Analysis
max time kernel: 44s
max time network: 157s
platform: windows7_x64
resource: win7-en-20211208
submitted: 20/12/2021, 15:01
Static task: static1
Behavioral task: behavioral1
Sample: b5e07ffa7b0fd520f763a7580528c84f.exe
Resource: win7-en-20211208
General
Target: b5e07ffa7b0fd520f763a7580528c84f.exe
Size: 6.8MB
MD5: b5e07ffa7b0fd520f763a7580528c84f
SHA1: cb255fabb58ccb3d0a3354241f1300b85d5ab7a7
SHA256: 98b744289399d40bee96ceada3e8a187627ca9d09e4815078b83762ae78cedfb
SHA512: 8276c31784a04b291f96d220440721f32503fb60f757fa6bc2cd02441a6952961689e676664d46dae080c5152640304df73400f809a95216d4c48121540fcf15
Malware Config

Extracted: socelars
  http://www.biohazardgraphics.com/

Extracted: redline
  media18n
  65.108.69.168:13293

Extracted: redline
  v3user1
  159.69.246.184:13127

Extracted: vidar
  49.1
  915
  https://noc.social/@sergeev46
  https://c.im/@sergeev47
  profile_id: 915

Extracted: smokeloader
  2020
  http://rcacademy.at/upload/
  http://e-lanpengeonline.com/upload/
  http://vjcmvz.cn/upload/
  http://galala.ru/upload/
  http://witra.ru/upload/
Signatures

Process spawned unexpected child process  1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description                                                                          pid   pid_target  Process       procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2660  1712        rundll32.exe  54
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload  10 IoCs
resource                                                                      yara_rule
behavioral1/memory/1904-212-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
behavioral1/memory/1660-211-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
behavioral1/memory/1904-215-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
behavioral1/memory/1660-214-0x0000000000419336-mapping.dmp                    family_redline
behavioral1/memory/1660-213-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
behavioral1/memory/1660-209-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
behavioral1/memory/1660-218-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
behavioral1/memory/1904-217-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
behavioral1/memory/1904-220-0x0000000000419336-mapping.dmp                    family_redline
behavioral1/memory/1904-222-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload  5 IoCs
resource                                      yara_rule
behavioral1/files/0x000700000001262d-102.dat  family_socelars
behavioral1/files/0x000700000001262d-171.dat  family_socelars
behavioral1/files/0x000700000001262d-173.dat  family_socelars
behavioral1/files/0x000700000001262d-181.dat  family_socelars
behavioral1/files/0x000700000001262d-180.dat  family_socelars

Vidar Stealer  2 IoCs
resource                                                                      yara_rule
behavioral1/memory/2896-364-0x00000000022C0000-0x0000000002399000-memory.dmp  family_vidar
behavioral1/memory/2896-365-0x0000000000400000-0x000000000088B000-memory.dmp  family_vidar

resource                                     yara_rule
behavioral1/files/0x0006000000013327-70.dat  aspack_v212_v242
behavioral1/files/0x0006000000013327-71.dat  aspack_v212_v242
behavioral1/files/0x000600000001330a-72.dat  aspack_v212_v242
behavioral1/files/0x000600000001330a-73.dat  aspack_v212_v242
behavioral1/files/0x0006000000013413-77.dat  aspack_v212_v242
behavioral1/files/0x0006000000013413-76.dat  aspack_v212_v242
Downloads MZ/PE file

Executes dropped EXE  14 IoCs
pid   Process
596   setup_installer.exe
576   setup_install.exe
1568  Fri166bb32b321cb.exe
932   Fri160a13ed0cc30f79.exe
2020  Fri164c727b138e8e5.exe
1740  Fri16fd01fcb8a6c.exe
1704  Fri167e14a5b3d5dc.exe
472   Fri160a13ed0cc30f79.exe
1824  Fri16001824e7621ef.exe
1660  Fri16fd01fcb8a6c.exe
1904  Fri164c727b138e8e5.exe
2192  Fri165bcbc7f8b.exe
2232  Fri165bcbc7f8b.tmp
2252  bae1e0f5-64c1-4245-9c7e-300514dbc509.exe

