Analysis

max time kernel: 152s
max time network: 177s
platform: windows7_x64
resource: win7-en-20211208
submitted: 20/12/2021, 14:05

Static task: static1
Behavioral task: behavioral1
Sample: c8b5b3ada57ad45e2907330003c5e0df0f5881dad8e0bffe7a048972d9bc817c.exe
Resource: win7-en-20211208
General

Target: c8b5b3ada57ad45e2907330003c5e0df0f5881dad8e0bffe7a048972d9bc817c.exe
Size: 6.4MB
MD5: 2a7590502178c2856cc9f14a257f2de8
SHA1: 76838b4358b814d5fb4048bc780356e95c612956
SHA256: c8b5b3ada57ad45e2907330003c5e0df0f5881dad8e0bffe7a048972d9bc817c
SHA512: 39374d3957e277bb3ac67b40b5e07a43327256ba9d06efb86ab59e6ff1995c1bbd3e527a88527aaddf890b450e0c24e2325c2e9e3cce30e975867bfdb7e6c992
Malware Config

Extracted: socelars
  http://www.biohazardgraphics.com/

Extracted: smokeloader
  2020
  http://rcacademy.at/upload/
  http://e-lanpengeonline.com/upload/
  http://vjcmvz.cn/upload/
  http://galala.ru/upload/
  http://witra.ru/upload/

Extracted: vidar
  49.1
  915
  https://noc.social/@sergeev46
  https://c.im/@sergeev47
  profile_id: 915
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 2 IoCs
resource | yara_rule
behavioral1/memory/2652-269-0x0000000000419336-mapping.dmp | family_redline
behavioral1/memory/2720-299-0x0000000000419336-mapping.dmp | family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload 1 IoCs
resource | yara_rule
behavioral1/files/0x0006000000013225-101.dat | family_socelars

suricata: ET MALWARE GCleaner Downloader Activity M5

suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
resource | yara_rule
behavioral1/files/0x0006000000013090-112.dat | WebBrowserPassView
behavioral1/files/0x0006000000013090-170.dat | WebBrowserPassView

Nirsoft 2 IoCs
resource | yara_rule
behavioral1/files/0x0006000000013090-112.dat | Nirsoft
behavioral1/files/0x0006000000013090-170.dat | Nirsoft

Vidar Stealer 2 IoCs
resource | yara_rule
behavioral1/memory/1780-220-0x0000000001E40000-0x0000000001F19000-memory.dmp | family_vidar
behavioral1/memory/1780-222-0x0000000000400000-0x0000000000539000-memory.dmp | family_vidar

(signature name not captured) 6 IoCs
resource | yara_rule
behavioral1/files/0x00060000000125e4-70.dat | aspack_v212_v242
behavioral1/files/0x00060000000125e4-71.dat | aspack_v212_v242
behavioral1/files/0x000800000001226a-72.dat | aspack_v212_v242
behavioral1/files/0x000800000001226a-73.dat | aspack_v212_v242
behavioral1/files/0x0006000000012608-76.dat | aspack_v212_v242
behavioral1/files/0x0006000000012608-77.dat | aspack_v212_v242

