Analysis
- max time kernel: 19s
- max time network: 149s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 20/12/2021, 15:01
Static task: static1
Behavioral task: behavioral1
Sample: b5e07ffa7b0fd520f763a7580528c84f.exe
Resource: win7-en-20211208
General
- Target: b5e07ffa7b0fd520f763a7580528c84f.exe
- Size: 6.8MB
- MD5: b5e07ffa7b0fd520f763a7580528c84f
- SHA1: cb255fabb58ccb3d0a3354241f1300b85d5ab7a7
- SHA256: 98b744289399d40bee96ceada3e8a187627ca9d09e4815078b83762ae78cedfb
- SHA512: 8276c31784a04b291f96d220440721f32503fb60f757fa6bc2cd02441a6952961689e676664d46dae080c5152640304df73400f809a95216d4c48121540fcf15
Malware Config

Extracted: socelars
- http://www.biohazardgraphics.com/

Extracted: redline
- media18n
- 65.108.69.168:13293

Extracted: redline
- v3user1
- 159.69.246.184:13127

Extracted: vidar
- 49.1
- 915
- https://noc.social/@sergeev46
- https://c.im/@sergeev47
- profile_id: 915

Extracted: smokeloader
- 2020
- http://rcacademy.at/upload/
- http://e-lanpengeonline.com/upload/
- http://vjcmvz.cn/upload/
- http://galala.ru/upload/
- http://witra.ru/upload/
Signatures

Process spawned unexpected child process (2 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
  description | pid | pid_target | Process | procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 368 | 4584 | rundll32.exe | 126
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5256 | 4584 | rundll32.exe | 126

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (4 IoCs)
  resource | yara_rule
  behavioral2/memory/1568-283-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
  behavioral2/memory/2868-286-0x0000000000419336-mapping.dmp | family_redline
  behavioral2/memory/1568-285-0x0000000000419336-mapping.dmp | family_redline
  behavioral2/memory/2868-284-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x000500000001ab26-177.dat | family_socelars
  behavioral2/files/0x000500000001ab26-145.dat | family_socelars

NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
  resource | yara_rule
  behavioral2/files/0x000500000001ab28-186.dat | WebBrowserPassView
  behavioral2/files/0x000500000001ab28-172.dat | WebBrowserPassView

Nirsoft (5 IoCs)
  resource | yara_rule
  behavioral2/files/0x000500000001ab28-186.dat | Nirsoft
  behavioral2/files/0x000500000001ab28-172.dat | Nirsoft
  behavioral2/memory/608-302-0x0000000000400000-0x0000000000455000-memory.dmp | Nirsoft
  behavioral2/files/0x000700000001ab64-301.dat | Nirsoft
  behavioral2/files/0x000700000001ab64-300.dat | Nirsoft

Vidar Stealer (2 IoCs)
  resource | yara_rule
  behavioral2/memory/1624-360-0x0000000000DC0000-0x0000000000E99000-memory.dmp | family_vidar
  behavioral2/memory/1624-370-0x0000000000400000-0x000000000088B000-memory.dmp | family_vidar

Yara rule aspack_v212_v242 (7 IoCs; the signature heading for this table is missing from the page)
  resource | yara_rule
  behavioral2/files/0x000600000001ab35-122.dat | aspack_v212_v242
  behavioral2/files/0x000600000001ab35-125.dat | aspack_v212_v242
  behavioral2/files/0x000600000001ab34-123.dat | aspack_v212_v242
  behavioral2/files/0x000600000001ab34-128.dat | aspack_v212_v242
  behavioral2/files/0x000600000001ab34-127.dat | aspack_v212_v242
  behavioral2/files/0x000600000001ab37-129.dat | aspack_v212_v242
  behavioral2/files/0x000600000001ab37-132.dat | aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE (23 IoCs)
  pid | Process
  2560 | setup_installer.exe
  2136 | setup_install.exe
  1136 | Fri166bb32b321cb.exe
  2144 | Fri16fd01fcb8a6c.exe
  3788 | Fri16001824e7621ef.exe
  3804 | Fri165bcbc7f8b.exe
  2908 | Fri161c534d708b.exe
  1284 | Fri160a13ed0cc30f79.exe
  1384 | 8f1e24f8-295e-45d5-ac74-e5fa8d421bad.exe
  1552 | Fri16a36a6a837.exe
  1516 | Fri16bd645415835b795.exe
  1624 | Fri1691e33fa9b0c.exe
  2192 | Fri16794d8e6c1f8.exe
  1888 | Fri16885ed77f383b.exe
  2060 | Fri167e14a5b3d5dc.exe
  2040 | Fri160a13ed0cc30f79.exe
  1528 | Fri164a0149aa.exe
  968 | Fri16a36a6a837.tmp
  3064 | Fri165bcbc7f8b.tmp
  2672 | Fri16885ed77f383b.exe
  1932 | Fri165bcbc7f8b.exe
  2280 | Fri165bcbc7f8b.tmp
  1360 | Tougay.exe