Loads dropped DLL  53 IoCs
pid   Process
812   b5e07ffa7b0fd520f763a7580528c84f.exe
596   setup_installer.exe
596   setup_installer.exe
596   setup_installer.exe
596   setup_installer.exe
596   setup_installer.exe
596   setup_installer.exe
576   setup_install.exe
576   setup_install.exe
576   setup_install.exe
576   setup_install.exe
576   setup_install.exe
576   setup_install.exe
576   setup_install.exe
576   setup_install.exe
860   cmd.exe
1628  cmd.exe
1568  Fri166bb32b321cb.exe
1568  Fri166bb32b321cb.exe
1628  cmd.exe
1792  cmd.exe
1792  cmd.exe
1928  cmd.exe
1928  cmd.exe
840   cmd.exe
932   Fri160a13ed0cc30f79.exe
932   Fri160a13ed0cc30f79.exe
932   Fri160a13ed0cc30f79.exe
2020  Fri164c727b138e8e5.exe
2020  Fri164c727b138e8e5.exe
1740  Fri16fd01fcb8a6c.exe
1740  Fri16fd01fcb8a6c.exe
1704  Fri167e14a5b3d5dc.exe
1704  Fri167e14a5b3d5dc.exe
472   Fri160a13ed0cc30f79.exe
472   Fri160a13ed0cc30f79.exe
1752  cmd.exe
1824  Fri16001824e7621ef.exe
1824  Fri16001824e7621ef.exe
484   msiexec.exe
1740  Fri16fd01fcb8a6c.exe
2020  Fri164c727b138e8e5.exe
1660  Fri16fd01fcb8a6c.exe
1660  Fri16fd01fcb8a6c.exe
1904  Fri164c727b138e8e5.exe
1904  Fri164c727b138e8e5.exe
1228  cmd.exe
2192  Fri165bcbc7f8b.exe
2192  Fri165bcbc7f8b.exe
2192  Fri165bcbc7f8b.exe
1568  Fri166bb32b321cb.exe
2252  bae1e0f5-64c1-4245-9c7e-300514dbc509.exe
2252  bae1e0f5-64c1-4245-9c7e-300514dbc509.exe
Reads user/profile data of web browsers  2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2  1 TTPs

Looks up external IP address via web service  1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
53    ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext  3 IoCs
description                            pid   Process                  procid_target
PID 932 set thread context of 472      932   Fri160a13ed0cc30f79.exe  47
PID 1740 set thread context of 1660    1740  Fri16fd01fcb8a6c.exe     57
PID 2020 set thread context of 1904    2020  Fri164c727b138e8e5.exe   58
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Kills process with taskkill  2 IoCs
pid   Process
108   taskkill.exe
1200  taskkill.exe