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | Tougay.exe

Executes dropped EXE 33 IoCs
pid | Process
652 | setup_installer.exe
1460 | setup_install.exe
1368 | Sat0028b1660366.exe
1592 | Sat001aa7b2efac304.exe
968 | Sat002529dc82e.exe
616 | Sat00834bcc8317.exe
1000 | Sat00341fe3c5fb.exe
1780 | Sat00c34ad37732.exe
724 | Sat00d44aabf63254180.exe
1912 | Sat00b30428872231f.exe
1516 | Sat00cf1b178aa9919.exe
1596 | Sat005ba53214084.exe
440 | Sat00d69b74c2.exe
1600 | Sat00341fe3c5fb.exe
1076 | Sat009e22e644.exe
1948 | Sat009173a870063a0e.exe
1060 | Sat0028b1660366.tmp
1920 | Sat009e22e644.tmp
672 | Sat009e22e644.exe
2060 | Sat009e22e644.tmp
2412 | Tougay.exe
2644 | Sat00834bcc8317.exe
2652 | Sat005ba53214084.exe
2776 | 1e4f6f40-bf4d-49f1-b2c7-84d8768591f3.exe
2816 | 03a65446-e97e-4978-9271-1f71341c0d24.exe
2864 | 4084e902-84f4-44a9-8be8-515d8d1a3c53.exe
2880 | d4037f37-288e-430e-bc01-f71a3fa4d923.exe
2912 | 90275538-c7a4-413b-ac3d-12e60595d73a.exe
2720 | Sat00834bcc8317.exe
1112 | 4333438.exe
440 | R_n9pz_alIW_4mE9Gg_SBFvj.exe
1292 | Litaenilaesha.exe
2876 | Nuvefaetura.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\International\Geo\Nation | Sat00cf1b178aa9919.exe

Loads dropped DLL 64 IoCs
pid | Process (consecutive repeated entries collapsed, count in parentheses)
1616 | c8b5b3ada57ad45e2907330003c5e0df0f5881dad8e0bffe7a048972d9bc817c.exe
652 | setup_installer.exe (x6)
1460 | setup_install.exe (x8)
1884 | cmd.exe
1520 | cmd.exe
1260 | cmd.exe
1368 | Sat0028b1660366.exe (x2)
1592 | Sat001aa7b2efac304.exe (x2)
1112 | cmd.exe (x2)
968 | Sat002529dc82e.exe (x2)
880 | cmd.exe (x2)
1532 | cmd.exe
884 | cmd.exe
1200 | cmd.exe
572 | cmd.exe
1336 | cmd.exe
572 | cmd.exe
1532 | cmd.exe
1336 | cmd.exe
616 | Sat00834bcc8317.exe (x2)
1000 | Sat00341fe3c5fb.exe (x2)
724 | Sat00d44aabf63254180.exe (x2)
1536 | cmd.exe
1780 | Sat00c34ad37732.exe (x2)
1596 | Sat005ba53214084.exe (x2)
1516 | Sat00cf1b178aa9919.exe (x2)
1000 | Sat00341fe3c5fb.exe
1904 | cmd.exe
1752 | cmd.exe
440 | Sat00d69b74c2.exe (x2)
1948 | Sat009173a870063a0e.exe (x2)
1076 | Sat009e22e644.exe (x2)
1600 | Sat00341fe3c5fb.exe (x2)
1076 | Sat009e22e644.exe
1368 | Sat0028b1660366.exe
1060 | Sat0028b1660366.tmp (x2)

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Microsoft Sync Framework\\Kelishukuqae.exe\"" | Tougay.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\218457123 = "C:\\Users\\Admin\\AppData\\Roaming\\23963189\\4296601542966015.exe" | 03a65446-e97e-4978-9271-1f71341c0d24.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
45 | ipinfo.io
46 | ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
2864 | 4084e902-84f4-44a9-8be8-515d8d1a3c53.exe

Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 1000 set thread context of 1600 | 1000 | Sat00341fe3c5fb.exe | 57
PID 1596 set thread context of 2652 | 1596 | Sat005ba53214084.exe | 80
PID 616 set thread context of 2720 | 616 | Sat00834bcc8317.exe | 82

Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft Sync Framework\Kelishukuqae.exe | Tougay.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\Kelishukuqae.exe.config | Tougay.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 1 IoCs
pid | pid_target | Process | procid_target
1260 | 1516 | WerFault.exe | 55

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Sat00d44aabf63254180.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Sat00d44aabf63254180.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Sat00d44aabf63254180.exe

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Sat00c34ad37732.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Sat00c34ad37732.exe

