Analysis
max time kernel: 120s
max time network: 163s
platform: windows7_x64
resource: win7-en-20211208
submitted: 23/12/2021, 13:27
Static task: static1
Behavioral task: behavioral1
Sample: aebeca559ddde3cc0998baef4584576e5aa0b58e83fb7da2f09000903a9aee76.exe
Resource: win7-en-20211208
General
Target: aebeca559ddde3cc0998baef4584576e5aa0b58e83fb7da2f09000903a9aee76.exe
Size: 6.8MB
MD5: 7b200c631a4f583512c5db045ad7cef1
SHA1: 9cb736b3de4fbc37cebe0b500938260aa65804fe
SHA256: aebeca559ddde3cc0998baef4584576e5aa0b58e83fb7da2f09000903a9aee76
SHA512: 7aec7bace45d945d1ffee0cd43c6a72e2802597c53c05e89d85122cde55efb26b0f4b547e1ebb79234dc6d25f3c95e1f445cd692a9669831a1f5b408af0c18f4
Malware Config
Extracted
Family: socelars
C2: http://www.biohazardgraphics.com/
Extracted
Family: vidar
Version: 49.2
Botnet: 915
C2: https://mstdn.social/@kipriauk9
C2: https://qoto.org/@kipriauk8
Attributes:
profile_id: 915
Extracted
Family: smokeloader
Version: 2020
C2: http://rcacademy.at/upload/
C2: http://e-lanpengeonline.com/upload/
C2: http://vjcmvz.cn/upload/
C2: http://galala.ru/upload/
C2: http://witra.ru/upload/
Signatures
SmokeLoader
Modular backdoor trojan in use since 2014.
Socelars Payload 3 IoCs
resource  yara_rule
behavioral1/files/0x0006000000012634-102.dat  family_socelars
behavioral1/files/0x0006000000012634-168.dat  family_socelars
behavioral1/files/0x0006000000012634-180.dat  family_socelars
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
resource  yara_rule
behavioral1/files/0x000700000001226a-106.dat  WebBrowserPassView
behavioral1/memory/908-226-0x0000000000400000-0x000000000047C000-memory.dmp  WebBrowserPassView
Nirsoft 3 IoCs
resource  yara_rule
behavioral1/files/0x000700000001226a-106.dat  Nirsoft
behavioral1/memory/1720-215-0x0000000000400000-0x0000000000455000-memory.dmp  Nirsoft
behavioral1/memory/908-226-0x0000000000400000-0x000000000047C000-memory.dmp  Nirsoft
Vidar Stealer 2 IoCs
resource  yara_rule
behavioral1/memory/1648-241-0x00000000008B0000-0x0000000000985000-memory.dmp  family_vidar
behavioral1/memory/1648-243-0x0000000000400000-0x00000000008B0000-memory.dmp  family_vidar
resource  yara_rule
behavioral1/files/0x000700000001220f-71.dat  aspack_v212_v242
behavioral1/files/0x000700000001220f-72.dat  aspack_v212_v242
behavioral1/files/0x000700000001220d-73.dat  aspack_v212_v242
behavioral1/files/0x000700000001220d-74.dat  aspack_v212_v242
behavioral1/files/0x0007000000012217-77.dat  aspack_v212_v242
behavioral1/files/0x0007000000012217-78.dat  aspack_v212_v242
Downloads MZ/PE file
Executes dropped EXE 25 IoCs
pid  Process
268  setup_installer.exe
564  setup_install.exe
960  Thu07e2ee365cd9.exe
1620  Thu072ac486e47.exe
748  Thu070ade39f9c1e6.exe
1676  Thu07f434e4f491.exe
1244  Thu07c2bf31cdafcbbb.exe
1148  Thu078e2e9500b3bdb.exe
1408  Thu07f9ee4cf36.exe
1484  Thu0727000b31e.exe
1648  Thu07ca8ec888048d3.exe
1604  Thu07b10fe2f6c9.exe
1644  Thu07749493846.exe
1660  Thu07670ce8a39e7.exe
1724  Thu0711d68c32.exe
1052  Thu07d52de194fe54.exe
1076  Thu0711d68c32.exe
1740  Thu078e2e9500b3bdb.tmp
1720  11111.exe
1636  Thu078e2e9500b3bdb.exe
908  11111.exe
1168  Thu078e2e9500b3bdb.tmp
2912  windllhost.exe
2996  tgw_GfNPQ0lW_uEDib13Wi90.exe
3024  qBNKXK6sKa7psO71_GxmJ7wf.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\International\Geo\Nation  Thu07c2bf31cdafcbbb.exe
Key value queried  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\International\Geo\Nation  Thu07e2ee365cd9.exe
Loads dropped DLL 64 IoCs
pid  Process