Loads dropped DLL (10 IoCs)
  pid | Process
  2136 | setup_install.exe (7 entries)
  968 | Fri16a36a6a837.tmp
  3064 | Fri165bcbc7f8b.tmp
  2280 | Fri165bcbc7f8b.tmp

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  26 | ip-api.com
  58 | ipinfo.io
  59 | ipinfo.io
  118 | ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 1284 set thread context of 2040 | 1284 | Fri160a13ed0cc30f79.exe | 88

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (3 IoCs)
  pid | Process
  4664 | taskkill.exe
  4064 | taskkill.exe
  3860 | taskkill.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  620 | powershell.exe
  1096 | powershell.exe

Suspicious use of AdjustPrivilegeToken (39 IoCs)
  description | pid | Process
  PID 3788 (Fri16001824e7621ef.exe) adjusted 34 tokens, one row each: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
  Token: SeDebugPrivilege | 2144 | Fri16fd01fcb8a6c.exe
  Token: SeDebugPrivilege | 1384 | 8f1e24f8-295e-45d5-ac74-e5fa8d421bad.exe
  Token: SeDebugPrivilege | 1136 | control.exe
  Token: SeDebugPrivilege | 1096 | powershell.exe
  Token: SeDebugPrivilege | 620 | powershell.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Each write appears three times in the raw table (64 rows in total); the entries column gives the number of occurrences of each row.
  description | pid | Process | procid_target | entries
  PID 3068 wrote to memory of 2560 | 3068 | b5e07ffa7b0fd520f763a7580528c84f.exe | 69 | 3
  PID 2560 wrote to memory of 2136 | 2560 | setup_installer.exe | 70 | 3
  PID 2136 wrote to memory of 1260 | 2136 | setup_install.exe | 73 | 3
  PID 2136 wrote to memory of 1132 | 2136 | setup_install.exe | 74 | 3
  PID 2136 wrote to memory of 2196 | 2136 | setup_install.exe | 75 | 3
  PID 2136 wrote to memory of 2272 | 2136 | setup_install.exe | 76 | 3
  PID 2136 wrote to memory of 3916 | 2136 | setup_install.exe | 107 | 3
  PID 2136 wrote to memory of 3488 | 2136 | setup_install.exe | 77 | 3
  PID 2136 wrote to memory of 1652 | 2136 | setup_install.exe | 106 | 3
  PID 2136 wrote to memory of 1752 | 2136 | setup_install.exe | 105 | 3
  PID 2272 wrote to memory of 1136 | 2272 | cmd.exe | 104 | 3
  PID 2136 wrote to memory of 2744 | 2136 | setup_install.exe | 78 | 3
  PID 2136 wrote to memory of 3044 | 2136 | setup_install.exe | 79 | 3
  PID 2136 wrote to memory of 3884 | 2136 | setup_install.exe | 103 | 3
  PID 1132 wrote to memory of 1096 | 1132 | cmd.exe | 80 | 3
  PID 1260 wrote to memory of 620 | 1260 | cmd.exe | 102 | 3
  PID 2744 wrote to memory of 2144 | 2744 | cmd.exe | 81 | 3
  PID 2136 wrote to memory of 3776 | 2136 | setup_install.exe | 101 | 3
  PID 2196 wrote to memory of 3788 | 2196 | cmd.exe | 82 | 3
  PID 2136 wrote to memory of 3168 | 2136 | setup_install.exe | 100 | 3
  PID 3916 wrote to memory of 3804 | 3916 | cmd.exe | 99 | 3
  PID 2136 wrote to memory of 1620 | 2136 | setup_install.exe | 83 | 1
Processes