Modifies system certificate store
description       ioc                                                                                                                              Process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436          Fri16001824e7621ef.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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  Fri16001824e7621ef.exe
Suspicious behavior: EnumeratesProcesses  2 IoCs
pid   Process
1724  powershell.exe
1936  powershell.exe
Suspicious use of AdjustPrivilegeToken  41 IoCs
description                           pid   Process
Token: SeCreateTokenPrivilege         1824  Fri16001824e7621ef.exe
Token: SeAssignPrimaryTokenPrivilege  1824  Fri16001824e7621ef.exe
Token: SeLockMemoryPrivilege          1824  Fri16001824e7621ef.exe
Token: SeIncreaseQuotaPrivilege       1824  Fri16001824e7621ef.exe
Token: SeMachineAccountPrivilege      1824  Fri16001824e7621ef.exe
Token: SeTcbPrivilege                 1824  Fri16001824e7621ef.exe
Token: SeSecurityPrivilege            1824  Fri16001824e7621ef.exe
Token: SeTakeOwnershipPrivilege       1824  Fri16001824e7621ef.exe
Token: SeLoadDriverPrivilege          1824  Fri16001824e7621ef.exe
Token: SeSystemProfilePrivilege       1824  Fri16001824e7621ef.exe
Token: SeSystemtimePrivilege          1824  Fri16001824e7621ef.exe
Token: SeProfSingleProcessPrivilege   1824  Fri16001824e7621ef.exe
Token: SeIncBasePriorityPrivilege     1824  Fri16001824e7621ef.exe
Token: SeCreatePagefilePrivilege      1824  Fri16001824e7621ef.exe
Token: SeCreatePermanentPrivilege     1824  Fri16001824e7621ef.exe
Token: SeBackupPrivilege              1824  Fri16001824e7621ef.exe
Token: SeRestorePrivilege             1824  Fri16001824e7621ef.exe
Token: SeShutdownPrivilege            1824  Fri16001824e7621ef.exe
Token: SeDebugPrivilege               1824  Fri16001824e7621ef.exe
Token: SeAuditPrivilege               1824  Fri16001824e7621ef.exe
Token: SeSystemEnvironmentPrivilege   1824  Fri16001824e7621ef.exe
Token: SeChangeNotifyPrivilege        1824  Fri16001824e7621ef.exe
Token: SeRemoteShutdownPrivilege      1824  Fri16001824e7621ef.exe
Token: SeUndockPrivilege              1824  Fri16001824e7621ef.exe
Token: SeSyncAgentPrivilege           1824  Fri16001824e7621ef.exe
Token: SeEnableDelegationPrivilege    1824  Fri16001824e7621ef.exe
Token: SeManageVolumePrivilege        1824  Fri16001824e7621ef.exe
Token: SeImpersonatePrivilege         1824  Fri16001824e7621ef.exe
Token: SeCreateGlobalPrivilege        1824  Fri16001824e7621ef.exe
Token: 31                             1824  Fri16001824e7621ef.exe
Token: 32                             1824  Fri16001824e7621ef.exe
Token: 33                             1824  Fri16001824e7621ef.exe
Token: 34                             1824  Fri16001824e7621ef.exe
Token: 35                             1824  Fri16001824e7621ef.exe
Token: SeDebugPrivilege               2020  Fri164c727b138e8e5.exe
Token: SeDebugPrivilege               1740  Fri16fd01fcb8a6c.exe
Token: SeDebugPrivilege               108   taskkill.exe
Token: SeDebugPrivilege               1568  Fri166bb32b321cb.exe
Token: SeDebugPrivilege               1724  powershell.exe
Token: SeDebugPrivilege               1936  powershell.exe
Token: SeDebugPrivilege               1200  taskkill.exe
Suspicious use of WriteProcessMemory  64 IoCs
description                        pid  Process                               procid_target
PID 812 wrote to memory of 596     812  b5e07ffa7b0fd520f763a7580528c84f.exe  27
PID 812 wrote to memory of 596     812  b5e07ffa7b0fd520f763a7580528c84f.exe  27
PID 812 wrote to memory of 596     812  b5e07ffa7b0fd520f763a7580528c84f.exe  27
PID 812 wrote to memory of 596     812  b5e07ffa7b0fd520f763a7580528c84f.exe  27
PID 812 wrote to memory of 596     812  b5e07ffa7b0fd520f763a7580528c84f.exe  27
PID 812 wrote to memory of 596     812  b5e07ffa7b0fd520f763a7580528c84f.exe  27
PID 812 wrote to memory of 596     812  b5e07ffa7b0fd520f763a7580528c84f.exe  27
PID 596 wrote to memory of 576     596  setup_installer.exe                   28
PID 596 wrote to memory of 576     596  setup_installer.exe                   28
PID 596 wrote to memory of 576     596  setup_installer.exe                   28
PID 596 wrote to memory of 576     596  setup_installer.exe                   28
