivilege: 1400 Process not Found

Suspicious use of WriteProcessMemory 64 IoCs
Listed as parent wrote to child (procid_target), with the number of write events recorded; the list is capped at 64, so later spawns from 1592 are not shown.
736 b92625560c246d61a57b07fa793b92926260bdd983b04459f60ccd10c1cf63f2.exe -> 900 (27): 7 writes
900 setup_installer.exe -> 1592 (28): 7 writes
1592 setup_install.exe -> 1824 (30): 7 writes
1592 setup_install.exe -> 1508 (31): 7 writes
1592 setup_install.exe -> 1460 (32): 7 writes
1592 setup_install.exe -> 1320 (34): 7 writes
1592 setup_install.exe -> 1516 (33): 7 writes
1592 setup_install.exe -> 1156 (35): 7 writes
1592 setup_install.exe -> 1832 (36): 7 writes
1592 setup_install.exe -> 1468 (37): 1 write (list truncated)
Every entry here is a parent writing into a child it has just created, which is what the sandbox sees for any CreateProcess; it does not on its own show injection into unrelated processes. The SetThreadContext pairs above are the stronger signal.
Processes
Processes in behavioral1. Indentation shows the parent/child depth the sandbox reported; "cmd:" is the recorded command line where it adds anything beyond the image path; "tags:" are that process's signature hits. Note that every dropper runs from C:\Windows\SysWOW64 shells, i.e. the whole chain is 32-bit.

PID 736  C:\Users\Admin\AppData\Local\Temp\b92625560c246d61a57b07fa793b92926260bdd983b04459f60ccd10c1cf63f2.exe
    tags: Loads dropped DLL; Suspicious use of WriteProcessMemory
  PID 900  C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      tags: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    PID 1592  C:\Users\Admin\AppData\Local\Temp\7zS48361276\setup_install.exe
        tags: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      PID 1824  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        PID 676  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            tags: Suspicious use of AdjustPrivilegeToken
      PID 1508  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        PID 1472  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            tags: Suspicious use of AdjustPrivilegeToken
      PID 1460  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat04e9d8f172e50.exe /mixtwo
          tags: Loads dropped DLL
        PID 1868  C:\Users\Admin\AppData\Local\Temp\7zS48361276\Sat04e9d8f172e50.exe
            cmd: Sat04e9d8f172e50.exe /mixtwo
            tags: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext
          PID 652  C:\Users\Admin\AppData\Local\Temp\7zS48361276\Sat04e9d8f172e50.exe
              cmd: Sat04e9d8f172e50.exe /mixtwo
              tags: Executes dropped EXE; Loads dropped DLL
            PID 2120  C:\Windows\SysWOW64\cmd.exe
                cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im "Sat04e9d8f172e50.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS48361276\Sat04e9d8f172e50.exe" & exit
              PID 2200  C:\Windows\SysWOW64\taskkill.exe
                  cmd: taskkill /im "Sat04e9d8f172e50.exe" /f
                  tags: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      PID 1516  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat045fe73e29fa5e0b2.exe
          tags: Loads dropped DLL
        PID 2040  C:\Users\Admin\AppData\Local\Temp\7zS48361276\Sat045fe73e29fa5e0b2.exe
            tags: Executes dropped EXE; Loads dropped DLL
          PID 2392  C:\Windows\SysWOW64\control.exe
              cmd: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\JQOzcH.CPL",
            PID 2560  C:\Windows\SysWOW64\rundll32.exe
                cmd: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\JQOzcH.CPL",
      PID 1320  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat0475667e2de8c3.exe
          tags: Loads dropped DLL
        PID 1820  C:\Users\Admin\AppData\Local\Temp\7zS48361276\Sat0475667e2de8c3.exe
            tags: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
          PID 3024  C:\Users\Admin\AppData\Local\e6ea2bd6-9916-41df-b676-76287cf1d488.exe
              tags: Executes dropped EXE
          PID 296  C:\Users\Admin\AppData\Local\8f3c5b7c-c0e0-4596-b662-145c0d0bece6.exe
              tags: Executes dropped EXE
          PID 2132  C:\Users\Admin\AppData\Local\6f41454c-ac51-4758-8630-f0b938e89dd2.exe
              tags: Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger
          PID 1908  C:\Users\Admin\AppData\Local\bcd37bd2-14b0-4f0f-84fa-0a96cfbde4df.exe
              tags: Executes dropped EXE
          PID 2528  C:\Users\Admin\AppData\Local\5b0c9871-3eac-43ca-a73a-97ad52ce87f2.exe
              tags: Executes dropped EXE
      PID 1156  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat0440a840bf678986a.exe
          tags: Loads dropped DLL
        PID 1668  C:\Users\Admin\AppData\Local\Temp\7zS48361276\Sat0440a840bf678986a.exe
            tags: Executes dropped EXE; Loads dropped DLL; Checks processor information in registry
          PID 2212  C:\Windows\SysWOW64\cmd.exe
              cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im Sat0440a840bf678986a.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS48361276\Sat0440a840bf678986a.exe" & del C:\ProgramData\*.dll & exit
      PID 1832  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat0448d9fa84aca6c1.exe
          (no child process recorded for this command)
      PID 1468  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat04582c0a08.exe
          tags: Loads dropped DLL
        PID 988  C:\Users\Admin\AppData\Local\Temp\7zS48361276\Sat04582c0a08.exe
            tags: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken
          PID 3040  C:\Users\Admin\AppData\Local\Temp\7zS48361276\Sat04582c0a08.exe
              tags: Executes dropped EXE (RedLine YARA hit in memory)
      PID 1728  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat04efd3813d34d2686.exe
          tags: Loads dropped DLL
        PID 812  C:\Users\Admin\AppData\Local\Temp\7zS48361276\Sat04efd3813d34d2686.exe
            tags: Executes dropped EXE; Loads dropped DLL
          PID 2400  C:\Windows\SysWOW64\control.exe
              cmd: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\1S3Y.CPl",
            PID 2552  C:\Windows\SysWOW64\rundll32.exe
                cmd: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\1S3Y.CPl",
      PID 1760  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat0413d2f09b96ff.exe
          tags: Loads dropped DLL
        PID 952  C:\Users\Admin\AppData\Local\Temp\7zS48361276\Sat0413d2f09b96ff.exe
            tags: Executes dropped EXE; Loads dropped DLL; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken
          PID 2680  C:\Windows\SysWOW64\cmd.exe
              cmd: cmd.exe /c taskkill /f /im chrome.exe
            PID 2724  C:\Windows\SysWOW64\taskkill.exe
                cmd: taskkill /f /im chrome.exe
                tags: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      PID 616  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat04091e9a4f.exe
          tags: Loads dropped DLL
        PID 1580  C:\Users\Admin\AppData\Local\Temp\7zS48361276\Sat04091e9a4f.exe
            tags: Executes dropped EXE
      PID 1924  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat04cf04f0504c7.exe
          tags: Loads dropped DLL
        PID 296  C:\Users\Admin\AppData\Local\Temp\7zS48361276\Sat04cf04f0504c7.exe
            tags: Executes dropped EXE; Loads dropped DLL
          PID 1744  C:\Users\Admin\AppData\Local\Temp\is-UM2GP.tmp\Sat04cf04f0504c7.tmp
              cmd: "C:\Users\Admin\AppData\Local\Temp\is-UM2GP.tmp\Sat04cf04f0504c7.tmp" /SL5="$C0150,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS48361276\Sat04cf04f0504c7.exe"
              tags: Executes dropped EXE
            PID 2052  C:\Users\Admin\AppData\Local\Temp\7zS48361276\Sat04cf04f0504c7.exe
                cmd: "C:\Users\Admin\AppData\Local\Temp\7zS48361276\Sat04cf04f0504c7.exe" /SILENT
                tags: Executes dropped EXE
              PID 2176  C:\Users\Admin\AppData\Local\Temp\is-3OU4M.tmp\Sat04cf04f0504c7.tmp
                  cmd: "C:\Users\Admin\AppData\Local\Temp\is-3OU4M.tmp\Sat04cf04f0504c7.tmp" /SL5="$D0150,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS48361276\Sat04cf04f0504c7.exe" /SILENT
                  tags: Executes dropped EXE
      PID 1332  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat04951cf2a61625.exe
          tags: Loads dropped DLL
        PID 948  C:\Users\Admin\AppData\Local\Temp\7zS48361276\Sat04951cf2a61625.exe
            tags: Executes dropped EXE; Loads dropped DLL
          PID 1740  C:\Users\Admin\AppData\Local\Temp\7zS48361276\Sat04951cf2a61625.exe
              cmd: "C:\Users\Admin\AppData\Local\Temp\7zS48361276\Sat04951cf2a61625.exe" -u
              tags: Executes dropped EXE; Loads dropped DLL
      PID 1880  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat047cc0debc59.exe
          tags: Loads dropped DLL
        PID 2044  C:\Users\Admin\AppData\Local\Temp\7zS48361276\Sat047cc0debc59.exe
            tags: Executes dropped EXE; Loads dropped DLL
          PID 1184  C:\Users\Admin\AppData\Local\Temp\is-MKID2.tmp\Sat047cc0debc59.tmp
              cmd: "C:\Users\Admin\AppData\Local\Temp\is-MKID2.tmp\Sat047cc0debc59.tmp" /SL5="$20158,140047,56320,C:\Users\Admin\AppData\Local\Temp\7zS48361276\Sat047cc0debc59.exe"
              tags: Executes dropped EXE
            PID 2380  C:\Users\Admin\AppData\Local\Temp\is-DGESB.tmp\Tougay.exe
                cmd: "C:\Users\Admin\AppData\Local\Temp\is-DGESB.tmp\Tougay.exe" /S /UID=91
                tags: Executes dropped EXE
      PID 888  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat049b33b1be29125.exe
          tags: Loads dropped DLL
        PID 1588  C:\Users\Admin\AppData\Local\Temp\7zS48361276\Sat049b33b1be29125.exe
            tags: Executes dropped EXE; Checks computer location settings; Loads dropped DLL
          PID 2112  C:\Users\Admin\Pictures\Adobe Films\qtoymJEFscwqYcQv2k1R0_YS.exe
              tags: Executes dropped EXE
          PID 588  C:\Windows\SysWOW64\WerFault.exe
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 764
              tags: Program crash
      PID 1264  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c Sat04d99657076.exe
          tags: Loads dropped DLL
        PID 304  C:\Users\Admin\AppData\Local\Temp\7zS48361276\Sat04d99657076.exe
            tags: Executes dropped EXE; Loads dropped DLL; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection

PID 2836  C:\Windows\system32\rundll32.exe  (parent: wmiprvse.exe, PID 2484, not tracked in the tree)
    cmd: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    tags: Process spawned unexpected child process
  PID 2896  C:\Windows\SysWOW64\rundll32.exe
      cmd: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

PID 2436  C:\Users\Admin\AppData\Local\Temp\60B6.exe  (parent not tracked)
    tags: Executes dropped EXE
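Four things in this tree are worth turning into standing detections: the Defender-blinding PowerShell under PID 1592 (Set-MpPreference -DisableRealtimeMonitoring, Add-MpPreference -ExclusionPath), the wmiprvse.exe -> rundll32.exe spawn from the "Process spawned unexpected child process" signature, control.exe/rundll32 Control_RunDLL launching a .cpl out of %TEMP%, and the self-spawn followed by SetThreadContext (1868 -> 652, 988 -> 3040) from the "Suspicious use of SetThreadContext" signature. The Python below is an added example, not part of the sandbox report or its tooling, that encodes those as process-creation rules and runs them over events constructed from this tree (PIDs, images and command lines copied from it). The rule names, the table of unexpected parents, the extra browser names and the ProcEvent field layout are assumptions for the example.

```python
"""Process-creation triage rules modelled on the tree above (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str         # full path of the new process
    cmdline: str
    parent_image: str  # full path of the creating process


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


# Rule 1: parents that should not be spawning these children on a workstation.
# Assumption: this table is illustrative; tune it to your own telemetry.
UNEXPECTED_CHILDREN = {
    "wmiprvse.exe": {"rundll32.exe", "cmd.exe", "powershell.exe", "regsvr32.exe", "mshta.exe"},
}

# Rule 2: Defender changes that blind or disable protection (the exact switches
# used by PIDs 1824/676 and 1508/1472 in the tree).
DEFENDER_TAMPER = re.compile(
    r"(?:Set|Add)-MpPreference\b.*?(?:-DisableRealtimeMonitoring\s+\$?true"
    r"|-ExclusionPath\b|-SubmitSamplesConsent\s+NeverSend|-MAPSReporting\s+Disable)",
    re.IGNORECASE | re.DOTALL,
)

# Rule 3: a Control Panel applet executed out of the user's Temp directory.
CPL_FROM_TEMP = re.compile(r'\\AppData\\Local\\Temp\\[^"\s,]+\.cpl', re.IGNORECASE)

# Rule 4: a browser killed so its profile files can be read (chrome.exe is the
# case in the tree; the other names are assumptions).
KILL_BROWSER = re.compile(r'/im\s+"?(?:chrome|firefox|msedge)\.exe', re.IGNORECASE)


def evaluate(ev: ProcEvent) -> list[str]:
    """Return the names of the rules a single event matches."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    hits = []
    if child in UNEXPECTED_CHILDREN.get(parent, ()):
        hits.append(f"unexpected_child:{parent}->{child}")
    if DEFENDER_TAMPER.search(ev.cmdline):
        hits.append("defender_tamper")
    if child in {"control.exe", "rundll32.exe"} and CPL_FROM_TEMP.search(ev.cmdline):
        hits.append("cpl_from_temp")
    if child == "taskkill.exe" and KILL_BROWSER.search(ev.cmdline):
        hits.append("kills_browser")
    return hits


def scan(events) -> dict[int, list[str]]:
    """Map pid -> matched rules, omitting events that match nothing."""
    return {ev.pid: h for ev in events if (h := evaluate(ev))}


def self_spawns(events) -> set[tuple[int, int]]:
    """(ppid, pid) pairs where a process started a second copy of its own image."""
    return {(ev.ppid, ev.pid) for ev in events
            if ev.image.lower() == ev.parent_image.lower()}


def hollowing_candidates(events, set_thread_context) -> set[tuple[int, int]]:
    """Self-spawn whose child then had SetThreadContext called on it by the
    parent: the shape of 1868->652 and 988->3040 in the report."""
    return self_spawns(events) & set(set_thread_context)


T = r"C:\Users\Admin\AppData\Local\Temp"
W = r"C:\Windows\SysWOW64"
INSTALLER = T + r"\7zS48361276\setup_install.exe"

SAMPLE_EVENTS = [  # constructed from the report's process tree
    ProcEvent(900, 736, T + r"\setup_installer.exe", '"' + T + r'\setup_installer.exe"',
              T + r"\b92625560c246d61a57b07fa793b92926260bdd983b04459f60ccd10c1cf63f2.exe"),
    ProcEvent(1824, 1592, W + r"\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none "
              r"-NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true "
              r"-SubmitSamplesConsent NeverSend -MAPSReporting Disable", INSTALLER),
    ProcEvent(1472, 1508, W + r"\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -inputformat none -outputformat none -NonInteractive -Command '
              r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"', W + r"\cmd.exe"),
    ProcEvent(2560, 2392, W + r"\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL '
              r'"C:\Users\Admin\AppData\Local\Temp\JQOzcH.CPL",', W + r"\control.exe"),
    ProcEvent(2836, 2484, r"C:\Windows\system32\rundll32.exe",
              r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global',
              r"C:\Windows\system32\wbem\wmiprvse.exe"),
    ProcEvent(2724, 2680, W + r"\taskkill.exe", r"taskkill /f /im chrome.exe", W + r"\cmd.exe"),
    ProcEvent(652, 1868, T + r"\7zS48361276\Sat04e9d8f172e50.exe",
              r"Sat04e9d8f172e50.exe /mixtwo", T + r"\7zS48361276\Sat04e9d8f172e50.exe"),
    ProcEvent(3040, 988, T + r"\7zS48361276\Sat04582c0a08.exe",
              T + r"\7zS48361276\Sat04582c0a08.exe", T + r"\7zS48361276\Sat04582c0a08.exe"),
    ProcEvent(1740, 948, T + r"\7zS48361276\Sat04951cf2a61625.exe",
              '"' + T + r'\7zS48361276\Sat04951cf2a61625.exe" -u',
              T + r"\7zS48361276\Sat04951cf2a61625.exe"),
]
# API-level events from the SetThreadContext signature, as (caller pid, target pid).
SET_THREAD_CONTEXT = {(1868, 652), (988, 3040)}

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, hits)
    print("hollowing:", sorted(hollowing_candidates(SAMPLE_EVENTS, SET_THREAD_CONTEXT)))
```

The self-spawn rule alone also catches 948 -> 1740 (Sat04951cf2a61625.exe re-running itself with -u), which had no SetThreadContext call; requiring both the spawn and the API event is what separates the two hollowed children from an ordinary re-launch.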