- C:\Users\Admin\AppData\Local\Temp\b5e07ffa7b0fd520f763a7580528c84f.exe (PID 3068)
  command line: "C:\Users\Admin\AppData\Local\Temp\b5e07ffa7b0fd520f763a7580528c84f.exe"
  signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\setup_installer.exe (PID 2560)
    command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\setup_install.exe (PID 2136)
      command line: "C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\setup_install.exe"
      signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 1260)
        command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 620)
          command line: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\cmd.exe (PID 1132)
        command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1096)
          command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\cmd.exe (PID 2196)
        command line: C:\Windows\system32\cmd.exe /c Fri16001824e7621ef.exe
        signatures: Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri16001824e7621ef.exe (PID 3788)
          command line: Fri16001824e7621ef.exe
          signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
          - C:\Windows\SysWOW64\cmd.exe (PID 4700)
            command line: cmd.exe /c taskkill /f /im chrome.exe
            - C:\Windows\SysWOW64\taskkill.exe (PID 4064)
              command line: taskkill /f /im chrome.exe
              signatures: Kills process with taskkill
      - C:\Windows\SysWOW64\cmd.exe (PID 2272)
        command line: C:\Windows\system32\cmd.exe /c Fri166bb32b321cb.exe
        signatures: Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri166bb32b321cb.exe (PID 1136)
          command line: Fri166bb32b321cb.exe
          signatures: Executes dropped EXE
          - C:\Users\Admin\AppData\Local\62e36a9b-acf6-4058-bd13-d2926231bc6e.exe (PID 1196)
            command line: "C:\Users\Admin\AppData\Local\62e36a9b-acf6-4058-bd13-d2926231bc6e.exe"
          - C:\Users\Admin\AppData\Local\91f4f328-b5b5-4365-ac77-2c8184d6eeb5.exe (PID 3144)
            command line: "C:\Users\Admin\AppData\Local\91f4f328-b5b5-4365-ac77-2c8184d6eeb5.exe"
            - C:\Users\Admin\AppData\Roaming\6379627\7049811770498117.exe (PID 4268)
              command line: "C:\Users\Admin\AppData\Roaming\6379627\7049811770498117.exe"
          - C:\Users\Admin\AppData\Local\8f1e24f8-295e-45d5-ac74-e5fa8d421bad.exe (PID 1384)
            command line: "C:\Users\Admin\AppData\Local\8f1e24f8-295e-45d5-ac74-e5fa8d421bad.exe"
            signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
          - C:\Users\Admin\AppData\Local\4dd24cf7-5bfd-4fb8-af89-78c77ac7e977.exe (PID 2108)
            command line: "C:\Users\Admin\AppData\Local\4dd24cf7-5bfd-4fb8-af89-78c77ac7e977.exe"
          - C:\Users\Admin\AppData\Local\020b5b40-5a0c-48fd-87a5-8b8405f933fd.exe (PID 1616)
            command line: "C:\Users\Admin\AppData\Local\020b5b40-5a0c-48fd-87a5-8b8405f933fd.exe"
            - C:\Users\Admin\AppData\Roaming\7623806.exe (PID 4824)
              command line: "C:\Users\Admin\AppData\Roaming\7623806.exe"
              - C:\Windows\SysWOW64\control.exe (PID 1136)
                command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                signatures: Suspicious use of AdjustPrivilegeToken
                - C:\Windows\SysWOW64\rundll32.exe (PID 2416)
                  command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                  - C:\Windows\system32\RunDll32.exe (PID 1940)
                    command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                    - C:\Windows\SysWOW64\rundll32.exe (PID 3908)
                      command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
      - C:\Windows\SysWOW64\cmd.exe (PID 3488)
        command line: C:\Windows\system32\cmd.exe /c Fri160a13ed0cc30f79.exe /mixtwo