Delays execution with timeout.exe 1 IoCs
pid | Process
1848 | timeout.exe

Kills process with taskkill 3 IoCs
pid | Process
1848 | taskkill.exe
2348 | taskkill.exe
2996 | taskkill.exe

Modifies system certificate store 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | Sat00d69b74c2.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (value elided) | Sat00d69b74c2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
724 | Sat00d44aabf63254180.exe (x2)
1300 | Process not Found (x62)

Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
1300 | Process not Found
2060 | Sat009e22e644.tmp

Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
724 | Sat00d44aabf63254180.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs
description | pid | Process (consecutive repeated entries collapsed, count in parentheses)
Token: SeCreateTokenPrivilege | 440 | Sat00d69b74c2.exe
Token: SeAssignPrimaryTokenPrivilege | 440 | Sat00d69b74c2.exe
Token: SeLockMemoryPrivilege | 440 | Sat00d69b74c2.exe
Token: SeIncreaseQuotaPrivilege | 440 | Sat00d69b74c2.exe
Token: SeMachineAccountPrivilege | 440 | Sat00d69b74c2.exe
Token: SeTcbPrivilege | 440 | Sat00d69b74c2.exe
Token: SeSecurityPrivilege | 440 | Sat00d69b74c2.exe
Token: SeTakeOwnershipPrivilege | 440 | Sat00d69b74c2.exe
Token: SeLoadDriverPrivilege | 440 | Sat00d69b74c2.exe
Token: SeSystemProfilePrivilege | 440 | Sat00d69b74c2.exe
Token: SeSystemtimePrivilege | 440 | Sat00d69b74c2.exe
Token: SeProfSingleProcessPrivilege | 440 | Sat00d69b74c2.exe
Token: SeIncBasePriorityPrivilege | 440 | Sat00d69b74c2.exe
Token: SeCreatePagefilePrivilege | 440 | Sat00d69b74c2.exe
Token: SeCreatePermanentPrivilege | 440 | Sat00d69b74c2.exe
Token: SeBackupPrivilege | 440 | Sat00d69b74c2.exe
Token: SeRestorePrivilege | 440 | Sat00d69b74c2.exe
Token: SeShutdownPrivilege | 440 | Sat00d69b74c2.exe
Token: SeDebugPrivilege | 440 | Sat00d69b74c2.exe
Token: SeAuditPrivilege | 440 | Sat00d69b74c2.exe
Token: SeSystemEnvironmentPrivilege | 440 | Sat00d69b74c2.exe
Token: SeChangeNotifyPrivilege | 440 | Sat00d69b74c2.exe
Token: SeRemoteShutdownPrivilege | 440 | Sat00d69b74c2.exe
Token: SeUndockPrivilege | 440 | Sat00d69b74c2.exe
Token: SeSyncAgentPrivilege | 440 | Sat00d69b74c2.exe
Token: SeEnableDelegationPrivilege | 440 | Sat00d69b74c2.exe
Token: SeManageVolumePrivilege | 440 | Sat00d69b74c2.exe
Token: SeImpersonatePrivilege | 440 | Sat00d69b74c2.exe
Token: SeCreateGlobalPrivilege | 440 | Sat00d69b74c2.exe
Token: 31 | 440 | Sat00d69b74c2.exe
Token: 32 | 440 | Sat00d69b74c2.exe
Token: 33 | 440 | Sat00d69b74c2.exe
Token: 34 | 440 | Sat00d69b74c2.exe
Token: 35 | 440 | Sat00d69b74c2.exe
Token: SeShutdownPrivilege | 1300 | Process not Found (x4)
Token: SeDebugPrivilege | 1848 | taskkill.exe
Token: SeShutdownPrivilege | 1300 | Process not Found (x4)
Token: SeDebugPrivilege | 2348 | taskkill.exe
Token: SeDebugPrivilege | 1596 | Sat005ba53214084.exe
Token: SeDebugPrivilege | 616 | Sat00834bcc8317.exe
Token: SeDebugPrivilege | 968 | Sat002529dc82e.exe
Token: SeDebugPrivilege | 1376 | powershell.exe
Token: SeDebugPrivilege | 1696 | powershell.exe
Token: SeDebugPrivilege | 2996 | taskkill.exe
Token: SeDebugPrivilege | 2912 | 90275538-c7a4-413b-ac3d-12e60595d73a.exe
Token: SeShutdownPrivilege | 1300 | Process not Found (x2)
Token: SeDebugPrivilege | 2776 | 1e4f6f40-bf4d-49f1-b2c7-84d8768591f3.exe
Token: SeDebugPrivilege | 2720 | Sat00834bcc8317.exe
Token: SeDebugPrivilege | 2652 | Sat005ba53214084.exe
Token: SeShutdownPrivilege | 1300 | Process not Found
Token: SeDebugPrivilege | 1260 | WerFault.exe

Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
1300 | Process not Found (x2)

Suspicious use of SendNotifyMessage 2 IoCs
pid | Process
1300 | Process not Found (x2)

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (consecutive repeated entries collapsed, count in parentheses)
PID 1616 wrote to memory of 652 | 1616 | c8b5b3ada57ad45e2907330003c5e0df0f5881dad8e0bffe7a048972d9bc817c.exe | 27 (x7)
PID 652 wrote to memory of 1460 | 652 | setup_installer.exe | 28 (x7)
PID 1460 wrote to memory of 1828 | 1460 | setup_install.exe | 30 (x7)
PID 1460 wrote to memory of 1056 | 1460 | setup_install.exe | 31 (x7)
PID 1460 wrote to memory of 1536 | 1460 | setup_install.exe | 37 (x7)
PID 1460 wrote to memory of 1532 | 1460 | setup_install.exe | 32 (x7)
PID 1460 wrote to memory of 1520 | 1460 | setup_install.exe | 33 (x7)
PID 1460 wrote to memory of 1200 | 1460 | setup_install.exe | 36 (x7)
PID 1460 wrote to memory of 988 | 1460 | setup_install.exe | 34 (x7)
PID 1460 wrote to memory of 1904 | 1460 | setup_install.exe | 35
Processes
(process tree; indentation shows parent/child depth, each entry gives image path, PID, command line and the signatures that fired on it)

