Analysis

max time kernel: 27s
max time network: 150s
platform: windows10_x64
resource: win10-en-20211208
submitted: 21/12/2021, 01:31

Static task: static1
Behavioral task: behavioral1
Sample: a224fb7e0e9febf8604d6bb34e1f3669.exe
Resource: win7-en-20211208
General

Target: a224fb7e0e9febf8604d6bb34e1f3669.exe
Size: 7.2MB
MD5: a224fb7e0e9febf8604d6bb34e1f3669
SHA1: 1c556d68023668f7e399cb67a211672622fb4bea
SHA256: 4fe1cb64f16f7fa987407a906a4319520972f5a8f5749e3b071a831825559a45
SHA512: 2eea0497ea9a18b67ed516db8afaa885b4a2f6534c5ab3fda6677db42fe5d2c86f4c4cd2bdec346031293a65fe474461c3cd1b3b92593bd2e4450ea8eb559814
Malware Config

Extracted: socelars
  http://www.biohazardgraphics.com/

Extracted: redline
  media18n
  65.108.69.168:13293

Extracted: redline
  v3user1
  159.69.246.184:13127

Extracted: vidar
  49.1
  915
  https://noc.social/@sergeev46
  https://c.im/@sergeev47
  profile_id: 915

Extracted: smokeloader
  2020
  http://rcacademy.at/upload/
  http://e-lanpengeonline.com/upload/
  http://vjcmvz.cn/upload/
  http://galala.ru/upload/
  http://witra.ru/upload/
Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4832 | 4552 | rundll32.exe | 128

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 4 IoCs
resource | yara_rule
behavioral2/memory/1740-281-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral2/memory/1740-282-0x0000000000419336-mapping.dmp | family_redline
behavioral2/memory/3168-285-0x0000000000419336-mapping.dmp | family_redline
behavioral2/memory/3168-283-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload 2 IoCs
resource | yara_rule
behavioral2/files/0x000500000001ab2d-196.dat | family_socelars
behavioral2/files/0x000500000001ab2d-175.dat | family_socelars

NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
resource | yara_rule
behavioral2/files/0x000500000001ab2b-158.dat | WebBrowserPassView
behavioral2/files/0x000500000001ab2b-200.dat | WebBrowserPassView

Nirsoft 5 IoCs
resource | yara_rule
behavioral2/files/0x000500000001ab2b-158.dat | Nirsoft
behavioral2/files/0x000500000001ab2b-200.dat | Nirsoft
behavioral2/memory/1700-298-0x0000000000400000-0x0000000000455000-memory.dmp | Nirsoft
behavioral2/files/0x000600000001ab44-297.dat | Nirsoft
behavioral2/files/0x000600000001ab44-296.dat | Nirsoft

Vidar Stealer 2 IoCs
resource | yara_rule
behavioral2/memory/3344-364-0x00000000022A0000-0x0000000002379000-memory.dmp | family_vidar
behavioral2/memory/3344-368-0x0000000000400000-0x0000000000539000-memory.dmp | family_vidar

resource | yara_rule
behavioral2/files/0x000500000001ab25-124.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab25-125.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab26-123.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab26-127.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab28-128.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab28-129.dat | aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 28 IoCs
pid | Process
3676 | setup_installer.exe
432 | setup_install.exe
1008 | Sat0494d09aa7775.exe
616 | Sat044c660c667.exe
788 | Sat04b57b2b5cd240fd7.exe
988 | Sat0416a6fea2.exe
536 | Sat04498b5333ea0e4d.exe
912 | Sat04b37a8a0cb44e.exe
2824 | Sat047a4df7658eb8.exe
2788 | Sat043294c6d0fbd1.exe
2068 | Sat041ad04ef04fb.exe
1824 | Sat041e2cec77924.exe
3344 | Sat04e71d955f.exe
3024 | Sat04c66f5aa6456.exe
3028 | Sat045c167897c8ece.exe
1840 | Sat047a4df7658eb8.tmp
3228 | Sat04b37a8a0cb44e.exe
3168 | Sat04498b5333ea0e4d.exe
2588 | Sat04a852dfcb0.exe
492 | Sat045c167897c8ece.tmp
3056 | Sat045c167897c8ece.exe
856 | Sat045c167897c8ece.tmp
1740 | Sat044c660c667.exe
3168 | Sat04498b5333ea0e4d.exe
1700 | 11111.exe
2504 | 01cd2c77-ce2c-499b-bee2-cb5b614ce3ee.exe
2372 | 2f188727-4e24-4f7b-bce3-00821f2a28eb.exe
684 | b86f3d1c-3852-45f9-b32c-a79d24ea5efc.exe

Loads dropped DLL 14 IoCs
pid | Process
432 | setup_install.exe
432 | setup_install.exe
432 | setup_install.exe
432 | setup_install.exe
432 | setup_install.exe
432 | setup_install.exe
432 | setup_install.exe
1840 | Sat047a4df7658eb8.tmp
492 | Sat045c167897c8ece.tmp
856 | Sat045c167897c8ece.tmp
1940 | rundll32.exe
1940 | rundll32.exe
1088 | rundll32.exe
1088 | rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
28 | ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
684 | b86f3d1c-3852-45f9-b32c-a79d24ea5efc.exe

Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 3168 set thread context of 2588 | 3168 | Sat04498b5333ea0e4d.exe | 107
PID 616 set thread context of 1740 | 616 | Sat044c660c667.exe | 111
PID 536 set thread context of 3168 | 536 | Sat04498b5333ea0e4d.exe | 112

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Sat0494d09aa7775.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Sat0494d09aa7775.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Sat0494d09aa7775.exe

Delays execution with timeout.exe 1 IoCs
pid | Process
5024 | timeout.exe

Kills process with taskkill 3 IoCs
pid | Process
4876 | taskkill.exe
4900 | taskkill.exe
3964 | taskkill.exe

Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings | Sat0416a6fea2.exe
Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings | Sat04c66f5aa6456.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 31 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
828 | powershell.exe
1884 | powershell.exe
828 | powershell.exe
1884 | powershell.exe
828 | powershell.exe
1884 | powershell.exe
1008 | Sat0494d09aa7775.exe
1008 | Sat0494d09aa7775.exe
684 | b86f3d1c-3852-45f9-b32c-a79d24ea5efc.exe
684 | b86f3d1c-3852-45f9-b32c-a79d24ea5efc.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs
description | pid | Process
Token: SeCreateTokenPrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: SeAssignPrimaryTokenPrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: SeLockMemoryPrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: SeIncreaseQuotaPrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: SeMachineAccountPrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: SeTcbPrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: SeSecurityPrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: SeTakeOwnershipPrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: SeLoadDriverPrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: SeSystemProfilePrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: SeSystemtimePrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: SeProfSingleProcessPrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: SeIncBasePriorityPrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: SeCreatePagefilePrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: SeCreatePermanentPrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: SeBackupPrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: SeRestorePrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: SeShutdownPrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: SeDebugPrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: SeAuditPrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: SeSystemEnvironmentPrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: SeChangeNotifyPrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: SeRemoteShutdownPrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: SeUndockPrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: SeSyncAgentPrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: SeEnableDelegationPrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: SeManageVolumePrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: SeImpersonatePrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: SeCreateGlobalPrivilege | 2788 | Sat043294c6d0fbd1.exe
Token: 31 | 2788 | Sat043294c6d0fbd1.exe
Token: 32 | 2788 | Sat043294c6d0fbd1.exe
Token: 33 | 2788 | Sat043294c6d0fbd1.exe
Token: 34 | 2788 | Sat043294c6d0fbd1.exe
Token: 35 | 2788 | Sat043294c6d0fbd1.exe
Token: SeDebugPrivilege | 536 | Sat04498b5333ea0e4d.exe
Token: SeDebugPrivilege | 616 | Sat044c660c667.exe
Token: SeDebugPrivilege | 1824 | Sat041e2cec77924.exe
Token: SeDebugPrivilege | 828 | powershell.exe
Token: SeDebugPrivilege | 1884 | powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2660 wrote to memory of 3676 | 2660 | a224fb7e0e9febf8604d6bb34e1f3669.exe | 69
PID 2660 wrote to memory of 3676 | 2660 | a224fb7e0e9febf8604d6bb34e1f3669.exe | 69
PID 2660 wrote to memory of 3676 | 2660 | a224fb7e0e9febf8604d6bb34e1f3669.exe | 69
PID 3676 wrote to memory of 432 | 3676 | setup_installer.exe | 70
PID 3676 wrote to memory of 432 | 3676 | setup_installer.exe | 70
PID 3676 wrote to memory of 432 | 3676 | setup_installer.exe | 70
PID 432 wrote to memory of 4024 | 432 | setup_install.exe | 73
PID 432 wrote to memory of 4024 | 432 | setup_install.exe | 73
PID 432 wrote to memory of 4024 | 432 | setup_install.exe | 73
PID 432 wrote to memory of 2180 | 432 | setup_install.exe | 74
PID 432 wrote to memory of 2180 | 432 | setup_install.exe | 74
PID 432 wrote to memory of 2180 | 432 | setup_install.exe | 74
PID 2180 wrote to memory of 1884 | 2180 | cmd.exe | 78
PID 2180 wrote to memory of 1884 | 2180 | cmd.exe | 78
PID 2180 wrote to memory of 1884 | 2180 | cmd.exe | 78
PID 4024 wrote to memory of 828 | 4024 | cmd.exe | 75
PID 4024 wrote to memory of 828 | 4024 | cmd.exe | 75
PID 4024 wrote to memory of 828 | 4024 | cmd.exe | 75
PID 432 wrote to memory of 2748 | 432 | setup_install.exe | 76
PID 432 wrote to memory of 2748 | 432 | setup_install.exe | 76
PID 432 wrote to memory of 2748 | 432 | setup_install.exe | 76
PID 432 wrote to memory of 372 | 432 | setup_install.exe | 77
PID 432 wrote to memory of 372 | 432 | setup_install.exe | 77
PID 432 wrote to memory of 372 | 432 | setup_install.exe | 77
PID 432 wrote to memory of 1448 | 432 | setup_install.exe | 79
PID 432 wrote to memory of 1448 | 432 | setup_install.exe | 79
PID 432 wrote to memory of 1448 | 432 | setup_install.exe | 79
PID 432 wrote to memory of 684 | 432 | setup_install.exe | 80
PID 432 wrote to memory of 684 | 432 | setup_install.exe | 80
PID 432 wrote to memory of 684 | 432 | setup_install.exe | 80
PID 432 wrote to memory of 192 | 432 | setup_install.exe | 81
PID 432 wrote to memory of 192 | 432 | setup_install.exe | 81
PID 432 wrote to memory of 192 | 432 | setup_install.exe | 81
PID 432 wrote to memory of 412 | 432 | setup_install.exe | 82
PID 432 wrote to memory of 412 | 432 | setup_install.exe | 82
PID 432 wrote to memory of 412 | 432 | setup_install.exe | 82
PID 432 wrote to memory of 512 | 432 | setup_install.exe | 83
PID 432 wrote to memory of 512 | 432 | setup_install.exe | 83
PID 432 wrote to memory of 512 | 432 | setup_install.exe | 83
PID 2748 wrote to memory of 1008 | 2748 | cmd.exe | 84
PID 2748 wrote to memory of 1008 | 2748 | cmd.exe | 84
PID 2748 wrote to memory of 1008 | 2748 | cmd.exe | 84
PID 372 wrote to memory of 616 | 372 | cmd.exe | 85
PID 372 wrote to memory of 616 | 372 | cmd.exe | 85
PID 372 wrote to memory of 616 | 372 | cmd.exe | 85
PID 432 wrote to memory of 1120 | 432 | setup_install.exe | 88
PID 432 wrote to memory of 1120 | 432 | setup_install.exe | 88
PID 432 wrote to memory of 1120 | 432 | setup_install.exe | 88
PID 432 wrote to memory of 3660 | 432 | setup_install.exe | 86
PID 432 wrote to memory of 3660 | 432 | setup_install.exe | 86
PID 432 wrote to memory of 3660 | 432 | setup_install.exe | 86
PID 432 wrote to memory of 3208 | 432 | setup_install.exe | 87
PID 432 wrote to memory of 3208 | 432 | setup_install.exe | 87
PID 432 wrote to memory of 3208 | 432 | setup_install.exe | 87
PID 1120 wrote to memory of 788 | 1120 | cmd.exe | 106
PID 1120 wrote to memory of 788 | 1120 | cmd.exe | 106
PID 1120 wrote to memory of 788 | 1120 | cmd.exe | 106
PID 412 wrote to memory of 988 | 412 | cmd.exe | 105
PID 412 wrote to memory of 988 | 412 | cmd.exe | 105
PID 412 wrote to memory of 988 | 412 | cmd.exe | 105
PID 3660 wrote to memory of 536 | 3660 | cmd.exe | 104
PID 3660 wrote to memory of 536 | 3660 | cmd.exe | 104
PID 3660 wrote to memory of 536 | 3660 | cmd.exe | 104
PID 432 wrote to memory of 840 | 432 | setup_install.exe | 103
Processes

Process tree (the bracketed number is the nesting depth shown in the report; each entry lists the image path, its PID, the command line, and the signatures matched by that process).

[1] C:\Users\Admin\AppData\Local\Temp\a224fb7e0e9febf8604d6bb34e1f3669.exe (PID 2660)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a224fb7e0e9febf8604d6bb34e1f3669.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe (PID 3676)
      Command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\setup_install.exe (PID 432)
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\setup_install.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 4024)
          Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 828)
            Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2180)
          Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1884)
            Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2748)
          Command line: C:\Windows\system32\cmd.exe /c Sat0494d09aa7775.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\Sat0494d09aa7775.exe (PID 1008)
            Command line: Sat0494d09aa7775.exe
            - Executes dropped EXE
            - Checks SCSI registry key(s)
            - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\SysWOW64\cmd.exe (PID 372)
          Command line: C:\Windows\system32\cmd.exe /c Sat044c660c667.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\Sat044c660c667.exe (PID 616)
            Command line: Sat044c660c667.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\Sat044c660c667.exe (PID 1740)
              Command line: C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\Sat044c660c667.exe
              - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1448)
          Command line: C:\Windows\system32\cmd.exe /c Sat04b37a8a0cb44e.exe
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\Sat04b37a8a0cb44e.exe (PID 912)
            Command line: Sat04b37a8a0cb44e.exe
            - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe (PID 684)
          Command line: C:\Windows\system32\cmd.exe /c Sat047a4df7658eb8.exe
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\Sat047a4df7658eb8.exe (PID 2824)
            Command line: Sat047a4df7658eb8.exe
            - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe (PID 192)
          Command line: C:\Windows\system32\cmd.exe /c Sat041ad04ef04fb.exe
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\Sat041ad04ef04fb.exe (PID 2068)
            Command line: Sat041ad04ef04fb.exe
            - Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\Temp\11111.exe (PID 1700)
              Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe (PID 412)
          Command line: C:\Windows\system32\cmd.exe /c Sat0416a6fea2.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\Sat0416a6fea2.exe (PID 988)
            Command line: Sat0416a6fea2.exe
            - Executes dropped EXE
            - Modifies registry class
          [6] C:\Windows\SysWOW64\control.exe (PID 1292)
              Command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\1S3Y.CPl",
            [7] C:\Windows\SysWOW64\rundll32.exe (PID 1940)
                Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\1S3Y.CPl",
                - Loads dropped DLL
      [4] C:\Windows\SysWOW64\cmd.exe (PID 512)
          Command line: C:\Windows\system32\cmd.exe /c Sat041e2cec77924.exe
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\Sat041e2cec77924.exe (PID 1824)
            Command line: Sat041e2cec77924.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\01cd2c77-ce2c-499b-bee2-cb5b614ce3ee.exe (PID 2504)
              Command line: "C:\Users\Admin\AppData\Local\01cd2c77-ce2c-499b-bee2-cb5b614ce3ee.exe"
              - Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\b86f3d1c-3852-45f9-b32c-a79d24ea5efc.exe (PID 684)
              Command line: "C:\Users\Admin\AppData\Local\b86f3d1c-3852-45f9-b32c-a79d24ea5efc.exe"
              - Executes dropped EXE
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              - Suspicious behavior: EnumeratesProcesses
          [6] C:\Users\Admin\AppData\Local\2f188727-4e24-4f7b-bce3-00821f2a28eb.exe (PID 2372)
              Command line: "C:\Users\Admin\AppData\Local\2f188727-4e24-4f7b-bce3-00821f2a28eb.exe"
              - Executes dropped EXE
            [7] C:\Users\Admin\AppData\Roaming\87904734\5235434852354348.exe (PID 4392)
                Command line: "C:\Users\Admin\AppData\Roaming\87904734\5235434852354348.exe"
          [6] C:\Users\Admin\AppData\Local\98508533-94cd-41f1-bfba-cda1008f5db5.exe (PID 1244)
              Command line: "C:\Users\Admin\AppData\Local\98508533-94cd-41f1-bfba-cda1008f5db5.exe"
          [6] C:\Users\Admin\AppData\Local\d892348f-d0b3-4705-8cac-4430329920ae.exe (PID 2004)
              Command line: "C:\Users\Admin\AppData\Local\d892348f-d0b3-4705-8cac-4430329920ae.exe"
            [7] C:\Users\Admin\AppData\Roaming\4109873.exe (PID 4928)
                Command line: "C:\Users\Admin\AppData\Roaming\4109873.exe"
              [8] C:\Windows\SysWOW64\control.exe (PID 3096)
                  Command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\YAuR5.CPl",
                [9] C:\Windows\SysWOW64\rundll32.exe (PID 4012)
                    Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\YAuR5.CPl",
                  [10] C:\Windows\system32\RunDll32.exe (PID 400)
                       Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\YAuR5.CPl",
                    [11] C:\Windows\SysWOW64\rundll32.exe (PID 4872)
                         Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\YAuR5.CPl",
      [4] C:\Windows\SysWOW64\cmd.exe (PID 3660)
          Command line: C:\Windows\system32\cmd.exe /c Sat04498b5333ea0e4d.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\Sat04498b5333ea0e4d.exe (PID 536)
            Command line: Sat04498b5333ea0e4d.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\Sat04498b5333ea0e4d.exe (PID 3168)
              Command line: C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\Sat04498b5333ea0e4d.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
      [4] C:\Windows\SysWOW64\cmd.exe (PID 3208)
          Command line: C:\Windows\system32\cmd.exe /c Sat043294c6d0fbd1.exe
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\Sat043294c6d0fbd1.exe (PID 2788)
            Command line: Sat043294c6d0fbd1.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\cmd.exe (PID 4360)
              Command line: cmd.exe /c taskkill /f /im chrome.exe
            [7] C:\Windows\SysWOW64\taskkill.exe (PID 4900)
                Command line: taskkill /f /im chrome.exe
                - Kills process with taskkill
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1120)
          Command line: C:\Windows\system32\cmd.exe /c Sat04b57b2b5cd240fd7.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\Sat04b57b2b5cd240fd7.exe (PID 788)
            Command line: Sat04b57b2b5cd240fd7.exe
            - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe (PID 964)
          Command line: C:\Windows\system32\cmd.exe /c Sat04c66f5aa6456.exe
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\Sat04c66f5aa6456.exe (PID 3024)
            Command line: Sat04c66f5aa6456.exe
            - Executes dropped EXE
            - Modifies registry class
          [6] C:\Windows\SysWOW64\control.exe (PID 1056)
              Command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\JQOzcH.CPL",
            [7] C:\Windows\SysWOW64\rundll32.exe (PID 1088)
                Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\JQOzcH.CPL",
                - Loads dropped DLL
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2784)
          Command line: C:\Windows\system32\cmd.exe /c Sat04e71d955f.exe
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\Sat04e71d955f.exe (PID 3344)
            Command line: Sat04e71d955f.exe
            - Executes dropped EXE
          [6] C:\Windows\SysWOW64\cmd.exe (PID 3880)
              Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im Sat04e71d955f.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\Sat04e71d955f.exe" & del C:\ProgramData\*.dll & exit
            [7] C:\Windows\SysWOW64\taskkill.exe (PID 3964)
                Command line: taskkill /im Sat04e71d955f.exe /f
                - Kills process with taskkill
            [7] C:\Windows\SysWOW64\timeout.exe (PID 5024)
                Command line: timeout /t 6
                - Delays execution with timeout.exe
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1712)
          Command line: C:\Windows\system32\cmd.exe /c Sat04a852dfcb0.exe /mixtwo
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\Sat04a852dfcb0.exe (PID 3168)
            Command line: Sat04a852dfcb0.exe /mixtwo
          [6] C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\Sat04a852dfcb0.exe (PID 2588)
              Command line: Sat04a852dfcb0.exe /mixtwo
              - Executes dropped EXE
            [7] C:\Windows\SysWOW64\cmd.exe (PID 4304)
                Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "Sat04a852dfcb0.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\Sat04a852dfcb0.exe" & exit
              [8] C:\Windows\SysWOW64\taskkill.exe (PID 4876)
                  Command line: taskkill /im "Sat04a852dfcb0.exe" /f
                  - Kills process with taskkill
      [4] C:\Windows\SysWOW64\cmd.exe (PID 840)
          Command line: C:\Windows\system32\cmd.exe /c Sat045c167897c8ece.exe

[1] C:\Users\Admin\AppData\Local\Temp\is-VLOJF.tmp\Sat047a4df7658eb8.tmp (PID 1840)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-VLOJF.tmp\Sat047a4df7658eb8.tmp" /SL5="$50060,140047,56320,C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\Sat047a4df7658eb8.exe"
    - Executes dropped EXE
    - Loads dropped DLL

[1] C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\Sat04b37a8a0cb44e.exe (PID 3228)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\Sat04b37a8a0cb44e.exe" -u
    - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\Sat045c167897c8ece.exe (PID 3028)
    Command line: Sat045c167897c8ece.exe
    - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\is-IL40J.tmp\Sat045c167897c8ece.tmp (PID 492)
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-IL40J.tmp\Sat045c167897c8ece.tmp" /SL5="$1020A,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\Sat045c167897c8ece.exe"
      - Executes dropped EXE
      - Loads dropped DLL
    [3] C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\Sat045c167897c8ece.exe (PID 3056)
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\Sat045c167897c8ece.exe" /SILENT
        - Executes dropped EXE
      [4] C:\Users\Admin\AppData\Local\Temp\is-6QPQ1.tmp\Sat045c167897c8ece.tmp (PID 856)
          Command line: "C:\Users\Admin\AppData\Local\Temp\is-6QPQ1.tmp\Sat045c167897c8ece.tmp" /SL5="$30218,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zSC5E219E5\Sat045c167897c8ece.exe" /SILENT
          - Executes dropped EXE
          - Loads dropped DLL

[1] C:\Windows\system32\rundll32.exe (PID 4832)
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Process spawned unexpected child process
  [2] C:\Windows\SysWOW64\rundll32.exe (PID 1380)
      Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

[1] C:\Windows\system32\svchost.exe (PID 1428)
    Command line: C:\Windows\system32\svchost.exe -k SystemNetworkService