Analysis
max time kernel: 127s
max time network: 154s
platform: windows7_x64
resource: win7-en-20211208
submitted: 23/12/2021, 13:27
Static task: static1
General
Target: 5c416961f6d7c90d805c17130cd7ceb38c76125a38e923bedfc54bc98afd46ba.exe
Size: 6.8MB
MD5: 19a783e43f4d7b841ef4a678b6cab04b
SHA1: 02cda91e2213d13c82ab5cfd0a3c0a56b2cfb3b9
SHA256: 5c416961f6d7c90d805c17130cd7ceb38c76125a38e923bedfc54bc98afd46ba
SHA512: 2cfc3315d04dd045f4d3b5e47300b395118fa7dbf4243a9555087c03feb81650f6c5d5d46ecdc99ab44e42cc3f76827fc9f83e65bc5b789de6aa1e078bf03e04
Malware Config
Extracted: socelars
  C2: http://www.biohazardgraphics.com/
Extracted: vidar
  Version: 49.2
  Botnet: 915
  C2: https://mstdn.social/@kipriauk9
  C2: https://qoto.org/@kipriauk8
  profile_id: 915
Extracted: smokeloader
  Version: 2020
  C2: http://rcacademy.at/upload/
  C2: http://e-lanpengeonline.com/upload/
  C2: http://vjcmvz.cn/upload/
  C2: http://galala.ru/upload/
  C2: http://witra.ru/upload/
Extracted: redline
  Botnet: media22ns
  C2: 65.108.69.168:13293
Extracted: redline
  Botnet: userv1
  C2: 159.69.246.184:13127
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1064 | 2796 | rundll32.exe | 79

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (6 IoCs)
resource | yara_rule
behavioral1/memory/2712-299-0x0000000000419336-mapping.dmp | family_redline
behavioral1/memory/1120-298-0x000000000041932A-mapping.dmp | family_redline
behavioral1/memory/2712-303-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/2712-302-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/1120-306-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/1120-307-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (1 IoC)
resource | yara_rule
behavioral1/files/0x00050000000141ca-128.dat | family_socelars
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
NirSoft WebBrowserPassView (3 IoCs)
Password recovery tool for various web browsers
resource | yara_rule
behavioral1/files/0x000500000001404e-119.dat | WebBrowserPassView
behavioral1/files/0x000500000001404e-179.dat | WebBrowserPassView
behavioral1/memory/2512-242-0x0000000000400000-0x000000000047C000-memory.dmp | WebBrowserPassView

Nirsoft (4 IoCs)
resource | yara_rule
behavioral1/files/0x000500000001404e-119.dat | Nirsoft
behavioral1/files/0x000500000001404e-179.dat | Nirsoft
behavioral1/memory/2296-223-0x0000000000400000-0x0000000000455000-memory.dmp | Nirsoft
behavioral1/memory/2512-242-0x0000000000400000-0x000000000047C000-memory.dmp | Nirsoft

Vidar Stealer (2 IoCs)
resource | yara_rule
behavioral1/memory/524-260-0x0000000000400000-0x00000000008B0000-memory.dmp | family_vidar
behavioral1/memory/524-264-0x00000000002F0000-0x00000000003C5000-memory.dmp | family_vidar

ASPack v2.12-2.42 packer (6 IoCs; heading inferred from the yara rule name aspack_v212_v242, the original heading is missing)
resource | yara_rule
behavioral1/files/0x0006000000013916-71.dat | aspack_v212_v242
behavioral1/files/0x0006000000013916-72.dat | aspack_v212_v242
behavioral1/files/0x000600000001390e-73.dat | aspack_v212_v242
behavioral1/files/0x000600000001390e-74.dat | aspack_v212_v242
behavioral1/files/0x0006000000013943-77.dat | aspack_v212_v242
behavioral1/files/0x0006000000013943-78.dat | aspack_v212_v242
Downloads MZ/PE file

Executes dropped EXE (31 IoCs)
pid Process
608 setup_installer.exe
1372 setup_install.exe
524 Thu0733ed8a825a025a.exe
1336 Thu0758285c76.exe
2008 Thu079294186b.exe
752 Thu07591e8932000a1.exe
748 Thu0785d39bed3127.exe
1740 Thu07d03cbff47c.exe
1648 Thu073b8d0217a8b45b.exe
1308 Thu0786f9df93.exe
1056 Thu0759a981db.exe
1476 Thu0758285c76.exe
1912 Thu0784ab7efb72.exe
1320 Thu0782554cbdd5d.exe
728 Thu07f9ae12c2bc.exe
1556 Thu077e2e75cb9448.exe
1712 Thu0784ab7efb72.exe
1492 Thu07ee83176e465e.exe
2068 Thu0785d39bed3127.tmp
2224 Thu0785d39bed3127.exe
2296 11111.exe
2396 Thu0785d39bed3127.tmp
2512 11111.exe
2956 windllhost.exe
2992 blQ66pELJswltfl0GNf4hI84.exe
972 blQ66pELJswltfl0GNf4hI84.exe
1120 Thu079294186b.exe
2712 Thu077e2e75cb9448.exe
2780 99980a8f-ed84-452c-86f7-6a8dea078e0b.exe
1080 6c7bccc5-ee34-4629-8728-1337835592f9.exe
2624 e887be6a-2a6b-48c4-9207-fb190a7b874c.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\International\Geo\Nation | Thu0782554cbdd5d.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\International\Geo\Nation | Thu07d03cbff47c.exe

Loads dropped DLL (64 IoCs; identical pid/Process rows collapsed, number of rows in parentheses)
pid Process
1752 5c416961f6d7c90d805c17130cd7ceb38c76125a38e923bedfc54bc98afd46ba.exe (1)
608 setup_installer.exe (6)
1372 setup_install.exe (8)
1944 cmd.exe (2)
972 cmd.exe (2)
1496 cmd.exe (2)
524 Thu0733ed8a825a025a.exe (2)
1136 cmd.exe (1)
988 cmd.exe (1)
1336 Thu0758285c76.exe (3)
2008 Thu079294186b.exe (2)
964 cmd.exe (1)
1740 Thu07d03cbff47c.exe (2)
268 cmd.exe (1)
1080 cmd.exe (2)
1736 cmd.exe (1)
1584 cmd.exe (2)
1984 cmd.exe (1)
1308 Thu0786f9df93.exe (2)
1184 cmd.exe (1)
1664 cmd.exe (2)
1476 Thu0758285c76.exe (2)
1912 Thu0784ab7efb72.exe (3)
1320 Thu0782554cbdd5d.exe (2)
1556 Thu077e2e75cb9448.exe (2)
1712 Thu0784ab7efb72.exe (2)
856 cmd.exe (1)
1492 Thu07ee83176e465e.exe (2)
728 Thu07f9ae12c2bc.exe (2)
748 Thu0785d39bed3127.exe (3)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
22 | ip-api.com
55 | ipinfo.io
56 | ipinfo.io
57 | ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid Process
1080 6c7bccc5-ee34-4629-8728-1337835592f9.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 1912 set thread context of 1712 | 1912 | Thu0784ab7efb72.exe | 62
PID 2008 set thread context of 1120 | 2008 | Thu079294186b.exe | 91
PID 1556 set thread context of 2712 | 1556 | Thu077e2e75cb9448.exe | 90

Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\FarLabUninstaller\unins000.dat | Thu0785d39bed3127.tmp
File created | C:\Program Files (x86)\FarLabUninstaller\unins000.dat | Thu0785d39bed3127.tmp
File created | C:\Program Files (x86)\FarLabUninstaller\is-01HG2.tmp | Thu0785d39bed3127.tmp

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
2188 | 1320 | WerFault.exe | 58
2756 | 1740 | WerFault.exe | 50

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Thu0786f9df93.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Thu0786f9df93.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Thu0786f9df93.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Thu0733ed8a825a025a.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Thu0733ed8a825a025a.exe
Delays execution with timeout.exe (1 IoC)
pid Process
2804 timeout.exe

Kills process with taskkill (3 IoCs)
pid Process
2428 taskkill.exe
2744 taskkill.exe
2436 taskkill.exe

Modifies system certificate store (2 IoCs; heading missing in the original and restored from the process tree, where PID 728 Thu07f9ae12c2bc.exe carries this signature)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | Thu07f9ae12c2bc.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (blob data not reproduced in this report) | Thu07f9ae12c2bc.exe

Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 19 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (64 IoCs; identical pid/Process rows collapsed, number of rows in parentheses)
pid Process
2512 11111.exe (1)
1740 Thu07d03cbff47c.exe (31)
1320 Thu0782554cbdd5d.exe (32)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid Process
2956 windllhost.exe

Suspicious behavior: MapViewOfSection (1 IoC)
pid Process
1308 Thu0786f9df93.exe

Suspicious use of AdjustPrivilegeToken (47 IoCs)
description | pid | Process
Token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35 (34 rows, one per token) | 728 | Thu07f9ae12c2bc.exe
Token: SeDebugPrivilege | 2428 | taskkill.exe
Token: SeDebugPrivilege | 2744 | taskkill.exe
Token: SeDebugPrivilege | 1556 | Thu077e2e75cb9448.exe
Token: SeDebugPrivilege | 2008 | Thu079294186b.exe
Token: SeDebugPrivilege | 2756 | WerFault.exe
Token: SeDebugPrivilege | 2188 | WerFault.exe
Token: SeDebugPrivilege | 1648 | Thu073b8d0217a8b45b.exe
Token: SeDebugPrivilege | 752 | Thu07591e8932000a1.exe
Token: SeShutdownPrivilege | 1400 | Process not Found
Token: SeShutdownPrivilege | 1400 | Process not Found
Token: SeDebugPrivilege | 1752 | powershell.exe
Token: SeDebugPrivilege | 2624 | e887be6a-2a6b-48c4-9207-fb190a7b874c.exe
Token: SeShutdownPrivilege | 1400 | Process not Found

Suspicious use of FindShellTrayWindow (1 IoC)
pid Process
2396 Thu0785d39bed3127.tmp

Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, number of rows in parentheses)
description | pid | Process | procid_target
PID 1752 wrote to memory of 608 | 1752 | 5c416961f6d7c90d805c17130cd7ceb38c76125a38e923bedfc54bc98afd46ba.exe | 27 (7)
PID 608 wrote to memory of 1372 | 608 | setup_installer.exe | 28 (7)
PID 1372 wrote to memory of 1868 | 1372 | setup_install.exe | 31 (7)
PID 1372 wrote to memory of 1920 | 1372 | setup_install.exe | 30 (7)
PID 1372 wrote to memory of 1496 | 1372 | setup_install.exe | 33 (7)
PID 1372 wrote to memory of 988 | 1372 | setup_install.exe | 32 (7)
PID 1372 wrote to memory of 1136 | 1372 | setup_install.exe | 34 (7)
PID 1372 wrote to memory of 972 | 1372 | setup_install.exe | 35 (7)
PID 1372 wrote to memory of 1944 | 1372 | setup_install.exe | 36 (7)
PID 1372 wrote to memory of 1736 | 1372 | setup_install.exe | 37 (1)
Processes
(Tree depth is given in brackets; each entry lists the image path, the command line, the signatures it triggered, and its PID.)

[1] C:\Users\Admin\AppData\Local\Temp\5c416961f6d7c90d805c17130cd7ceb38c76125a38e923bedfc54bc98afd46ba.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\5c416961f6d7c90d805c17130cd7ceb38c76125a38e923bedfc54bc98afd46ba.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1752
  [2] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 608
    [3] C:\Users\Admin\AppData\Local\Temp\7zS06274F16\setup_install.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS06274F16\setup_install.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 1372
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          PID: 1920
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            - Suspicious use of AdjustPrivilegeToken
            PID: 1752
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          PID: 1868
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Thu0785d39bed3127.exe
          - Loads dropped DLL
          PID: 988
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06274F16\Thu0785d39bed3127.exe
            cmdline: Thu0785d39bed3127.exe
            - Executes dropped EXE
            - Loads dropped DLL
            PID: 748
          [6] C:\Users\Admin\AppData\Local\Temp\is-07CF2.tmp\Thu0785d39bed3127.tmp
              cmdline: "C:\Users\Admin\AppData\Local\Temp\is-07CF2.tmp\Thu0785d39bed3127.tmp" /SL5="$20158,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS06274F16\Thu0785d39bed3127.exe"
              - Executes dropped EXE
              PID: 2068
            [7] C:\Users\Admin\AppData\Local\Temp\7zS06274F16\Thu0785d39bed3127.exe
                cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS06274F16\Thu0785d39bed3127.exe" /SILENT
                - Executes dropped EXE
                PID: 2224
              [8] C:\Users\Admin\AppData\Local\Temp\is-3V9SG.tmp\Thu0785d39bed3127.tmp
                  cmdline: "C:\Users\Admin\AppData\Local\Temp\is-3V9SG.tmp\Thu0785d39bed3127.tmp" /SL5="$20170,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS06274F16\Thu0785d39bed3127.exe" /SILENT
                  - Executes dropped EXE
                  - Drops file in Program Files directory
                  - Suspicious use of FindShellTrayWindow
                  PID: 2396
                [9] C:\Users\Admin\AppData\Local\Temp\is-MSB9V.tmp\windllhost.exe
                    cmdline: "C:\Users\Admin\AppData\Local\Temp\is-MSB9V.tmp\windllhost.exe" 77
                    - Executes dropped EXE
                    - Suspicious behavior: GetForegroundWindowSpam
                    PID: 2956
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Thu079294186b.exe
          - Loads dropped DLL
          PID: 1496
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06274F16\Thu079294186b.exe
            cmdline: Thu079294186b.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            PID: 2008
          [6] C:\Users\Admin\AppData\Local\Temp\7zS06274F16\Thu079294186b.exe
              cmdline: C:\Users\Admin\AppData\Local\Temp\7zS06274F16\Thu079294186b.exe
              - Executes dropped EXE
              PID: 1120
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Thu07591e8932000a1.exe
          - Loads dropped DLL
          PID: 1136
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06274F16\Thu07591e8932000a1.exe
            cmdline: Thu07591e8932000a1.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            PID: 752
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Thu0758285c76.exe
          - Loads dropped DLL
          PID: 972
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06274F16\Thu0758285c76.exe
            cmdline: Thu0758285c76.exe
            - Executes dropped EXE
            - Loads dropped DLL
            PID: 1336
          [6] C:\Users\Admin\AppData\Local\Temp\7zS06274F16\Thu0758285c76.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS06274F16\Thu0758285c76.exe" -u
              - Executes dropped EXE
              - Loads dropped DLL
              PID: 1476
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Thu0733ed8a825a025a.exe
          - Loads dropped DLL
          PID: 1944
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06274F16\Thu0733ed8a825a025a.exe
            cmdline: Thu0733ed8a825a025a.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks processor information in registry
            PID: 524
          [6] C:\Windows\SysWOW64\cmd.exe
              cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im Thu0733ed8a825a025a.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS06274F16\Thu0733ed8a825a025a.exe" & del C:\ProgramData\*.dll & exit
              PID: 2564
            [7] C:\Windows\SysWOW64\taskkill.exe
                cmdline: taskkill /im Thu0733ed8a825a025a.exe /f
                - Kills process with taskkill
                PID: 2436
            [7] C:\Windows\SysWOW64\timeout.exe
                cmdline: timeout /t 6
                - Delays execution with timeout.exe
                PID: 2804
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Thu0759a981db.exe
          - Loads dropped DLL
          PID: 1736
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06274F16\Thu0759a981db.exe
            cmdline: Thu0759a981db.exe
            - Executes dropped EXE
            PID: 1056
          [6] C:\Users\Admin\AppData\Local\Temp\11111.exe
              cmdline: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              - Executes dropped EXE
              PID: 2296
          [6] C:\Users\Admin\AppData\Local\Temp\11111.exe
              cmdline: C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              PID: 2512
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Thu0730ece8e29065b7.exe
          PID: 360
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Thu07f9ae12c2bc.exe
          - Loads dropped DLL
          PID: 1184
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06274F16\Thu07f9ae12c2bc.exe
            cmdline: Thu07f9ae12c2bc.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies system certificate store
            - Suspicious use of AdjustPrivilegeToken
            PID: 728
          [6] C:\Windows\SysWOW64\cmd.exe
              cmdline: cmd.exe /c taskkill /f /im chrome.exe
              PID: 2684
            [7] C:\Windows\SysWOW64\taskkill.exe
                cmdline: taskkill /f /im chrome.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
                PID: 2744
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Thu0786f9df93.exe
          - Loads dropped DLL
          PID: 1080
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06274F16\Thu0786f9df93.exe
            cmdline: Thu0786f9df93.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks SCSI registry key(s)
            - Suspicious behavior: MapViewOfSection
            PID: 1308
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Thu07d03cbff47c.exe
          - Loads dropped DLL
          PID: 964
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06274F16\Thu07d03cbff47c.exe
            cmdline: Thu07d03cbff47c.exe
            - Executes dropped EXE
            - Checks computer location settings
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
            PID: 1740
          [6] C:\Users\Admin\Pictures\Adobe Films\blQ66pELJswltfl0GNf4hI84.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\blQ66pELJswltfl0GNf4hI84.exe"
              - Executes dropped EXE
              PID: 972
          [6] C:\Windows\SysWOW64\WerFault.exe
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 956
              - Program crash
              - Suspicious use of AdjustPrivilegeToken
              PID: 2756
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Thu0784ab7efb72.exe /mixtwo
          - Loads dropped DLL
          PID: 1584
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06274F16\Thu0784ab7efb72.exe
            cmdline: Thu0784ab7efb72.exe /mixtwo
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            PID: 1912
          [6] C:\Users\Admin\AppData\Local\Temp\7zS06274F16\Thu0784ab7efb72.exe
              cmdline: Thu0784ab7efb72.exe /mixtwo
              - Executes dropped EXE
              - Loads dropped DLL
              PID: 1712
            [7] C:\Windows\SysWOW64\cmd.exe
                cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "Thu0784ab7efb72.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS06274F16\Thu0784ab7efb72.exe" & exit
                PID: 2344
              [8] C:\Windows\SysWOW64\taskkill.exe
                  cmdline: taskkill /im "Thu0784ab7efb72.exe" /f
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 2428
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Thu073b8d0217a8b45b.exe
          - Loads dropped DLL
          PID: 268
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06274F16\Thu073b8d0217a8b45b.exe
            cmdline: Thu073b8d0217a8b45b.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            PID: 1648
          [6] C:\Users\Admin\AppData\Local\99980a8f-ed84-452c-86f7-6a8dea078e0b.exe
              cmdline: "C:\Users\Admin\AppData\Local\99980a8f-ed84-452c-86f7-6a8dea078e0b.exe"
              - Executes dropped EXE
              PID: 2780
          [6] C:\Users\Admin\AppData\Local\6c7bccc5-ee34-4629-8728-1337835592f9.exe
              cmdline: "C:\Users\Admin\AppData\Local\6c7bccc5-ee34-4629-8728-1337835592f9.exe"
              - Executes dropped EXE
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              PID: 1080
          [6] C:\Users\Admin\AppData\Local\e887be6a-2a6b-48c4-9207-fb190a7b874c.exe
              cmdline: "C:\Users\Admin\AppData\Local\e887be6a-2a6b-48c4-9207-fb190a7b874c.exe"
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
              PID: 2624
            [7] C:\Users\Admin\AppData\Roaming\8391341.exe
                cmdline: "C:\Users\Admin\AppData\Roaming\8391341.exe"
                PID: 1940
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Thu0782554cbdd5d.exe
          - Loads dropped DLL
          PID: 1984
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06274F16\Thu0782554cbdd5d.exe
            cmdline: Thu0782554cbdd5d.exe
            - Executes dropped EXE
            - Checks computer location settings
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
            PID: 1320
          [6] C:\Users\Admin\Pictures\Adobe Films\blQ66pELJswltfl0GNf4hI84.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\blQ66pELJswltfl0GNf4hI84.exe"
              - Executes dropped EXE
              PID: 2992
          [6] C:\Windows\SysWOW64\WerFault.exe
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 1520
              - Program crash
              - Suspicious use of AdjustPrivilegeToken
              PID: 2188
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Thu077e2e75cb9448.exe
          - Loads dropped DLL
          PID: 1664
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06274F16\Thu077e2e75cb9448.exe
            cmdline: Thu077e2e75cb9448.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            PID: 1556
          [6] C:\Users\Admin\AppData\Local\Temp\7zS06274F16\Thu077e2e75cb9448.exe
              cmdline: C:\Users\Admin\AppData\Local\Temp\7zS06274F16\Thu077e2e75cb9448.exe
              - Executes dropped EXE
              PID: 2712
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Thu07ee83176e465e.exe
          - Loads dropped DLL
          PID: 856
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06274F16\Thu07ee83176e465e.exe
            cmdline: Thu07ee83176e465e.exe
            - Executes dropped EXE
            - Loads dropped DLL
            PID: 1492
          [6] C:\Windows\SysWOW64\control.exe
              cmdline: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\2qmCD.Cpl",
              PID: 2468
            [7] C:\Windows\SysWOW64\rundll32.exe
                cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\2qmCD.Cpl",
                PID: 2536
              [8] C:\Windows\system32\RunDll32.exe
                  cmdline: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\2qmCD.Cpl",
                  PID: 2348
                [9] C:\Windows\SysWOW64\rundll32.exe
                    cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\2qmCD.Cpl",
                    PID: 1580

[1] C:\Windows\system32\rundll32.exe
    cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Process spawned unexpected child process
    PID: 1064
  [2] C:\Windows\SysWOW64\rundll32.exe
      cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
      PID: 2408

[1] C:\Windows\system32\taskeng.exe
    cmdline: taskeng.exe {838B6897-0EF6-40C3-9677-02F467FA09A7} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
    PID: 2368
  [2] C:\Users\Admin\AppData\Roaming\hjivdau
      cmdline: C:\Users\Admin\AppData\Roaming\hjivdau
      PID: 2716