        - C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri160a13ed0cc30f79.exe (PID 1284)
          command line: Fri160a13ed0cc30f79.exe /mixtwo
          signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          - C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri160a13ed0cc30f79.exe (PID 2040)
            command line: Fri160a13ed0cc30f79.exe /mixtwo
            signatures: Executes dropped EXE
            - C:\Windows\SysWOW64\cmd.exe (PID 2856)
              command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "Fri160a13ed0cc30f79.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri160a13ed0cc30f79.exe" & exit
              - C:\Windows\SysWOW64\taskkill.exe (PID 4664)
                command line: taskkill /im "Fri160a13ed0cc30f79.exe" /f
                signatures: Kills process with taskkill
      - C:\Windows\SysWOW64\cmd.exe (PID 2744)
        command line: C:\Windows\system32\cmd.exe /c Fri16fd01fcb8a6c.exe
        signatures: Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri16fd01fcb8a6c.exe (PID 2144)
          command line: Fri16fd01fcb8a6c.exe
          signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
          - C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri16fd01fcb8a6c.exe (PID 2868)
            command line: C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri16fd01fcb8a6c.exe
      - C:\Windows\SysWOW64\cmd.exe (PID 3044)
        command line: C:\Windows\system32\cmd.exe /c Fri16885ed77f383b.exe
        - C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri16885ed77f383b.exe (PID 1888)
          command line: Fri16885ed77f383b.exe
          signatures: Executes dropped EXE
          - C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri16885ed77f383b.exe (PID 2672)
            command line: "C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri16885ed77f383b.exe" -u
            signatures: Executes dropped EXE
      - C:\Windows\SysWOW64\cmd.exe (PID 1620)
        command line: C:\Windows\system32\cmd.exe /c Fri1691e33fa9b0c.exe
        - C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri1691e33fa9b0c.exe (PID 1624)
          command line: Fri1691e33fa9b0c.exe
          signatures: Executes dropped EXE
          - C:\Windows\SysWOW64\cmd.exe (PID 828)
            command line: "C:\Windows\System32\cmd.exe" /c taskkill /im Fri1691e33fa9b0c.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri1691e33fa9b0c.exe" & del C:\ProgramData\*.dll & exit
            - C:\Windows\SysWOW64\taskkill.exe (PID 3860)
              command line: taskkill /im Fri1691e33fa9b0c.exe /f
              signatures: Kills process with taskkill
      - C:\Windows\SysWOW64\cmd.exe (PID 372)
        command line: C:\Windows\system32\cmd.exe /c Fri164a0149aa.exe
        - C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri164a0149aa.exe (PID 1528)
          command line: Fri164a0149aa.exe
          signatures: Executes dropped EXE
      - C:\Windows\SysWOW64\cmd.exe (PID 2552)
        command line: C:\Windows\system32\cmd.exe /c Fri16a36a6a837.exe
      - C:\Windows\SysWOW64\cmd.exe (PID 3168)
        command line: C:\Windows\system32\cmd.exe /c Fri16794d8e6c1f8.exe
      - C:\Windows\SysWOW64\cmd.exe (PID 3776)
        command line: C:\Windows\system32\cmd.exe /c Fri161c534d708b.exe
      - C:\Windows\SysWOW64\cmd.exe (PID 3884)
        command line: C:\Windows\system32\cmd.exe /c Fri16bd645415835b795.exe
      - C:\Windows\SysWOW64\cmd.exe (PID 1752)
        command line: C:\Windows\system32\cmd.exe /c Fri164c727b138e8e5.exe
      - C:\Windows\SysWOW64\cmd.exe (PID 1652)
        command line: C:\Windows\system32\cmd.exe /c Fri167e14a5b3d5dc.exe
      - C:\Windows\SysWOW64\cmd.exe (PID 3916)
        command line: C:\Windows\system32\cmd.exe /c Fri165bcbc7f8b.exe
        signatures: Suspicious use of WriteProcessMemory

- C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri164c727b138e8e5.exe (PID 1384)
  command line: Fri164c727b138e8e5.exe
  - C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri164c727b138e8e5.exe (PID 1568)
    command line: C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri164c727b138e8e5.exe

- C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri16794d8e6c1f8.exe (PID 2192)
  command line: Fri16794d8e6c1f8.exe
  signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\control.exe (PID 1328)
    command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\UMtQ.cpL",
    - C:\Windows\SysWOW64\rundll32.exe (PID 3904)
      command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\UMtQ.cpL",

- C:\Users\Admin\AppData\Local\Temp\is-TH3ST.tmp\Fri16a36a6a837.tmp (PID 968)
  command line: "C:\Users\Admin\AppData\Local\Temp\is-TH3ST.tmp\Fri16a36a6a837.tmp" /SL5="$30086,140047,56320,C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri16a36a6a837.exe"
  signatures: Executes dropped EXE; Loads dropped DLL
  - C:\Users\Admin\AppData\Local\Temp\is-98JG6.tmp\Tougay.exe (PID 1360)
    command line: "C:\Users\Admin\AppData\Local\Temp\is-98JG6.tmp\Tougay.exe" /S /UID=91
    signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\4a-4013c-7a1-6e1b5-a01e781eb2c69\Fujimarasi.exe (PID 4900)
      command line: "C:\Users\Admin\AppData\Local\Temp\4a-4013c-7a1-6e1b5-a01e781eb2c69\Fujimarasi.exe"
      - C:\Windows\System32\cmd.exe (PID 772)
        command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cqwkmssl.pkh\installer.exe /qn CAMPAIGN="654" & exit
        - C:\Users\Admin\AppData\Local\Temp\cqwkmssl.pkh\installer.exe (PID 5188)
          command line: C:\Users\Admin\AppData\Local\Temp\cqwkmssl.pkh\installer.exe /qn CAMPAIGN="654"
      - C:\Windows\System32\cmd.exe (PID 4220)
        command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1oxtpxpw.tv0\any.exe & exit
        - C:\Users\Admin\AppData\Local\Temp\1oxtpxpw.tv0\any.exe (PID 5216)
          command line: C:\Users\Admin\AppData\Local\Temp\1oxtpxpw.tv0\any.exe
          - C:\Users\Admin\AppData\Local\Temp\1oxtpxpw.tv0\any.exe (PID 5356)
            command line: "C:\Users\Admin\AppData\Local\Temp\1oxtpxpw.tv0\any.exe" -u
      - C:\Windows\System32\cmd.exe (PID 1836)
        command line: "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uo0tnejj.baz\autosubplayer.exe /S & exit
        - C:\Users\Admin\AppData\Local\Temp\uo0tnejj.baz\autosubplayer.exe (PID 5340)
          command line: C:\Users\Admin\AppData\Local\Temp\uo0tnejj.baz\autosubplayer.exe /S
          - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5972)
            command line: powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsr6AC9.tmp\tempfile.ps1"
    - C:\Users\Admin\AppData\Local\Temp\e5-d60b5-32c-f3896-8947aef8b37ed\Selefomaly.exe (PID 4844)
      command line: "C:\Users\Admin\AppData\Local\Temp\e5-d60b5-32c-f3896-8947aef8b37ed\Selefomaly.exe"

- C:\Users\Admin\AppData\Local\Temp\is-U225S.tmp\Fri165bcbc7f8b.tmp (PID 3064)
  command line: "C:\Users\Admin\AppData\Local\Temp\is-U225S.tmp\Fri165bcbc7f8b.tmp" /SL5="$20156,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri165bcbc7f8b.exe"
  signatures: Executes dropped EXE; Loads dropped DLL
  - C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri165bcbc7f8b.exe (PID 1932)
    command line: "C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri165bcbc7f8b.exe" /SILENT
    signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\is-IBG4R.tmp\Fri165bcbc7f8b.tmp (PID 2280)
      command line: "C:\Users\Admin\AppData\Local\Temp\is-IBG4R.tmp\Fri165bcbc7f8b.tmp" /SL5="$1021A,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri165bcbc7f8b.exe" /SILENT
      signatures: Executes dropped EXE; Loads dropped DLL

- C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri167e14a5b3d5dc.exe (PID 2060)
  command line: Fri167e14a5b3d5dc.exe
  signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\msiexec.exe (PID 2564)
    command line: "C:\Windows\System32\msiexec.exe" -y .\l2RRL.WC

- C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri16a36a6a837.exe (PID 1552)
  command line: Fri16a36a6a837.exe
  signatures: Executes dropped EXE

- C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri16bd645415835b795.exe (PID 1516)
  command line: Fri16bd645415835b795.exe
  signatures: Executes dropped EXE

- C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri161c534d708b.exe (PID 2908)
  command line: Fri161c534d708b.exe
  signatures: Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\11111.exe (PID 608)
    command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

- C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri165bcbc7f8b.exe (PID 3804)
  command line: Fri165bcbc7f8b.exe
  signatures: Executes dropped EXE

- C:\Windows\system32\rundll32.exe (PID 368)
  command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  signatures: Process spawned unexpected child process
  - C:\Windows\SysWOW64\rundll32.exe (PID 1316)
    command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

- C:\Windows\system32\svchost.exe (PID 5004)
  command line: C:\Windows\system32\svchost.exe -k SystemNetworkService

- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe (PID 5460)
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

- C:\Windows\system32\browser_broker.exe (PID 5544)
  command line: C:\Windows\system32\browser_broker.exe -Embedding

- C:\Windows\system32\msiexec.exe (PID 6012)
  command line: C:\Windows\system32\msiexec.exe /V
  - C:\Windows\syswow64\MsiExec.exe (PID 1712)
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 216203C8DCD5B33A9A9D380AF5D590B9 C

- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (PID 5784)
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (PID 5268)
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (PID 4696)
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

- C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (PID 4200)
  command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

- C:\Windows\system32\rundll32.exe (PID 5256)
  command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  signatures: Process spawned unexpected child process
  - C:\Windows\SysWOW64\rundll32.exe (PID 2576)
    command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global