C:\Users\Admin\AppData\Local\Temp\c8b5b3ada57ad45e2907330003c5e0df0f5881dad8e0bffe7a048972d9bc817c.exe  (PID 1616)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\c8b5b3ada57ad45e2907330003c5e0df0f5881dad8e0bffe7a048972d9bc817c.exe"
  signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\setup_installer.exe  (PID 652)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\7zSC826D226\setup_install.exe  (PID 1460)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\7zSC826D226\setup_install.exe"
      signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe  (PID 1828)
        cmdline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1696)
          cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          signatures: Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\cmd.exe  (PID 1056)
        cmdline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1376)
          cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          signatures: Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\cmd.exe  (PID 1532)
        cmdline: C:\Windows\system32\cmd.exe /c Sat00c34ad37732.exe
        signatures: Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zSC826D226\Sat00c34ad37732.exe  (PID 1780)
          cmdline: Sat00c34ad37732.exe
          signatures: Executes dropped EXE; Loads dropped DLL; Checks processor information in registry
          C:\Windows\SysWOW64\cmd.exe  (PID 2836)
            cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im Sat00c34ad37732.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSC826D226\Sat00c34ad37732.exe" & del C:\ProgramData\*.dll & exit
            C:\Windows\SysWOW64\taskkill.exe  (PID 2996)
              cmdline: taskkill /im Sat00c34ad37732.exe /f
              signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\timeout.exe  (PID 1848)
              cmdline: timeout /t 6
              signatures: Delays execution with timeout.exe
      C:\Windows\SysWOW64\cmd.exe  (PID 1520)
        cmdline: C:\Windows\system32\cmd.exe /c Sat001aa7b2efac304.exe
        signatures: Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zSC826D226\Sat001aa7b2efac304.exe  (PID 1592)
          cmdline: Sat001aa7b2efac304.exe
          signatures: Executes dropped EXE; Loads dropped DLL
          C:\Windows\SysWOW64\msiexec.exe  (PID 2364)
            cmdline: "C:\Windows\System32\msiexec.exe" /y .\O4ZWUyCC.BN
      C:\Windows\SysWOW64\cmd.exe  (PID 988)
        cmdline: C:\Windows\system32\cmd.exe /c Sat0017e38210d427.exe
      C:\Windows\SysWOW64\cmd.exe  (PID 1904)
        cmdline: C:\Windows\system32\cmd.exe /c Sat009e22e644.exe
        signatures: Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zSC826D226\Sat009e22e644.exe  (PID 1076)
          cmdline: Sat009e22e644.exe
          signatures: Executes dropped EXE; Loads dropped DLL
          C:\Users\Admin\AppData\Local\Temp\is-JPIDN.tmp\Sat009e22e644.tmp  (PID 1920)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\is-JPIDN.tmp\Sat009e22e644.tmp" /SL5="$4011C,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zSC826D226\Sat009e22e644.exe"
            signatures: Executes dropped EXE
            C:\Users\Admin\AppData\Local\Temp\7zSC826D226\Sat009e22e644.exe  (PID 672)
              cmdline: "C:\Users\Admin\AppData\Local\Temp\7zSC826D226\Sat009e22e644.exe" /SILENT
              signatures: Executes dropped EXE
              C:\Users\Admin\AppData\Local\Temp\is-7STJH.tmp\Sat009e22e644.tmp  (PID 2060)
                cmdline: "C:\Users\Admin\AppData\Local\Temp\is-7STJH.tmp\Sat009e22e644.tmp" /SL5="$110156,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zSC826D226\Sat009e22e644.exe" /SILENT
                signatures: Executes dropped EXE; Suspicious behavior: GetForegroundWindowSpam
      C:\Windows\SysWOW64\cmd.exe  (PID 1200)
        cmdline: C:\Windows\system32\cmd.exe /c Sat00b30428872231f.exe
        signatures: Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zSC826D226\Sat00b30428872231f.exe  (PID 1912)
          cmdline: Sat00b30428872231f.exe
          signatures: Executes dropped EXE
      C:\Windows\SysWOW64\cmd.exe  (PID 1536)
        cmdline: C:\Windows\system32\cmd.exe /c Sat00d69b74c2.exe
        signatures: Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zSC826D226\Sat00d69b74c2.exe  (PID 440)