PID 596 wrote to memory of 576     596  setup_installer.exe                   28
PID 596 wrote to memory of 576     596  setup_installer.exe                   28
PID 596 wrote to memory of 576     596  setup_installer.exe                   28
PID 576 wrote to memory of 1216    576  setup_install.exe                     30
PID 576 wrote to memory of 1216    576  setup_install.exe                     30
PID 576 wrote to memory of 1216    576  setup_install.exe                     30
PID 576 wrote to memory of 1216    576  setup_install.exe                     30
PID 576 wrote to memory of 1216    576  setup_install.exe                     30
PID 576 wrote to memory of 1216    576  setup_install.exe                     30
PID 576 wrote to memory of 1216    576  setup_install.exe                     30
PID 576 wrote to memory of 1508    576  setup_install.exe                     31
PID 576 wrote to memory of 1508    576  setup_install.exe                     31
PID 576 wrote to memory of 1508    576  setup_install.exe                     31
PID 576 wrote to memory of 1508    576  setup_install.exe                     31
PID 576 wrote to memory of 1508    576  setup_install.exe                     31
PID 576 wrote to memory of 1508    576  setup_install.exe                     31
PID 576 wrote to memory of 1508    576  setup_install.exe                     31
PID 576 wrote to memory of 1752    576  setup_install.exe                     32
PID 576 wrote to memory of 1752    576  setup_install.exe                     32
PID 576 wrote to memory of 1752    576  setup_install.exe                     32
PID 576 wrote to memory of 1752    576  setup_install.exe                     32
PID 576 wrote to memory of 1752    576  setup_install.exe                     32
PID 576 wrote to memory of 1752    576  setup_install.exe                     32
PID 576 wrote to memory of 1752    576  setup_install.exe                     32
PID 576 wrote to memory of 860     576  setup_install.exe                     33
PID 576 wrote to memory of 860     576  setup_install.exe                     33
PID 576 wrote to memory of 860     576  setup_install.exe                     33
PID 576 wrote to memory of 860     576  setup_install.exe                     33
PID 576 wrote to memory of 860     576  setup_install.exe                     33
PID 576 wrote to memory of 860     576  setup_install.exe                     33
PID 576 wrote to memory of 860     576  setup_install.exe                     33
PID 576 wrote to memory of 1228    576  setup_install.exe                     34
PID 576 wrote to memory of 1228    576  setup_install.exe                     34
PID 576 wrote to memory of 1228    576  setup_install.exe                     34
PID 576 wrote to memory of 1228    576  setup_install.exe                     34
PID 576 wrote to memory of 1228    576  setup_install.exe                     34
PID 576 wrote to memory of 1228    576  setup_install.exe                     34
PID 576 wrote to memory of 1228    576  setup_install.exe                     34
PID 576 wrote to memory of 1628    576  setup_install.exe                     35
PID 576 wrote to memory of 1628    576  setup_install.exe                     35
PID 576 wrote to memory of 1628    576  setup_install.exe                     35
PID 576 wrote to memory of 1628    576  setup_install.exe                     35
PID 576 wrote to memory of 1628    576  setup_install.exe                     35
PID 576 wrote to memory of 1628    576  setup_install.exe                     35
PID 576 wrote to memory of 1628    576  setup_install.exe                     35
PID 576 wrote to memory of 840     576  setup_install.exe                     36
PID 576 wrote to memory of 840     576  setup_install.exe                     36
PID 576 wrote to memory of 840     576  setup_install.exe                     36
PID 576 wrote to memory of 840     576  setup_install.exe                     36
PID 576 wrote to memory of 840     576  setup_install.exe                     36
PID 576 wrote to memory of 840     576  setup_install.exe                     36
PID 576 wrote to memory of 840     576  setup_install.exe                     36
PID 576 wrote to memory of 1928    576  setup_install.exe                     37
Processes

Each entry is shown as [level] image path, followed by its command line, PID and the signatures attached to it; child processes are indented under their parent.

[1] C:\Users\Admin\AppData\Local\Temp\b5e07ffa7b0fd520f763a7580528c84f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b5e07ffa7b0fd520f763a7580528c84f.exe"
    PID: 812
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      PID: 596
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\setup_install.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\setup_install.exe"
        PID: 576
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          PID: 1216
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            PID: 1936
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          PID: 1508
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            PID: 1724
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Fri16001824e7621ef.exe
          PID: 1752
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\Fri16001824e7621ef.exe
            Command line: Fri16001824e7621ef.exe
            PID: 1824
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies system certificate store
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: cmd.exe /c taskkill /f /im chrome.exe
              PID: 1128
            [7] C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill /f /im chrome.exe
                PID: 1200
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Fri166bb32b321cb.exe
          PID: 860
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\Fri166bb32b321cb.exe
            Command line: Fri166bb32b321cb.exe
            PID: 1568
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\bae1e0f5-64c1-4245-9c7e-300514dbc509.exe
              Command line: "C:\Users\Admin\AppData\Local\bae1e0f5-64c1-4245-9c7e-300514dbc509.exe"
              PID: 2252
              - Executes dropped EXE
              - Loads dropped DLL
          [6] C:\Users\Admin\AppData\Local\3bdda50c-2f10-43de-9772-5112d3f64224.exe
              Command line: "C:\Users\Admin\AppData\Local\3bdda50c-2f10-43de-9772-5112d3f64224.exe"
              PID: 2296
            [7] C:\Users\Admin\AppData\Roaming\14156440\9463701778275007.exe
                Command line: "C:\Users\Admin\AppData\Roaming\14156440\9463701778275007.exe"
                PID: 2452
          [6] C:\Users\Admin\AppData\Local\73ca841e-4a84-46b6-accf-8c5c55198391.exe
              Command line: "C:\Users\Admin\AppData\Local\73ca841e-4a84-46b6-accf-8c5c55198391.exe"
              PID: 2396
            [7] C:\Program Files\Internet Explorer\iexplore.exe
                Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=73ca841e-4a84-46b6-accf-8c5c55198391.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
                PID: 2156
              [8] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2156 CREDAT:275457 /prefetch:2
                  PID: 980
          [6] C:\Users\Admin\AppData\Local\d7d9e682-9bb4-4f5a-8a43-1dadd2a2299e.exe
              Command line: "C:\Users\Admin\AppData\Local\d7d9e682-9bb4-4f5a-8a43-1dadd2a2299e.exe"
              PID: 2464
            [7] C:\Program Files\Internet Explorer\iexplore.exe
                Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=d7d9e682-9bb4-4f5a-8a43-1dadd2a2299e.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
                PID: 1484
              [8] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1484 CREDAT:275457 /prefetch:2
                  PID: 2000
          [6] C:\Users\Admin\AppData\Local\cd6b7444-8206-41b1-a4fc-18035cd8bc25.exe
              Command line: "C:\Users\Admin\AppData\Local\cd6b7444-8206-41b1-a4fc-18035cd8bc25.exe"
              PID: 2548
            [7] C:\Users\Admin\AppData\Roaming\5051421.exe
                Command line: "C:\Users\Admin\AppData\Roaming\5051421.exe"
                PID: 2092
              [8] C:\Windows\SysWOW64\control.exe
                  Command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                  PID: 1352
                [9] C:\Windows\SysWOW64\rundll32.exe
                    Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                    PID: 2352
                  [10] C:\Windows\system32\RunDll32.exe
                       Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                       PID: 2888
                    [11] C:\Windows\SysWOW64\rundll32.exe
                         Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                         PID: 2976
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Fri165bcbc7f8b.exe
          PID: 1228
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\Fri165bcbc7f8b.exe
            Command line: Fri165bcbc7f8b.exe
            PID: 2192
            - Executes dropped EXE
            - Loads dropped DLL
          [6] C:\Users\Admin\AppData\Local\Temp\is-VV892.tmp\Fri165bcbc7f8b.tmp
              Command line: "C:\Users\Admin\AppData\Local\Temp\is-VV892.tmp\Fri165bcbc7f8b.tmp" /SL5="$20186,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\Fri165bcbc7f8b.exe"
              PID: 2232
              - Executes dropped EXE
            [7] C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\Fri165bcbc7f8b.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\Fri165bcbc7f8b.exe" /SILENT
                PID: 2324
              [8] C:\Users\Admin\AppData\Local\Temp\is-D0QLV.tmp\Fri165bcbc7f8b.tmp
                  Command line: "C:\Users\Admin\AppData\Local\Temp\is-D0QLV.tmp\Fri165bcbc7f8b.tmp" /SL5="$30186,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\Fri165bcbc7f8b.exe" /SILENT
                  PID: 2412
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Fri160a13ed0cc30f79.exe /mixtwo
          PID: 1628
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\Fri160a13ed0cc30f79.exe
            Command line: Fri160a13ed0cc30f79.exe /mixtwo
            PID: 932
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
          [6] C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\Fri160a13ed0cc30f79.exe
              Command line: Fri160a13ed0cc30f79.exe /mixtwo
              PID: 472
              - Executes dropped EXE
              - Loads dropped DLL
            [7] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "Fri160a13ed0cc30f79.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\Fri160a13ed0cc30f79.exe" & exit
                PID: 1616
              [8] C:\Windows\SysWOW64\taskkill.exe
                  Command line: taskkill /im "Fri160a13ed0cc30f79.exe" /f
                  PID: 108
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Fri167e14a5b3d5dc.exe
          PID: 840
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\Fri167e14a5b3d5dc.exe
            Command line: Fri167e14a5b3d5dc.exe
            PID: 1704
            - Executes dropped EXE
            - Loads dropped DLL
          [6] C:\Windows\SysWOW64\msiexec.exe
              Command line: "C:\Windows\System32\msiexec.exe" -y .\l2RRL.WC
              PID: 484
              - Loads dropped DLL
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Fri164c727b138e8e5.exe
          PID: 1928
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\Fri164c727b138e8e5.exe
            Command line: Fri164c727b138e8e5.exe
            PID: 2020
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\Fri164c727b138e8e5.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\Fri164c727b138e8e5.exe
              PID: 1904
              - Executes dropped EXE
              - Loads dropped DLL
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Fri16fd01fcb8a6c.exe
          PID: 1792
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\Fri16fd01fcb8a6c.exe
            Command line: Fri16fd01fcb8a6c.exe
            PID: 1740
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\Fri16fd01fcb8a6c.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\Fri16fd01fcb8a6c.exe
              PID: 1660
              - Executes dropped EXE
              - Loads dropped DLL
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Fri16885ed77f383b.exe
          PID: 1964
        [5] C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\Fri16885ed77f383b.exe
            Command line: Fri16885ed77f383b.exe
            PID: 2872
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Fri16bd645415835b795.exe
          PID: 2780
        [5] C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\Fri16bd645415835b795.exe
            Command line: Fri16bd645415835b795.exe
            PID: 2884
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Fri16794d8e6c1f8.exe
          PID: 2804
        [5] C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\Fri16794d8e6c1f8.exe
            Command line: Fri16794d8e6c1f8.exe
            PID: 2920
          [6] C:\Windows\SysWOW64\control.exe
              Command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\UMtQ.cpL",
              PID: 2112
            [7] C:\Windows\SysWOW64\rundll32.exe
                Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\UMtQ.cpL",
                PID: 2272
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Fri1691e33fa9b0c.exe
          PID: 2820
        [5] C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\Fri1691e33fa9b0c.exe
            Command line: Fri1691e33fa9b0c.exe
            PID: 2896
          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im Fri1691e33fa9b0c.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\Fri1691e33fa9b0c.exe" & del C:\ProgramData\*.dll & exit
              PID: 2656
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Fri16a36a6a837.exe
          PID: 2904
        [5] C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\Fri16a36a6a837.exe
            Command line: Fri16a36a6a837.exe
            PID: 2952
          [6] C:\Users\Admin\AppData\Local\Temp\is-T7163.tmp\Fri16a36a6a837.tmp
              Command line: "C:\Users\Admin\AppData\Local\Temp\is-T7163.tmp\Fri16a36a6a837.tmp" /SL5="$10262,140047,56320,C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\Fri16a36a6a837.exe"
              PID: 3044
            [7] C:\Users\Admin\AppData\Local\Temp\is-8F0PB.tmp\Tougay.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\is-8F0PB.tmp\Tougay.exe" /S /UID=91
                PID: 2312
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Fri164a0149aa.exe
          PID: 2840
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Fri161c534d708b.exe
          PID: 2792

[1] C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\Fri164a0149aa.exe
    Command line: Fri164a0149aa.exe
    PID: 2960

[1] C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\Fri16885ed77f383b.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\Fri16885ed77f383b.exe" -u
    PID: 3016

[1] C:\Users\Admin\AppData\Local\Temp\7zS45217DC5\Fri161c534d708b.exe
    Command line: Fri161c534d708b.exe
    PID: 2856

[1] C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    PID: 2660
    - Process spawned unexpected child process
  [2] C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
      PID: 2668

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k SystemNetworkService
    PID: 676