960  aebeca559ddde3cc0998baef4584576e5aa0b58e83fb7da2f09000903a9aee76.exe
268  setup_installer.exe
268  setup_installer.exe
268  setup_installer.exe
268  setup_installer.exe
268  setup_installer.exe
268  setup_installer.exe
564  setup_install.exe
564  setup_install.exe
564  setup_install.exe
564  setup_install.exe
564  setup_install.exe
564  setup_install.exe
564  setup_install.exe
564  setup_install.exe
2000  cmd.exe
2000  cmd.exe
1768  cmd.exe
1684  cmd.exe
1684  cmd.exe
1504  cmd.exe
960  Thu07e2ee365cd9.exe
960  Thu07e2ee365cd9.exe
1160  cmd.exe
1892  cmd.exe
1136  cmd.exe
1244  Thu07c2bf31cdafcbbb.exe
1244  Thu07c2bf31cdafcbbb.exe
1764  cmd.exe
1764  cmd.exe
1748  cmd.exe
2032  cmd.exe
1532  cmd.exe
2032  cmd.exe
1328  cmd.exe
1548  cmd.exe
1548  cmd.exe
1240  cmd.exe
1724  Thu0711d68c32.exe
1724  Thu0711d68c32.exe
1660  Thu07670ce8a39e7.exe
1660  Thu07670ce8a39e7.exe
1724  Thu0711d68c32.exe
1604  Thu07b10fe2f6c9.exe
1604  Thu07b10fe2f6c9.exe
1648  Thu07ca8ec888048d3.exe
1648  Thu07ca8ec888048d3.exe
1408  Thu07f9ee4cf36.exe
1408  Thu07f9ee4cf36.exe
1076  Thu0711d68c32.exe
1076  Thu0711d68c32.exe
1148  Thu078e2e9500b3bdb.exe
1148  Thu078e2e9500b3bdb.exe
1148  Thu078e2e9500b3bdb.exe
1720  11111.exe
1720  11111.exe
1740  Thu078e2e9500b3bdb.tmp
1740  Thu078e2e9500b3bdb.tmp
1636  Thu078e2e9500b3bdb.exe
1636  Thu078e2e9500b3bdb.exe
1636  Thu078e2e9500b3bdb.exe
908  11111.exe
908  11111.exe
1168  Thu078e2e9500b3bdb.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
60  ipinfo.io
8  ip-api.com
57  ipinfo.io
58  ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext 1 IoCs
description  pid  Process  procid_target
PID 1724 set thread context of 1076  1724  Thu0711d68c32.exe  63
Drops file in Program Files directory 3 IoCs
description  ioc  Process
File created  C:\Program Files (x86)\FarLabUninstaller\is-S81B4.tmp  Thu078e2e9500b3bdb.tmp
File opened for modification  C:\Program Files (x86)\FarLabUninstaller\unins000.dat  Thu078e2e9500b3bdb.tmp
File created  C:\Program Files (x86)\FarLabUninstaller\unins000.dat  Thu078e2e9500b3bdb.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 3 IoCs
pid  pid_target  Process  procid_target
2360  1408  WerFault.exe  53
2260  960  WerFault.exe  50
820  1244  WerFault.exe  51
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Thu07b10fe2f6c9.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Thu07b10fe2f6c9.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Thu07b10fe2f6c9.exe
Kills process with taskkill 1 IoCs
pid  Process
2328  taskkill.exe
Modifies system certificate store 2 IoCs
description  ioc  Process
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [binary blob value omitted]  Thu07f9ee4cf36.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436  Thu07f9ee4cf36.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process
1604  Thu07b10fe2f6c9.exe
1604  Thu07b10fe2f6c9.exe
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
2360  WerFault.exe
2360  WerFault.exe
2360  WerFault.exe
2360  WerFault.exe
2360  WerFault.exe
2360  WerFault.exe
2360  WerFault.exe
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
1412  Process not Found
Suspicious behavior: MapViewOfSection 1 IoCs
pid  Process
1604  Thu07b10fe2f6c9.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs
description  pid  Process
Token: SeCreateTokenPrivilege  1408  Thu07f9ee4cf36.exe
Token: SeAssignPrimaryTokenPrivilege  1408  Thu07f9ee4cf36.exe
Token: SeLockMemoryPrivilege  1408  Thu07f9ee4cf36.exe
Token: SeIncreaseQuotaPrivilege  1408  Thu07f9ee4cf36.exe
Token: SeMachineAccountPrivilege  1408  Thu07f9ee4cf36.exe
Token: SeTcbPrivilege  1408  Thu07f9ee4cf36.exe
Token: SeSecurityPrivilege  1408  Thu07f9ee4cf36.exe
Token: SeTakeOwnershipPrivilege  1408  Thu07f9ee4cf36.exe
Token: SeLoadDriverPrivilege  1408  Thu07f9ee4cf36.exe
Token: SeSystemProfilePrivilege  1408  Thu07f9ee4cf36.exe
Token: SeSystemtimePrivilege  1408  Thu07f9ee4cf36.exe
Token: SeProfSingleProcessPrivilege  1408  Thu07f9ee4cf36.exe
Token: SeIncBasePriorityPrivilege  1408  Thu07f9ee4cf36.exe
Token: SeCreatePagefilePrivilege  1408  Thu07f9ee4cf36.exe
Token: SeCreatePermanentPrivilege  1408  Thu07f9ee4cf36.exe
Token: SeBackupPrivilege  1408  Thu07f9ee4cf36.exe
Token: SeRestorePrivilege  1408  Thu07f9ee4cf36.exe
Token: SeShutdownPrivilege  1408  Thu07f9ee4cf36.exe
Token: SeDebugPrivilege  1408  Thu07f9ee4cf36.exe
Token: SeAuditPrivilege  1408  Thu07f9ee4cf36.exe
Token: SeSystemEnvironmentPrivilege  1408  Thu07f9ee4cf36.exe
Token: SeChangeNotifyPrivilege  1408  Thu07f9ee4cf36.exe
Token: SeRemoteShutdownPrivilege  1408  Thu07f9ee4cf36.exe
Token: SeUndockPrivilege  1408  Thu07f9ee4cf36.exe
Token: SeSyncAgentPrivilege  1408  Thu07f9ee4cf36.exe
Token: SeEnableDelegationPrivilege  1408  Thu07f9ee4cf36.exe
Token: SeManageVolumePrivilege  1408  Thu07f9ee4cf36.exe
Token: SeImpersonatePrivilege  1408  Thu07f9ee4cf36.exe
Token: SeCreateGlobalPrivilege  1408  Thu07f9ee4cf36.exe
Token: 31  1408  Thu07f9ee4cf36.exe
Token: 32  1408  Thu07f9ee4cf36.exe
Token: 33  1408  Thu07f9ee4cf36.exe
Token: 34  1408  Thu07f9ee4cf36.exe
Token: 35  1408  Thu07f9ee4cf36.exe
Token: SeDebugPrivilege  2328  taskkill.exe
Token: SeDebugPrivilege  2360  WerFault.exe
Token: SeDebugPrivilege  1916  powershell.exe
Token: SeDebugPrivilege  1896  powershell.exe
Token: SeShutdownPrivilege  1412  Process not Found
Token: SeShutdownPrivilege  1412  Process not Found
Token: SeShutdownPrivilege  1412  Process not Found
Token: SeShutdownPrivilege  1412  Process not Found
Token: SeShutdownPrivilege  1412  Process not Found
Token: SeDebugPrivilege  1676  Thu07f434e4f491.exe
Token: SeShutdownPrivilege  1412  Process not Found
Token: SeDebugPrivilege  2260  WerFault.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid  Process
1168  Thu078e2e9500b3bdb.tmp
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 960 wrote to memory of 268  960  aebeca559ddde3cc0998baef4584576e5aa0b58e83fb7da2f09000903a9aee76.exe  27
PID 960 wrote to memory of 268  960  aebeca559ddde3cc0998baef4584576e5aa0b58e83fb7da2f09000903a9aee76.exe  27
PID 960 wrote to memory of 268  960  aebeca559ddde3cc0998baef4584576e5aa0b58e83fb7da2f09000903a9aee76.exe  27
PID 960 wrote to memory of 268  960  aebeca559ddde3cc0998baef4584576e5aa0b58e83fb7da2f09000903a9aee76.exe  27
PID 960 wrote to memory of 268  960  aebeca559ddde3cc0998baef4584576e5aa0b58e83fb7da2f09000903a9aee76.exe  27
PID 960 wrote to memory of 268  960  aebeca559ddde3cc0998baef4584576e5aa0b58e83fb7da2f09000903a9aee76.exe  27
PID 960 wrote to memory of 268  960  aebeca559ddde3cc0998baef4584576e5aa0b58e83fb7da2f09000903a9aee76.exe  27
PID 268 wrote to memory of 564  268  setup_installer.exe  28
PID 268 wrote to memory of 564  268  setup_installer.exe  28
PID 268 wrote to memory of 564  268  setup_installer.exe  28
PID 268 wrote to memory of 564  268  setup_installer.exe  28
PID 268 wrote to memory of 564  268  setup_installer.exe  28
PID 268 wrote to memory of 564  268  setup_installer.exe  28
PID 268 wrote to memory of 564  268  setup_installer.exe  28
PID 564 wrote to memory of 1708  564  setup_install.exe  30
PID 564 wrote to memory of 1708  564  setup_install.exe  30
PID 564 wrote to memory of 1708  564  setup_install.exe  30
PID 564 wrote to memory of 1708  564  setup_install.exe  30
PID 564 wrote to memory of 1708  564  setup_install.exe  30
PID 564 wrote to memory of 1708  564  setup_install.exe  30
PID 564 wrote to memory of 1708  564  setup_install.exe  30
PID 564 wrote to memory of 1516  564  setup_install.exe  31
PID 564 wrote to memory of 1516  564  setup_install.exe  31
PID 564 wrote to memory of 1516  564  setup_install.exe  31
PID 564 wrote to memory of 1516  564  setup_install.exe  31
PID 564 wrote to memory of 1516  564  setup_install.exe  31
PID 564 wrote to memory of 1516  564  setup_install.exe  31
PID 564 wrote to memory of 1516  564  setup_install.exe  31
PID 564 wrote to memory of 1892  564  setup_install.exe  32
PID 564 wrote to memory of 1892  564  setup_install.exe  32
PID 564 wrote to memory of 1892  564  setup_install.exe  32
PID 564 wrote to memory of 1892  564  setup_install.exe  32
PID 564 wrote to memory of 1892  564  setup_install.exe  32
PID 564 wrote to memory of 1892  564  setup_install.exe  32
PID 564 wrote to memory of 1892  564  setup_install.exe  32
PID 564 wrote to memory of 1504  564  setup_install.exe  33
PID 564 wrote to memory of 1504  564  setup_install.exe  33
PID 564 wrote to memory of 1504  564  setup_install.exe  33
PID 564 wrote to memory of 1504  564  setup_install.exe  33
PID 564 wrote to memory of 1504  564  setup_install.exe  33
PID 564 wrote to memory of 1504  564  setup_install.exe  33
PID 564 wrote to memory of 1504  564  setup_install.exe  33
PID 564 wrote to memory of 1532  564  setup_install.exe  34
PID 564 wrote to memory of 1532  564  setup_install.exe  34
PID 564 wrote to memory of 1532  564  setup_install.exe  34
PID 564 wrote to memory of 1532  564  setup_install.exe  34
PID 564 wrote to memory of 1532  564  setup_install.exe  34
PID 564 wrote to memory of 1532  564  setup_install.exe  34
PID 564 wrote to memory of 1532  564  setup_install.exe  34
PID 564 wrote to memory of 1136  564  setup_install.exe  35
PID 564 wrote to memory of 1136  564  setup_install.exe  35
PID 564 wrote to memory of 1136  564  setup_install.exe  35
PID 564 wrote to memory of 1136  564  setup_install.exe  35
PID 564 wrote to memory of 1136  564  setup_install.exe  35
PID 564 wrote to memory of 1136  564  setup_install.exe  35
PID 564 wrote to memory of 1136  564  setup_install.exe  35
PID 564 wrote to memory of 1160  564  setup_install.exe  36
PID 564 wrote to memory of 1160  564  setup_install.exe  36
PID 564 wrote to memory of 1160  564  setup_install.exe  36
PID 564 wrote to memory of 1160  564  setup_install.exe  36
PID 564 wrote to memory of 1160  564  setup_install.exe  36
PID 564 wrote to memory of 1160  564  setup_install.exe  36
PID 564 wrote to memory of 1160  564  setup_install.exe  36
PID 564 wrote to memory of 1684  564  setup_install.exe  37
Processes (process-tree nesting depth in brackets)
[1] C:\Users\Admin\AppData\Local\Temp\aebeca559ddde3cc0998baef4584576e5aa0b58e83fb7da2f09000903a9aee76.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\aebeca559ddde3cc0998baef4584576e5aa0b58e83fb7da2f09000903a9aee76.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 960
  [2] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 268
    [3] C:\Users\Admin\AppData\Local\Temp\7zSC013EF06\setup_install.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zSC013EF06\setup_install.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 564
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          PID: 1708
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            - Suspicious use of AdjustPrivilegeToken
            PID: 1916
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          PID: 1516
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            - Suspicious use of AdjustPrivilegeToken
            PID: 1896
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu07f9ee4cf36.exe
          - Loads dropped DLL
          PID: 1892
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC013EF06\Thu07f9ee4cf36.exe
            Command line: Thu07f9ee4cf36.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies system certificate store
            - Suspicious use of AdjustPrivilegeToken
            PID: 1408
          [6] C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 1444
              - Program crash
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 2360
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu07e2ee365cd9.exe
          - Loads dropped DLL
          PID: 1504
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC013EF06\Thu07e2ee365cd9.exe
            Command line: Thu07e2ee365cd9.exe
            - Executes dropped EXE
            - Checks computer location settings
            - Loads dropped DLL
            PID: 960
          [6] C:\Users\Admin\Pictures\Adobe Films\tgw_GfNPQ0lW_uEDib13Wi90.exe
              Command line: "C:\Users\Admin\Pictures\Adobe Films\tgw_GfNPQ0lW_uEDib13Wi90.exe"
              - Executes dropped EXE
              PID: 2996
          [6] C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 960 -s 1556
              - Program crash
              - Suspicious use of AdjustPrivilegeToken
              PID: 2260
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu07749493846.exe
          - Loads dropped DLL
          PID: 1532
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC013EF06\Thu07749493846.exe
            Command line: Thu07749493846.exe
            - Executes dropped EXE
            PID: 1644
          [6] C:\Users\Admin\AppData\Local\Temp\11111.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              - Executes dropped EXE
              - Loads dropped DLL
              PID: 1720
          [6] C:\Users\Admin\AppData\Local\Temp\11111.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              - Executes dropped EXE
              - Loads dropped DLL
              PID: 908
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu078e2e9500b3bdb.exe
          - Loads dropped DLL
          PID: 1136
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC013EF06\Thu078e2e9500b3bdb.exe
            Command line: Thu078e2e9500b3bdb.exe
            - Executes dropped EXE
            - Loads dropped DLL
            PID: 1148
          [6] C:\Users\Admin\AppData\Local\Temp\is-GRNBM.tmp\Thu078e2e9500b3bdb.tmp
              Command line: "C:\Users\Admin\AppData\Local\Temp\is-GRNBM.tmp\Thu078e2e9500b3bdb.tmp" /SL5="$5011A,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zSC013EF06\Thu078e2e9500b3bdb.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              PID: 1740
            [7] C:\Users\Admin\AppData\Local\Temp\7zSC013EF06\Thu078e2e9500b3bdb.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\7zSC013EF06\Thu078e2e9500b3bdb.exe" /SILENT
                - Executes dropped EXE
                - Loads dropped DLL
                PID: 1636
              [8] C:\Users\Admin\AppData\Local\Temp\is-GTV41.tmp\Thu078e2e9500b3bdb.tmp
                  Command line: "C:\Users\Admin\AppData\Local\Temp\is-GTV41.tmp\Thu078e2e9500b3bdb.tmp" /SL5="$6011A,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zSC013EF06\Thu078e2e9500b3bdb.exe" /SILENT
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Drops file in Program Files directory
                  - Suspicious use of FindShellTrayWindow
                  PID: 1168
                [9] C:\Users\Admin\AppData\Local\Temp\is-U04E8.tmp\windllhost.exe
                    Command line: "C:\Users\Admin\AppData\Local\Temp\is-U04E8.tmp\windllhost.exe" 77
                    - Executes dropped EXE
                    PID: 2912
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu07c2bf31cdafcbbb.exe
          - Loads dropped DLL
          PID: 1160
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC013EF06\Thu07c2bf31cdafcbbb.exe
            Command line: Thu07c2bf31cdafcbbb.exe
            - Executes dropped EXE
            - Checks computer location settings
            - Loads dropped DLL
            PID: 1244
          [6] C:\Users\Admin\Pictures\Adobe Films\qBNKXK6sKa7psO71_GxmJ7wf.exe
              Command line: "C:\Users\Admin\Pictures\Adobe Films\qBNKXK6sKa7psO71_GxmJ7wf.exe"
              - Executes dropped EXE
              PID: 3024
          [6] C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 1496
              - Program crash
              PID: 820
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu070ade39f9c1e6.exe
          - Loads dropped DLL
          PID: 1684
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC013EF06\Thu070ade39f9c1e6.exe
            Command line: Thu070ade39f9c1e6.exe
            - Executes dropped EXE
            PID: 748
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu07ca8ec888048d3.exe
          - Loads dropped DLL
          PID: 1764
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC013EF06\Thu07ca8ec888048d3.exe
            Command line: Thu07ca8ec888048d3.exe
            - Executes dropped EXE
            - Loads dropped DLL
            PID: 1648
          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im Thu07ca8ec888048d3.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSC013EF06\Thu07ca8ec888048d3.exe" & del C:\ProgramData\*.dll & exit
              PID: 2588
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu07f434e4f491.exe
          - Loads dropped DLL
          PID: 1768
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC013EF06\Thu07f434e4f491.exe
            Command line: Thu07f434e4f491.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            PID: 1676
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu072ac486e47.exe
          - Loads dropped DLL
          PID: 2000
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC013EF06\Thu072ac486e47.exe
            Command line: Thu072ac486e47.exe
            - Executes dropped EXE
            PID: 1620
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu0711d68c32.exe /mixtwo
          - Loads dropped DLL
          PID: 1548
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC013EF06\Thu0711d68c32.exe
            Command line: Thu0711d68c32.exe /mixtwo
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            PID: 1724
          [6] C:\Users\Admin\AppData\Local\Temp\7zSC013EF06\Thu0711d68c32.exe
              Command line: Thu0711d68c32.exe /mixtwo
              - Executes dropped EXE
              - Loads dropped DLL
              PID: 1076
            [7] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "Thu0711d68c32.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSC013EF06\Thu0711d68c32.exe" & exit
                PID: 2120
              [8] C:\Windows\SysWOW64\taskkill.exe
                  Command line: taskkill /im "Thu0711d68c32.exe" /f
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 2328
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu07d52de194fe54.exe
          - Loads dropped DLL
          PID: 1240
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC013EF06\Thu07d52de194fe54.exe
            Command line: Thu07d52de194fe54.exe
            - Executes dropped EXE
            PID: 1052
          [6] C:\Windows\SysWOW64\control.exe
              Command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\2qmCD.Cpl",
              PID: 2300
            [7] C:\Windows\SysWOW64\rundll32.exe
                Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\2qmCD.Cpl",
                PID: 2076
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu07b10fe2f6c9.exe
          - Loads dropped DLL
          PID: 2032
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC013EF06\Thu07b10fe2f6c9.exe
            Command line: Thu07b10fe2f6c9.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks SCSI registry key(s)
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            PID: 1604
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu07670ce8a39e7.exe
          - Loads dropped DLL
          PID: 1328
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC013EF06\Thu07670ce8a39e7.exe
            Command line: Thu07670ce8a39e7.exe
            - Executes dropped EXE
            - Loads dropped DLL
            PID: 1660
          [6] C:\Windows\SysWOW64\control.exe
              Command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\2qmCD.Cpl",
              PID: 2452
            [7] C:\Windows\SysWOW64\rundll32.exe
                Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\2qmCD.Cpl",
                PID: 2564
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu0727000b31e.exe
          - Loads dropped DLL
          PID: 1748
        [5] C:\Users\Admin\AppData\Local\Temp\7zSC013EF06\Thu0727000b31e.exe
            Command line: Thu0727000b31e.exe
            - Executes dropped EXE
            PID: 1484
          [6] C:\Users\Admin\AppData\Local\b9d20164-9c19-4efd-a653-4ebeaefa196e.exe
              Command line: "C:\Users\Admin\AppData\Local\b9d20164-9c19-4efd-a653-4ebeaefa196e.exe"
              PID: 2984
          [6] C:\Users\Admin\AppData\Local\d9d16353-eb0e-4d20-a246-7a2dc3aa5713.exe
              Command line: "C:\Users\Admin\AppData\Local\d9d16353-eb0e-4d20-a246-7a2dc3aa5713.exe"
              PID: 3032
          [6] C:\Users\Admin\AppData\Local\453c75b0-3683-4f52-ada8-5200e4f0d88c.exe
              Command line: "C:\Users\Admin\AppData\Local\453c75b0-3683-4f52-ada8-5200e4f0d88c.exe"
              PID: 1760
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu0782b1b8839f.exe
          PID: 2004
[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {39B9E287-A05B-4B32-A06F-A4BA9B1E7BAF} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
    PID: 2924
  [2] C:\Users\Admin\AppData\Roaming\igbiraw
      Command line: C:\Users\Admin\AppData\Roaming\igbiraw
      PID: 1520