          cmdline: Sat00d69b74c2.exe
          signatures: Executes dropped EXE; Loads dropped DLL; Modifies system certificate store; Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\cmd.exe  (PID 2316)
            cmdline: cmd.exe /c taskkill /f /im chrome.exe
            C:\Windows\SysWOW64\taskkill.exe  (PID 2348)
              cmdline: taskkill /f /im chrome.exe
              signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\cmd.exe  (PID 1752)
        cmdline: C:\Windows\system32\cmd.exe /c Sat009173a870063a0e.exe
        signatures: Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zSC826D226\Sat009173a870063a0e.exe  (PID 1948)
          cmdline: Sat009173a870063a0e.exe
          signatures: Executes dropped EXE; Loads dropped DLL
      C:\Windows\SysWOW64\cmd.exe  (PID 880)
        cmdline: C:\Windows\system32\cmd.exe /c Sat00834bcc8317.exe
        signatures: Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zSC826D226\Sat00834bcc8317.exe  (PID 616)
          cmdline: Sat00834bcc8317.exe
          signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken
          C:\Users\Admin\AppData\Local\Temp\7zSC826D226\Sat00834bcc8317.exe  (PID 2644)
            cmdline: C:\Users\Admin\AppData\Local\Temp\7zSC826D226\Sat00834bcc8317.exe
            signatures: Executes dropped EXE
          C:\Users\Admin\AppData\Local\Temp\7zSC826D226\Sat00834bcc8317.exe  (PID 2720)
            cmdline: C:\Users\Admin\AppData\Local\Temp\7zSC826D226\Sat00834bcc8317.exe
            signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\cmd.exe  (PID 572)
        cmdline: C:\Windows\system32\cmd.exe /c Sat00d44aabf63254180.exe
        signatures: Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zSC826D226\Sat00d44aabf63254180.exe  (PID 724)
          cmdline: Sat00d44aabf63254180.exe
          signatures: Executes dropped EXE; Loads dropped DLL; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
      C:\Windows\SysWOW64\cmd.exe  (PID 1884)
        cmdline: C:\Windows\system32\cmd.exe /c Sat0028b1660366.exe
        signatures: Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zSC826D226\Sat0028b1660366.exe  (PID 1368)
          cmdline: Sat0028b1660366.exe
          signatures: Executes dropped EXE; Loads dropped DLL
          C:\Users\Admin\AppData\Local\Temp\is-P0HNQ.tmp\Sat0028b1660366.tmp  (PID 1060)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\is-P0HNQ.tmp\Sat0028b1660366.tmp" /SL5="$40122,140047,56320,C:\Users\Admin\AppData\Local\Temp\7zSC826D226\Sat0028b1660366.exe"
            signatures: Executes dropped EXE; Loads dropped DLL
            C:\Users\Admin\AppData\Local\Temp\is-EGJFE.tmp\Tougay.exe  (PID 2412)
              cmdline: "C:\Users\Admin\AppData\Local\Temp\is-EGJFE.tmp\Tougay.exe" /S /UID=91
              signatures: Drops file in Drivers directory; Executes dropped EXE; Adds Run key to start application; Drops file in Program Files directory
              C:\Users\Admin\AppData\Local\Temp\10-3e756-d50-aebb3-9674c1901db63\Litaenilaesha.exe  (PID 1292)
                cmdline: "C:\Users\Admin\AppData\Local\Temp\10-3e756-d50-aebb3-9674c1901db63\Litaenilaesha.exe"
                signatures: Executes dropped EXE
              C:\Users\Admin\AppData\Local\Temp\54-82e84-0c6-1d8b3-12fc9e29c330c\Nuvefaetura.exe  (PID 2876)
                cmdline: "C:\Users\Admin\AppData\Local\Temp\54-82e84-0c6-1d8b3-12fc9e29c330c\Nuvefaetura.exe"
                signatures: Executes dropped EXE
      C:\Windows\SysWOW64\cmd.exe  (PID 1260)
        cmdline: C:\Windows\system32\cmd.exe /c Sat002529dc82e.exe
        signatures: Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zSC826D226\Sat002529dc82e.exe  (PID 968)
          cmdline: Sat002529dc82e.exe
          signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of AdjustPrivilegeToken
          C:\Users\Admin\AppData\Local\1e4f6f40-bf4d-49f1-b2c7-84d8768591f3.exe  (PID 2776)
            cmdline: "C:\Users\Admin\AppData\Local\1e4f6f40-bf4d-49f1-b2c7-84d8768591f3.exe"
            signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
          C:\Users\Admin\AppData\Local\03a65446-e97e-4978-9271-1f71341c0d24.exe  (PID 2816)
            cmdline: "C:\Users\Admin\AppData\Local\03a65446-e97e-4978-9271-1f71341c0d24.exe"
