Analysis
- max time kernel: 77s
- max time network: 185s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 23/12/2021, 13:28
Static task: static1
Behavioral task: behavioral1
- Sample: 5707fb85eb581b726bce78afdd58b1226a53550767a30537f6994ed939982b3f.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 5707fb85eb581b726bce78afdd58b1226a53550767a30537f6994ed939982b3f.exe
- Resource: win10-en-20211208
General
- Target: 5707fb85eb581b726bce78afdd58b1226a53550767a30537f6994ed939982b3f.exe
- Size: 9.7MB
- MD5: 6b296de2de00117bf1cbfcff13f51c19
- SHA1: a1a4259256800752273745cfdfb4204603bd97d5
- SHA256: 5707fb85eb581b726bce78afdd58b1226a53550767a30537f6994ed939982b3f
- SHA512: 1728b264683a2598eabf692a7707d15559395a2950e4b112ff915b05aa10348daa4d80f2b39bbff530a47fa825fd7fe2cb6e1da901fb0a87fdca489bf8b4cb4f
Malware Config
Extracted
- Family: socelars
- http://www.biohazardgraphics.com/
Extracted
- Family: raccoon
- 8fc55a7ea41b0c5db2ca3c881e20966100c28a40
- url4cnc:
  - http://194.180.174.53/jredmankun
  - http://91.219.236.18/jredmankun
  - http://194.180.174.41/jredmankun
  - http://91.219.236.148/jredmankun
  - https://t.me/jredmankun
Extracted
- Family: vidar
- 49.2
- 915
- https://mstdn.social/@kipriauk9
- https://qoto.org/@kipriauk8
- profile_id: 915
Extracted
- Family: redline
- v3user1
- 159.69.246.184:13127
Extracted
- Family: redline
- media22ns
- 65.108.69.168:13293
Signatures
- Process spawned unexpected child process (1 IoCs)
  This typically indicates the parent process was compromised via an exploit or macro.
  - description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | pid: 2880 | pid_target: 3856 | Process: rundll32.exe | procid_target: 128
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine Payload (5 IoCs)
  - resource: behavioral2/memory/4380-314-0x0000000000400000-0x0000000000420000-memory.dmp | yara_rule: family_redline
  - resource: behavioral2/memory/4380-317-0x0000000000419336-mapping.dmp | yara_rule: family_redline
  - resource: behavioral2/memory/4364-315-0x0000000000419336-mapping.dmp | yara_rule: family_redline
  - resource: behavioral2/memory/4364-313-0x0000000000400000-0x0000000000420000-memory.dmp | yara_rule: family_redline
  - resource: behavioral2/memory/4364-323-0x0000000000400000-0x0000000000420000-memory.dmp | yara_rule: family_redline
- Socelars Payload (2 IoCs)
  - resource: behavioral2/files/0x000600000001ab3a-153.dat | yara_rule: family_socelars
  - resource: behavioral2/files/0x000600000001ab3a-198.dat | yara_rule: family_socelars
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- NirSoft WebBrowserPassView (2 IoCs)
  Password recovery tool for various web browsers
  - resource: behavioral2/files/0x000500000001ab41-163.dat | yara_rule: WebBrowserPassView
  - resource: behavioral2/files/0x000500000001ab41-200.dat | yara_rule: WebBrowserPassView
- Nirsoft (5 IoCs)
  - resource: behavioral2/files/0x000500000001ab41-163.dat | yara_rule: Nirsoft
  - resource: behavioral2/files/0x000500000001ab41-200.dat | yara_rule: Nirsoft
  - resource: behavioral2/memory/4544-305-0x0000000000400000-0x0000000000455000-memory.dmp | yara_rule: Nirsoft
  - resource: behavioral2/files/0x000600000001ab65-304.dat | yara_rule: Nirsoft
  - resource: behavioral2/files/0x000600000001ab65-303.dat | yara_rule: Nirsoft
- Vidar Stealer (2 IoCs)
  - resource: behavioral2/memory/2836-308-0x0000000000400000-0x000000000053E000-memory.dmp | yara_rule: family_vidar
  - resource: behavioral2/memory/2836-307-0x0000000002190000-0x0000000002265000-memory.dmp | yara_rule: family_vidar
- Untitled signature (yara_rule aspack_v212_v242 matches)
  - resource: behavioral2/files/0x000500000001ab30-123.dat | yara_rule: aspack_v212_v242
  - resource: behavioral2/files/0x000700000001ab32-129.dat | yara_rule: aspack_v212_v242
  - resource: behavioral2/files/0x000700000001ab32-128.dat | yara_rule: aspack_v212_v242
  - resource: behavioral2/files/0x000500000001ab30-124.dat | yara_rule: aspack_v212_v242
  - resource: behavioral2/files/0x000500000001ab2f-125.dat | yara_rule: aspack_v212_v242
  - resource: behavioral2/files/0x000500000001ab2f-131.dat | yara_rule: aspack_v212_v242
  - resource: behavioral2/files/0x000500000001ab2f-130.dat | yara_rule: aspack_v212_v242
- Downloads MZ/PE file
- Executes dropped EXE (27 IoCs)
  - pid 1308: setup_installer.exe
  - pid 2824: setup_install.exe
  - pid 1416: Wed15ff85e6fb5cb658.exe
  - pid 2940: Wed150944bf7032c623.exe
  - pid 3016: Wed153b85888b3614.exe
  - pid 2836: Wed1585231a10aabd865.exe
  - pid 2808: Wed150ca0ddb4.exe
  - pid 3036: Wed150790bf65e4c8f4.exe
  - pid 3168: Wed153b15877dec9.exe
  - pid 3228: Wed1500c7d1d4.exe
  - pid 412: Wed15cf77e3ddc30.exe
  - pid 3684: Wed15f7625124.exe
  - pid 3212: Wed15d8c997dfcb85ac.exe
  - pid 3060: Wed15e36a85c94ce.exe
  - pid 1952: Wed153b85888b3614.exe
  - pid 3024: Wed156dcbb535.exe
  - pid 2924: Wed15581b4e451c4f72.exe
  - pid 1140: Wed15ff85e6fb5cb658.tmp
  - pid 524: Wed150790bf65e4c8f4.exe
  - pid 1052: Wed15def1e1a6.exe
  - pid 3816: Wed15f5f024996c4fec.exe
  - pid 3596: Wed15ff85e6fb5cb658.exe
  - pid 536: Wed15ff85e6fb5cb658.tmp
  - pid 4544: 11111.exe
  - pid 4364: Wed150ca0ddb4.exe
  - pid 4380: Wed15581b4e451c4f72.exe
  - pid 3980: windllhost.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  - description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Process: Wed15e36a85c94ce.exe
  - description: Key value queried | ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Process: Wed15e36a85c94ce.exe
- Loads dropped DLL (13 IoCs)
  - pid 2824: setup_install.exe
  - pid 2824: setup_install.exe
  - pid 2824: setup_install.exe
  - pid 2824: setup_install.exe
  - pid 2824: setup_install.exe
  - pid 2824: setup_install.exe
  - pid 1140: Wed15ff85e6fb5cb658.tmp
  - pid 536: Wed15ff85e6fb5cb658.tmp
  - pid 4916: rundll32.exe
  - pid 4896: rundll32.exe
  - pid 4916: rundll32.exe
  - pid 4896: rundll32.exe
  - pid 2936: rundll32.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Checks whether UAC is enabled
  - description: Key value queried | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Process: Wed15e36a85c94ce.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow: 25 | ioc: ip-api.com
- Looks up geolocation information via web service
  Uses a legitimate geolocation service to find the infected system's geolocation info.
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  - pid 3060: Wed15e36a85c94ce.exe
  - pid 3060: Wed15e36a85c94ce.exe
- Suspicious use of SetThreadContext (3 IoCs)
  - description: PID 3016 set thread context of 1952 | pid: 3016 | Process: Wed153b85888b3614.exe | procid_target: 104
  - description: PID 2808 set thread context of 4364 | pid: 2808 | Process: Wed150ca0ddb4.exe | procid_target: 116
  - description: PID 2924 set thread context of 4380 | pid: 2924 | Process: Wed15581b4e451c4f72.exe | procid_target: 115
- Drops file in Program Files directory (3 IoCs)
  - description: File created | ioc: C:\Program Files (x86)\FarLabUninstaller\is-AJCT1.tmp | Process: Wed15ff85e6fb5cb658.tmp
  - description: File opened for modification | ioc: C:\Program Files (x86)\FarLabUninstaller\unins000.dat | Process: Wed15ff85e6fb5cb658.tmp
  - description: File created | ioc: C:\Program Files (x86)\FarLabUninstaller\unins000.dat | Process: Wed15ff85e6fb5cb658.tmp
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  - pid: 4724 | pid_target: 3684 | Process: WerFault.exe | procid_target: 100
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  - description: Key opened | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Process: Wed156dcbb535.exe
  - description: Key queried | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Process: Wed156dcbb535.exe
  - description: Key enumerated | ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Process: Wed156dcbb535.exe
- Delays execution with timeout.exe (1 IoCs)
  - pid 4788: timeout.exe
- Kills process with taskkill (3 IoCs)
  - pid 3240: taskkill.exe
  - pid 4136: taskkill.exe
  - pid 3508: taskkill.exe
- Modifies registry class (2 IoCs)
  - description: Key created | ioc: \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings | Process: Wed15def1e1a6.exe
  - description: Key created | ioc: \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings | Process: Wed15d8c997dfcb85ac.exe
- Script User-Agent (1 IoCs)
  Uses user-agent string associated with script host/environment.
  - description: HTTP User-Agent header | flow: 30 | ioc: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process 3060 Wed15e36a85c94ce.exe 3060 Wed15e36a85c94ce.exe 424 powershell.exe 424 powershell.exe 384 powershell.exe 384 powershell.exe 3060 Wed15e36a85c94ce.exe 3060 Wed15e36a85c94ce.exe 424 powershell.exe 384 powershell.exe 3024 Wed156dcbb535.exe 3024 Wed156dcbb535.exe 4724 WerFault.exe 4724 WerFault.exe 4724 WerFault.exe 4724 WerFault.exe 4724 WerFault.exe 4724 WerFault.exe 4724 WerFault.exe 4724 WerFault.exe 4724 WerFault.exe 4724 WerFault.exe 4724 WerFault.exe 4724 WerFault.exe 4724 WerFault.exe 4724 WerFault.exe 4724 WerFault.exe 4724 WerFault.exe 4724 WerFault.exe 4724 WerFault.exe 384 powershell.exe 424 powershell.exe 4724 WerFault.exe 4724 WerFault.exe 3064 Process not Found 3064 Process not Found 3064 Process not Found 3064 Process not Found 3064 Process not Found 3064 Process not Found 3064 Process not Found 3064 Process not Found 3064 Process not Found 3064 Process not Found 3064 Process not Found 3064 Process not Found 3064 Process not Found 3064 Process not Found 3064 Process not Found 3064 Process not Found 3064 Process not Found 3064 Process not Found 3064 Process not Found 3064 Process not Found 3064 Process not Found 3064 Process not Found 3064 Process not Found 3064 Process not Found 3064 Process not Found 3064 Process not Found 3064 Process not Found 3064 Process not Found 3064 Process not Found 3064 Process not Found -
- Suspicious behavior: MapViewOfSection (1 IoCs)
  - pid 3024: Wed156dcbb535.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
description pid Process Token: SeCreateTokenPrivilege 3168 Wed153b15877dec9.exe Token: SeAssignPrimaryTokenPrivilege 3168 Wed153b15877dec9.exe Token: SeLockMemoryPrivilege 3168 Wed153b15877dec9.exe Token: SeIncreaseQuotaPrivilege 3168 Wed153b15877dec9.exe Token: SeMachineAccountPrivilege 3168 Wed153b15877dec9.exe Token: SeTcbPrivilege 3168 Wed153b15877dec9.exe Token: SeSecurityPrivilege 3168 Wed153b15877dec9.exe Token: SeTakeOwnershipPrivilege 3168 Wed153b15877dec9.exe Token: SeLoadDriverPrivilege 3168 Wed153b15877dec9.exe Token: SeSystemProfilePrivilege 3168 Wed153b15877dec9.exe Token: SeSystemtimePrivilege 3168 Wed153b15877dec9.exe Token: SeProfSingleProcessPrivilege 3168 Wed153b15877dec9.exe Token: SeIncBasePriorityPrivilege 3168 Wed153b15877dec9.exe Token: SeCreatePagefilePrivilege 3168 Wed153b15877dec9.exe Token: SeCreatePermanentPrivilege 3168 Wed153b15877dec9.exe Token: SeBackupPrivilege 3168 Wed153b15877dec9.exe Token: SeRestorePrivilege 3168 Wed153b15877dec9.exe Token: SeShutdownPrivilege 3168 Wed153b15877dec9.exe Token: SeDebugPrivilege 3168 Wed153b15877dec9.exe Token: SeAuditPrivilege 3168 Wed153b15877dec9.exe Token: SeSystemEnvironmentPrivilege 3168 Wed153b15877dec9.exe Token: SeChangeNotifyPrivilege 3168 Wed153b15877dec9.exe Token: SeRemoteShutdownPrivilege 3168 Wed153b15877dec9.exe Token: SeUndockPrivilege 3168 Wed153b15877dec9.exe Token: SeSyncAgentPrivilege 3168 Wed153b15877dec9.exe Token: SeEnableDelegationPrivilege 3168 Wed153b15877dec9.exe Token: SeManageVolumePrivilege 3168 Wed153b15877dec9.exe Token: SeImpersonatePrivilege 3168 Wed153b15877dec9.exe Token: SeCreateGlobalPrivilege 3168 Wed153b15877dec9.exe Token: 31 3168 Wed153b15877dec9.exe Token: 32 3168 Wed153b15877dec9.exe Token: 33 3168 Wed153b15877dec9.exe Token: 34 3168 Wed153b15877dec9.exe Token: 35 3168 Wed153b15877dec9.exe Token: SeDebugPrivilege 2924 Wed15581b4e451c4f72.exe Token: SeDebugPrivilege 2808 Wed150ca0ddb4.exe Token: SeDebugPrivilege 424 powershell.exe Token: SeDebugPrivilege 
384 powershell.exe Token: SeDebugPrivilege 3816 Wed15f5f024996c4fec.exe Token: SeDebugPrivilege 3684 Wed15f7625124.exe Token: SeDebugPrivilege 4724 WerFault.exe Token: SeShutdownPrivilege 3064 Process not Found Token: SeCreatePagefilePrivilege 3064 Process not Found Token: SeShutdownPrivilege 3064 Process not Found Token: SeCreatePagefilePrivilege 3064 Process not Found Token: SeShutdownPrivilege 3064 Process not Found Token: SeCreatePagefilePrivilege 3064 Process not Found Token: SeShutdownPrivilege 3064 Process not Found Token: SeCreatePagefilePrivilege 3064 Process not Found Token: SeShutdownPrivilege 3064 Process not Found Token: SeCreatePagefilePrivilege 3064 Process not Found Token: SeShutdownPrivilege 3064 Process not Found Token: SeCreatePagefilePrivilege 3064 Process not Found Token: SeShutdownPrivilege 3064 Process not Found Token: SeCreatePagefilePrivilege 3064 Process not Found Token: SeShutdownPrivilege 3064 Process not Found Token: SeCreatePagefilePrivilege 3064 Process not Found Token: SeShutdownPrivilege 3064 Process not Found Token: SeCreatePagefilePrivilege 3064 Process not Found Token: SeShutdownPrivilege 3064 Process not Found Token: SeCreatePagefilePrivilege 3064 Process not Found Token: SeShutdownPrivilege 3064 Process not Found Token: SeCreatePagefilePrivilege 3064 Process not Found Token: SeShutdownPrivilege 3064 Process not Found -
- Suspicious use of FindShellTrayWindow (1 IoCs)
  - pid 536: Wed15ff85e6fb5cb658.tmp
- Suspicious use of WriteProcessMemory (64 IoCs)
description pid Process procid_target PID 2620 wrote to memory of 1308 2620 5707fb85eb581b726bce78afdd58b1226a53550767a30537f6994ed939982b3f.exe 69 PID 2620 wrote to memory of 1308 2620 5707fb85eb581b726bce78afdd58b1226a53550767a30537f6994ed939982b3f.exe 69 PID 2620 wrote to memory of 1308 2620 5707fb85eb581b726bce78afdd58b1226a53550767a30537f6994ed939982b3f.exe 69 PID 1308 wrote to memory of 2824 1308 setup_installer.exe 70 PID 1308 wrote to memory of 2824 1308 setup_installer.exe 70 PID 1308 wrote to memory of 2824 1308 setup_installer.exe 70 PID 2824 wrote to memory of 2532 2824 setup_install.exe 73 PID 2824 wrote to memory of 2532 2824 setup_install.exe 73 PID 2824 wrote to memory of 2532 2824 setup_install.exe 73 PID 2824 wrote to memory of 1860 2824 setup_install.exe 74 PID 2824 wrote to memory of 1860 2824 setup_install.exe 74 PID 2824 wrote to memory of 1860 2824 setup_install.exe 74 PID 2824 wrote to memory of 1884 2824 setup_install.exe 75 PID 2824 wrote to memory of 1884 2824 setup_install.exe 75 PID 2824 wrote to memory of 1884 2824 setup_install.exe 75 PID 2824 wrote to memory of 2772 2824 setup_install.exe 96 PID 2824 wrote to memory of 2772 2824 setup_install.exe 96 PID 2824 wrote to memory of 2772 2824 setup_install.exe 96 PID 2824 wrote to memory of 1068 2824 setup_install.exe 95 PID 2824 wrote to memory of 1068 2824 setup_install.exe 95 PID 2824 wrote to memory of 1068 2824 setup_install.exe 95 PID 2532 wrote to memory of 424 2532 cmd.exe 94 PID 2532 wrote to memory of 424 2532 cmd.exe 94 PID 2532 wrote to memory of 424 2532 cmd.exe 94 PID 1860 wrote to memory of 384 1860 cmd.exe 93 PID 1860 wrote to memory of 384 1860 cmd.exe 93 PID 1860 wrote to memory of 384 1860 cmd.exe 93 PID 2824 wrote to memory of 1268 2824 setup_install.exe 92 PID 2824 wrote to memory of 1268 2824 setup_install.exe 92 PID 2824 wrote to memory of 1268 2824 setup_install.exe 92 PID 2824 wrote to memory of 1148 2824 setup_install.exe 76 PID 2824 wrote to memory of 1148 2824 
setup_install.exe 76 PID 2824 wrote to memory of 1148 2824 setup_install.exe 76 PID 2824 wrote to memory of 1224 2824 setup_install.exe 77 PID 2824 wrote to memory of 1224 2824 setup_install.exe 77 PID 2824 wrote to memory of 1224 2824 setup_install.exe 77 PID 2824 wrote to memory of 396 2824 setup_install.exe 78 PID 2824 wrote to memory of 396 2824 setup_install.exe 78 PID 2824 wrote to memory of 396 2824 setup_install.exe 78 PID 2824 wrote to memory of 980 2824 setup_install.exe 91 PID 2824 wrote to memory of 980 2824 setup_install.exe 91 PID 2824 wrote to memory of 980 2824 setup_install.exe 91 PID 2824 wrote to memory of 1820 2824 setup_install.exe 79 PID 2824 wrote to memory of 1820 2824 setup_install.exe 79 PID 2824 wrote to memory of 1820 2824 setup_install.exe 79 PID 2824 wrote to memory of 2156 2824 setup_install.exe 80 PID 2824 wrote to memory of 2156 2824 setup_install.exe 80 PID 2824 wrote to memory of 2156 2824 setup_install.exe 80 PID 2824 wrote to memory of 4024 2824 setup_install.exe 90 PID 2824 wrote to memory of 4024 2824 setup_install.exe 90 PID 2824 wrote to memory of 4024 2824 setup_install.exe 90 PID 2824 wrote to memory of 3664 2824 setup_install.exe 81 PID 2824 wrote to memory of 3664 2824 setup_install.exe 81 PID 2824 wrote to memory of 3664 2824 setup_install.exe 81 PID 2824 wrote to memory of 1332 2824 setup_install.exe 82 PID 2824 wrote to memory of 1332 2824 setup_install.exe 82 PID 2824 wrote to memory of 1332 2824 setup_install.exe 82 PID 1224 wrote to memory of 2940 1224 cmd.exe 83 PID 1224 wrote to memory of 2940 1224 cmd.exe 83 PID 1224 wrote to memory of 2940 1224 cmd.exe 83 PID 1148 wrote to memory of 1416 1148 cmd.exe 89 PID 1148 wrote to memory of 1416 1148 cmd.exe 89 PID 1148 wrote to memory of 1416 1148 cmd.exe 89 PID 1884 wrote to memory of 3016 1884 cmd.exe 88
Processes
- PID 2620 | image: C:\Users\Admin\AppData\Local\Temp\5707fb85eb581b726bce78afdd58b1226a53550767a30537f6994ed939982b3f.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\5707fb85eb581b726bce78afdd58b1226a53550767a30537f6994ed939982b3f.exe" | signatures: Suspicious use of WriteProcessMemory
  - PID 1308 | image: C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe" | signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - PID 2824 | image: C:\Users\Admin\AppData\Local\Temp\7zSC154B466\setup_install.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\7zSC154B466\setup_install.exe" | signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - PID 2532 | image: C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable | signatures: Suspicious use of WriteProcessMemory
        - PID 424 | image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable | signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - PID 1860 | image: C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp" | signatures: Suspicious use of WriteProcessMemory
        - PID 384 | image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp" | signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - PID 1884 | image: C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c Wed153b85888b3614.exe /mixtwo | signatures: Suspicious use of WriteProcessMemory
        - PID 3016 | image: C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed153b85888b3614.exe | cmdline: Wed153b85888b3614.exe /mixtwo | signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          - PID 1952 | image: C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed153b85888b3614.exe | cmdline: Wed153b85888b3614.exe /mixtwo | signatures: Executes dropped EXE
            - PID 5024 | image: C:\Windows\SysWOW64\cmd.exe | cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "Wed153b85888b3614.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed153b85888b3614.exe" & exit
              - PID 4136 | image: C:\Windows\SysWOW64\taskkill.exe | cmdline: taskkill /im "Wed153b85888b3614.exe" /f | signatures: Kills process with taskkill
      - PID 1148 | image: C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c Wed15ff85e6fb5cb658.exe | signatures: Suspicious use of WriteProcessMemory
        - PID 1416 | image: C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed15ff85e6fb5cb658.exe | cmdline: Wed15ff85e6fb5cb658.exe | signatures: Executes dropped EXE
          - PID 1140 | image: C:\Users\Admin\AppData\Local\Temp\is-O56RL.tmp\Wed15ff85e6fb5cb658.tmp | cmdline: "C:\Users\Admin\AppData\Local\Temp\is-O56RL.tmp\Wed15ff85e6fb5cb658.tmp" /SL5="$20086,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed15ff85e6fb5cb658.exe" | signatures: Executes dropped EXE; Loads dropped DLL
      - PID 1224 | image: C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c Wed150944bf7032c623.exe | signatures: Suspicious use of WriteProcessMemory
        - PID 2940 | image: C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed150944bf7032c623.exe | cmdline: Wed150944bf7032c623.exe | signatures: Executes dropped EXE
      - PID 396 | image: C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c Wed1500c7d1d4.exe
        - PID 3228 | image: C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed1500c7d1d4.exe | cmdline: Wed1500c7d1d4.exe | signatures: Executes dropped EXE
      - PID 1820 | image: C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c Wed150ca0ddb4.exe
        - PID 2808 | image: C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed150ca0ddb4.exe | cmdline: Wed150ca0ddb4.exe | signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken
          - PID 4364 | image: C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed150ca0ddb4.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed150ca0ddb4.exe | signatures: Executes dropped EXE
      - PID 2156 | image: C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c Wed15e36a85c94ce.exe
        - PID 3060 | image: C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed15e36a85c94ce.exe | cmdline: Wed15e36a85c94ce.exe | signatures: Executes dropped EXE; Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses
      - PID 3664 | image: C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c Wed15f7625124.exe
        - PID 3684 | image: C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed15f7625124.exe | cmdline: Wed15f7625124.exe | signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
          - PID 4724 | image: C:\Windows\system32\WerFault.exe | cmdline: C:\Windows\system32\WerFault.exe -u -p 3684 -s 2044 | signatures: Program crash; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - PID 1332 | image: C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c Wed156dcbb535.exe
        - PID 3024 | image: C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed156dcbb535.exe | cmdline: Wed156dcbb535.exe | signatures: Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
      - PID 1724 | image: C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c Wed15581b4e451c4f72.exe
        - PID 2924 | image: C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed15581b4e451c4f72.exe | cmdline: Wed15581b4e451c4f72.exe | signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken
          - PID 4380 | image: C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed15581b4e451c4f72.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed15581b4e451c4f72.exe | signatures: Executes dropped EXE
      - PID 4024 | image: C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c Wed15d8c997dfcb85ac.exe
        - PID 3212 | image: C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed15d8c997dfcb85ac.exe | cmdline: Wed15d8c997dfcb85ac.exe | signatures: Executes dropped EXE; Modifies registry class
          - PID 4464 | image: C:\Windows\SysWOW64\control.exe | cmdline: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\nQBIF.cPl",
            - PID 4916 | image: C:\Windows\SysWOW64\rundll32.exe | cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\nQBIF.cPl", | signatures: Loads dropped DLL
              - PID 744 | image: C:\Windows\system32\RunDll32.exe | cmdline: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\nQBIF.cPl",
                - PID 3708 | image: C:\Windows\SysWOW64\rundll32.exe | cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\nQBIF.cPl",
      - PID 980 | image: C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c Wed15cf77e3ddc30.exe
        - PID 412 | image: C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed15cf77e3ddc30.exe | cmdline: Wed15cf77e3ddc30.exe | signatures: Executes dropped EXE
          - PID 4544 | image: C:\Users\Admin\AppData\Local\Temp\11111.exe | cmdline: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt | signatures: Executes dropped EXE
      - PID 1268 | image: C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c Wed150790bf65e4c8f4.exe
      - PID 1068 | image: C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c Wed153b15877dec9.exe
        - PID 3168 | image: C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed153b15877dec9.exe | cmdline: Wed153b15877dec9.exe | signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
          - PID 2792 | image: C:\Windows\SysWOW64\cmd.exe | cmdline: cmd.exe /c taskkill /f /im chrome.exe
            - PID 3508 | image: C:\Windows\SysWOW64\taskkill.exe | cmdline: taskkill /f /im chrome.exe | signatures: Kills process with taskkill
      - PID 2772 | image: C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c Wed1585231a10aabd865.exe
      - PID 2112 | image: C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c Wed15def1e1a6.exe
        - PID 1052 | image: C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed15def1e1a6.exe | cmdline: Wed15def1e1a6.exe | signatures: Executes dropped EXE; Modifies registry class
          - PID 4444 | image: C:\Windows\SysWOW64\control.exe | cmdline: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\PWGKod.Cpl",
            - PID 4896 | image: C:\Windows\SysWOW64\rundll32.exe | cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\PWGKod.Cpl", | signatures: Loads dropped DLL
              - PID 2772 | image: C:\Windows\system32\RunDll32.exe | cmdline: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\PWGKod.Cpl",
                - PID 2216 | image: C:\Windows\SysWOW64\rundll32.exe | cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\PWGKod.Cpl",
      - PID 3560 | image: C:\Windows\SysWOW64\cmd.exe | cmdline: C:\Windows\system32\cmd.exe /c Wed15f5f024996c4fec.exe
        - PID 3816 | image: C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed15f5f024996c4fec.exe | cmdline: Wed15f5f024996c4fec.exe | signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- PID 3036 | image: C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed150790bf65e4c8f4.exe | cmdline: Wed150790bf65e4c8f4.exe | signatures: Executes dropped EXE
  - PID 524 | image: C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed150790bf65e4c8f4.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed150790bf65e4c8f4.exe" -u | signatures: Executes dropped EXE
- PID 2836 | image: C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed1585231a10aabd865.exe | cmdline: Wed1585231a10aabd865.exe | signatures: Executes dropped EXE
  - PID 1448 | image: C:\Windows\SysWOW64\cmd.exe | cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im Wed1585231a10aabd865.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed1585231a10aabd865.exe" & del C:\ProgramData\*.dll & exit
    - PID 3240 | image: C:\Windows\SysWOW64\taskkill.exe | cmdline: taskkill /im Wed1585231a10aabd865.exe /f | signatures: Kills process with taskkill
    - PID 4788 | image: C:\Windows\SysWOW64\timeout.exe | cmdline: timeout /t 6 | signatures: Delays execution with timeout.exe
- PID 3596 | image: C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed15ff85e6fb5cb658.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed15ff85e6fb5cb658.exe" /SILENT | signatures: Executes dropped EXE
  - PID 536 | image: C:\Users\Admin\AppData\Local\Temp\is-35STF.tmp\Wed15ff85e6fb5cb658.tmp | cmdline: "C:\Users\Admin\AppData\Local\Temp\is-35STF.tmp\Wed15ff85e6fb5cb658.tmp" /SL5="$10218,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zSC154B466\Wed15ff85e6fb5cb658.exe" /SILENT | signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory; Suspicious use of FindShellTrayWindow
    - PID 3980 | image: C:\Users\Admin\AppData\Local\Temp\is-2BLP1.tmp\windllhost.exe | cmdline: "C:\Users\Admin\AppData\Local\Temp\is-2BLP1.tmp\windllhost.exe" 77 | signatures: Executes dropped EXE
- PID 2880 | image: C:\Windows\system32\rundll32.exe | cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global | signatures: Process spawned unexpected child process
  - PID 2936 | image: C:\Windows\SysWOW64\rundll32.exe | cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global | signatures: Loads dropped DLL
- PID 4772 | image: C:\Windows\system32\svchost.exe | cmdline: C:\Windows\system32\svchost.exe -k SystemNetworkService