            signatures: Executes dropped EXE; Adds Run key to start application
            C:\Users\Admin\AppData\Roaming\23963189\4296601542966015.exe  (PID 2140)
              cmdline: "C:\Users\Admin\AppData\Roaming\23963189\4296601542966015.exe"
          C:\Users\Admin\AppData\Local\4084e902-84f4-44a9-8be8-515d8d1a3c53.exe  (PID 2864)
            cmdline: "C:\Users\Admin\AppData\Local\4084e902-84f4-44a9-8be8-515d8d1a3c53.exe"
            signatures: Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger
            C:\Program Files\Internet Explorer\iexplore.exe  (PID 1828)
              cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=4084e902-84f4-44a9-8be8-515d8d1a3c53.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
          C:\Users\Admin\AppData\Local\d4037f37-288e-430e-bc01-f71a3fa4d923.exe  (PID 2880)
            cmdline: "C:\Users\Admin\AppData\Local\d4037f37-288e-430e-bc01-f71a3fa4d923.exe"
            signatures: Executes dropped EXE
          C:\Users\Admin\AppData\Local\90275538-c7a4-413b-ac3d-12e60595d73a.exe  (PID 2912)
            cmdline: "C:\Users\Admin\AppData\Local\90275538-c7a4-413b-ac3d-12e60595d73a.exe"
            signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
            C:\Users\Admin\AppData\Roaming\4333438.exe  (PID 1112)
              cmdline: "C:\Users\Admin\AppData\Roaming\4333438.exe"
              signatures: Executes dropped EXE
              C:\Windows\SysWOW64\control.exe  (PID 572)
                cmdline: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                C:\Windows\SysWOW64\rundll32.exe  (PID 852)
                  cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                  C:\Windows\system32\RunDll32.exe  (PID 1336)
                    cmdline: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                    C:\Windows\SysWOW64\rundll32.exe  (PID 956)
                      cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
      C:\Windows\SysWOW64\cmd.exe  (PID 1336)
        cmdline: C:\Windows\system32\cmd.exe /c Sat005ba53214084.exe
        signatures: Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zSC826D226\Sat005ba53214084.exe  (PID 1596)
          cmdline: Sat005ba53214084.exe
          signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken
          C:\Users\Admin\AppData\Local\Temp\7zSC826D226\Sat005ba53214084.exe  (PID 2652)
            cmdline: C:\Users\Admin\AppData\Local\Temp\7zSC826D226\Sat005ba53214084.exe
            signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\cmd.exe  (PID 884)
        cmdline: C:\Windows\system32\cmd.exe /c Sat00cf1b178aa9919.exe
        signatures: Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zSC826D226\Sat00cf1b178aa9919.exe  (PID 1516)
          cmdline: Sat00cf1b178aa9919.exe
          signatures: Executes dropped EXE; Checks computer location settings; Loads dropped DLL
          C:\Users\Admin\Pictures\Adobe Films\R_n9pz_alIW_4mE9Gg_SBFvj.exe  (PID 440)
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\R_n9pz_alIW_4mE9Gg_SBFvj.exe"
            signatures: Executes dropped EXE
          C:\Windows\SysWOW64\WerFault.exe  (PID 1260)
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 768
            signatures: Program crash; Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\cmd.exe  (PID 1112)
        cmdline: C:\Windows\system32\cmd.exe /c Sat00341fe3c5fb.exe /mixtwo
        signatures: Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zSC826D226\Sat00341fe3c5fb.exe  (PID 1000)
          cmdline: Sat00341fe3c5fb.exe /mixtwo
          signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext
          C:\Users\Admin\AppData\Local\Temp\7zSC826D226\Sat00341fe3c5fb.exe  (PID 1600)
            cmdline: Sat00341fe3c5fb.exe /mixtwo
            signatures: Executes dropped EXE; Loads dropped DLL
            C:\Windows\SysWOW64\cmd.exe  (PID 1296)
              cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "Sat00341fe3c5fb.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSC826D226\Sat00341fe3c5fb.exe" & exit
              C:\Windows\SysWOW64\taskkill.exe  (PID 1848)
                cmdline: taskkill /im "Sat00341fe3c5fb.exe" /f
                signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken