Analysis

max time kernel: 98s
max time network: 172s
platform: windows10_x64
resource: win10-en-20211208
submitted: 23/12/2021, 13:28

Static task: static1
General

Target: fecd7bad63eecce136544e13015ac36b55d56ee6be14c9d01bcd75a118c759f1.exe
Size: 7.2MB
MD5: 8c58160ee123350f23b879bfc8493a4e
SHA1: d37b113d7c41cff86f3b7b9caa8ec7a5d96cf19b
SHA256: fecd7bad63eecce136544e13015ac36b55d56ee6be14c9d01bcd75a118c759f1
SHA512: 5c3e309a1d5820b5ee2f9aacd203c70e1cb3d6260f18ae61e22f6d507b23c43532064f4b4147bc59f56e2494ad11105b54617e505e591cefd6b226847a07f15f
Malware Config

Extracted: socelars
  http://www.biohazardgraphics.com/

Extracted: vidar
  49.2
  915
  https://mstdn.social/@kipriauk9
  https://qoto.org/@kipriauk8
  profile_id: 915

Extracted: smokeloader
  2020
  http://rcacademy.at/upload/
  http://e-lanpengeonline.com/upload/
  http://vjcmvz.cn/upload/
  http://galala.ru/upload/
  http://witra.ru/upload/

Extracted: redline
  userv1
  159.69.246.184:13127

Extracted: redline
  media22ns
  65.108.69.168:13293
Signatures

Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
  description                                                                          pid   pid_target  Process       procid_target
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process   4668  4412        rundll32.exe  125

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (5 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/4004-288-0x0000000000950000-0x00000000009C9000-memory.dmp  family_redline
  behavioral2/memory/4004-311-0x0000000000950000-0x00000000009C9000-memory.dmp  family_redline
  behavioral2/memory/4004-312-0x0000000000950000-0x00000000009C9000-memory.dmp  family_redline
  behavioral2/memory/1092-409-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
  behavioral2/memory/4740-410-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (2 IoCs)
  resource                                      yara_rule
  behavioral2/files/0x000500000001ab6e-154.dat  family_socelars
  behavioral2/files/0x000500000001ab6e-216.dat  family_socelars

NirSoft WebBrowserPassView (3 IoCs)
Password recovery tool for various web browsers
  resource                                                                       yara_rule
  behavioral2/files/0x000500000001ab64-178.dat                                   WebBrowserPassView
  behavioral2/files/0x000500000001ab64-201.dat                                   WebBrowserPassView
  behavioral2/memory/4740-334-0x0000000000400000-0x000000000047C000-memory.dmp  WebBrowserPassView

Nirsoft (6 IoCs)
  resource                                                                       yara_rule
  behavioral2/files/0x000500000001ab64-178.dat                                   Nirsoft
  behavioral2/files/0x000500000001ab64-201.dat                                   Nirsoft
  behavioral2/memory/2144-285-0x0000000000400000-0x0000000000455000-memory.dmp  Nirsoft
  behavioral2/files/0x000700000001ab5c-284.dat                                   Nirsoft
  behavioral2/files/0x000700000001ab5c-283.dat                                   Nirsoft
  behavioral2/memory/4740-334-0x0000000000400000-0x000000000047C000-memory.dmp  Nirsoft

Vidar Stealer (2 IoCs)
  resource                                                                       yara_rule
  behavioral2/memory/2120-262-0x0000000000D80000-0x0000000000E55000-memory.dmp  family_vidar
  behavioral2/memory/2120-272-0x0000000000400000-0x00000000008B2000-memory.dmp  family_vidar

  resource                                      yara_rule
  behavioral2/files/0x000500000001ab5c-125.dat  aspack_v212_v242
  behavioral2/files/0x000600000001ab5b-126.dat  aspack_v212_v242
  behavioral2/files/0x000500000001ab5c-129.dat  aspack_v212_v242
  behavioral2/files/0x000600000001ab5b-128.dat  aspack_v212_v242
  behavioral2/files/0x000500000001ab60-131.dat  aspack_v212_v242
  behavioral2/files/0x000500000001ab60-132.dat  aspack_v212_v242
Downloads MZ/PE file

Executes dropped EXE (27 IoCs)
  pid   Process
  1392  setup_installer.exe
  644   setup_install.exe
  1632  Thu030f000c97b1a47cf.exe
  1676  Thu03aa0b8bc75.exe
  1816  Thu0391445c068b.exe
  1892  Thu03b1305321.exe
  2244  Thu0362a57cb04.exe
  1972  Thu03812e8b6f95.exe
  1952  Thu038a24d798.exe
  1896  Thu03e3edb243781.exe
  1552  Thu0388d948c4d2.exe
  2096  Thu033002fdb13a8ca.exe
  2144  Thu0340c0ac45a.exe
  2152  Thu0368bfc54f5c0f8.exe
  684   Thu03b3d0969cddc22eb.exe
  1492  Thu03b281c30a.exe
  2120  Thu03b32e8695.exe
  3696  Thu0388d948c4d2.exe
  1724  Thu0362a57cb04.exe
  1512  Thu0340c0ac45a.tmp
  3172  Thu0340c0ac45a.exe
  3724  Thu0340c0ac45a.tmp
  1056  ba5bd0de-1a31-4d32-9da7-a1f8016244dd.exe
  4004  d44de20a-aca5-4149-91b8-daf0c44fcad9.exe
  2144  11111.exe
  4152  85e9a6b6-1ed2-4524-b7f4-cd62e1b5c375.exe
  4320  LzmwAqmV.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description  ioc                                                                                                   Process
  Key value queried  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\International\Geo\Nation  Thu03aa0b8bc75.exe

Loads dropped DLL (12 IoCs)
  pid   Process
  644   setup_install.exe
  644   setup_install.exe
  644   setup_install.exe
  644   setup_install.exe
  644   setup_install.exe
  644   setup_install.exe
  1512  Thu0340c0ac45a.tmp
  3724  Thu0340c0ac45a.tmp
  3840  rundll32.exe
  1152  rundll32.exe
  3840  rundll32.exe
  1152  rundll32.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  20    ip-api.com
  48    ipinfo.io
  49    ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid   Process
  4004  d44de20a-aca5-4149-91b8-daf0c44fcad9.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                           pid   Process              procid_target
  PID 1552 set thread context of 3696   1552  Thu0388d948c4d2.exe  101

Drops file in Program Files directory (3 IoCs)
  description                   ioc                                                        Process
  File created                  C:\Program Files (x86)\FarLabUninstaller\unins000.dat      Thu0340c0ac45a.tmp
  File created                  C:\Program Files (x86)\FarLabUninstaller\is-8O467.tmp      Thu0340c0ac45a.tmp
  File opened for modification  C:\Program Files (x86)\FarLabUninstaller\unins000.dat      Thu0340c0ac45a.tmp

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  808   4120        WerFault.exe  139
  4332  4968        WerFault.exe  159

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                                Process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   Thu03e3edb243781.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   Thu03e3edb243781.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI   Thu03e3edb243781.exe

Kills process with taskkill (2 IoCs)
  pid   Process
  948   taskkill.exe
  4676  taskkill.exe

Modifies registry class (2 IoCs)
  description  ioc                                                                                  Process
  Key created  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings  Thu03812e8b6f95.exe
  Key created  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings  Thu03b3d0969cddc22eb.exe

Script User-Agent (2 IoCs)
Uses user-agent string associated with script host/environment.
  description            flow  ioc
  HTTP User-Agent header  25    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  HTTP User-Agent header  39    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1896  Thu03e3edb243781.exe
  1896  Thu03e3edb243781.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe
  1676  Thu03aa0b8bc75.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
  pid   Process
  1896  Thu03e3edb243781.exe

Suspicious use of AdjustPrivilegeToken (59 IoCs)
  description                           pid   Process
  Token: SeCreateTokenPrivilege         1492  Thu03b281c30a.exe
  Token: SeAssignPrimaryTokenPrivilege  1492  Thu03b281c30a.exe
  Token: SeLockMemoryPrivilege          1492  Thu03b281c30a.exe
  Token: SeIncreaseQuotaPrivilege       1492  Thu03b281c30a.exe
  Token: SeMachineAccountPrivilege      1492  Thu03b281c30a.exe
  Token: SeTcbPrivilege                 1492  Thu03b281c30a.exe
  Token: SeSecurityPrivilege            1492  Thu03b281c30a.exe
  Token: SeTakeOwnershipPrivilege       1492  Thu03b281c30a.exe
  Token: SeLoadDriverPrivilege          1492  Thu03b281c30a.exe
  Token: SeSystemProfilePrivilege       1492  Thu03b281c30a.exe
  Token: SeSystemtimePrivilege          1492  Thu03b281c30a.exe
  Token: SeProfSingleProcessPrivilege   1492  Thu03b281c30a.exe
  Token: SeIncBasePriorityPrivilege     1492  Thu03b281c30a.exe
  Token: SeCreatePagefilePrivilege      1492  Thu03b281c30a.exe
  Token: SeCreatePermanentPrivilege     1492  Thu03b281c30a.exe
  Token: SeBackupPrivilege              1492  Thu03b281c30a.exe
  Token: SeRestorePrivilege             1492  Thu03b281c30a.exe
  Token: SeShutdownPrivilege            1492  Thu03b281c30a.exe
  Token: SeDebugPrivilege               1492  Thu03b281c30a.exe
  Token: SeAuditPrivilege               1492  Thu03b281c30a.exe
  Token: SeSystemEnvironmentPrivilege   1492  Thu03b281c30a.exe
  Token: SeChangeNotifyPrivilege        1492  Thu03b281c30a.exe
  Token: SeRemoteShutdownPrivilege      1492  Thu03b281c30a.exe
  Token: SeUndockPrivilege              1492  Thu03b281c30a.exe
  Token: SeSyncAgentPrivilege           1492  Thu03b281c30a.exe
  Token: SeEnableDelegationPrivilege    1492  Thu03b281c30a.exe
  Token: SeManageVolumePrivilege        1492  Thu03b281c30a.exe
  Token: SeImpersonatePrivilege         1492  Thu03b281c30a.exe
  Token: SeCreateGlobalPrivilege        1492  Thu03b281c30a.exe
  Token: 31                             1492  Thu03b281c30a.exe
  Token: 32                             1492  Thu03b281c30a.exe
  Token: 33                             1492  Thu03b281c30a.exe
  Token: 34                             1492  Thu03b281c30a.exe
  Token: 35                             1492  Thu03b281c30a.exe
  Token: SeDebugPrivilege               1892  Thu03b1305321.exe
  Token: SeDebugPrivilege               1952  Thu038a24d798.exe
  Token: SeDebugPrivilege               2152  Thu0368bfc54f5c0f8.exe
  Token: SeDebugPrivilege               948   taskkill.exe
  Token: SeDebugPrivilege               1816  Thu0391445c068b.exe
  Token: SeDebugPrivilege               3688  powershell.exe
  Token: SeDebugPrivilege               2420  powershell.exe
  Token: SeShutdownPrivilege            1928  Process not Found
  Token: SeCreatePagefilePrivilege      1928  Process not Found
  Token: SeShutdownPrivilege            1928  Process not Found
  Token: SeCreatePagefilePrivilege      1928  Process not Found
  Token: SeShutdownPrivilege            1928  Process not Found
  Token: SeCreatePagefilePrivilege      1928  Process not Found
  Token: SeShutdownPrivilege            1928  Process not Found
  Token: SeCreatePagefilePrivilege      1928  Process not Found
  Token: SeShutdownPrivilege            1928  Process not Found
  Token: SeCreatePagefilePrivilege      1928  Process not Found
  Token: SeShutdownPrivilege            1928  Process not Found
  Token: SeCreatePagefilePrivilege      1928  Process not Found
  Token: SeShutdownPrivilege            1928  Process not Found
  Token: SeCreatePagefilePrivilege      1928  Process not Found
  Token: SeShutdownPrivilege            1928  Process not Found
  Token: SeCreatePagefilePrivilege      1928  Process not Found
  Token: SeShutdownPrivilege            1928  Process not Found
  Token: SeCreatePagefilePrivilege      1928  Process not Found

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  3724  Thu0340c0ac45a.tmp

Suspicious use of WriteProcessMemory (64 IoCs)
  description                          pid   Process                                                                 procid_target
  PID 2700 wrote to memory of 1392     2700  fecd7bad63eecce136544e13015ac36b55d56ee6be14c9d01bcd75a118c759f1.exe   68
  PID 2700 wrote to memory of 1392     2700  fecd7bad63eecce136544e13015ac36b55d56ee6be14c9d01bcd75a118c759f1.exe   68
  PID 2700 wrote to memory of 1392     2700  fecd7bad63eecce136544e13015ac36b55d56ee6be14c9d01bcd75a118c759f1.exe   68
  PID 1392 wrote to memory of 644      1392  setup_installer.exe                                                     69
  PID 1392 wrote to memory of 644      1392  setup_installer.exe                                                     69
  PID 1392 wrote to memory of 644      1392  setup_installer.exe                                                     69
  PID 644 wrote to memory of 1988      644   setup_install.exe                                                       72
  PID 644 wrote to memory of 1988      644   setup_install.exe                                                       72
  PID 644 wrote to memory of 1988      644   setup_install.exe                                                       72
  PID 644 wrote to memory of 600       644   setup_install.exe                                                       73
  PID 644 wrote to memory of 600       644   setup_install.exe                                                       73
  PID 644 wrote to memory of 600       644   setup_install.exe                                                       73
  PID 644 wrote to memory of 856       644   setup_install.exe                                                       74
  PID 644 wrote to memory of 856       644   setup_install.exe                                                       74
  PID 644 wrote to memory of 856       644   setup_install.exe                                                       74
  PID 644 wrote to memory of 1224      644   setup_install.exe                                                       77
  PID 644 wrote to memory of 1224      644   setup_install.exe                                                       77
  PID 644 wrote to memory of 1224      644   setup_install.exe                                                       77
  PID 644 wrote to memory of 2064      644   setup_install.exe                                                       76
  PID 644 wrote to memory of 2064      644   setup_install.exe                                                       76
  PID 644 wrote to memory of 2064      644   setup_install.exe                                                       76
  PID 644 wrote to memory of 1736      644   setup_install.exe                                                       75
  PID 644 wrote to memory of 1736      644   setup_install.exe                                                       75
  PID 644 wrote to memory of 1736      644   setup_install.exe                                                       75
  PID 644 wrote to memory of 3196      644   setup_install.exe                                                       78
  PID 644 wrote to memory of 3196      644   setup_install.exe                                                       78
  PID 644 wrote to memory of 3196      644   setup_install.exe                                                       78
  PID 644 wrote to memory of 2284      644   setup_install.exe                                                       79
  PID 644 wrote to memory of 2284      644   setup_install.exe                                                       79
  PID 644 wrote to memory of 2284      644   setup_install.exe                                                       79
  PID 644 wrote to memory of 640       644   setup_install.exe                                                       80
  PID 644 wrote to memory of 640       644   setup_install.exe                                                       80
  PID 644 wrote to memory of 640       644   setup_install.exe                                                       80
  PID 644 wrote to memory of 820       644   setup_install.exe                                                       88
  PID 644 wrote to memory of 820       644   setup_install.exe                                                       88
  PID 644 wrote to memory of 820       644   setup_install.exe                                                       88
  PID 644 wrote to memory of 952       644   setup_install.exe                                                       87
  PID 644 wrote to memory of 952       644   setup_install.exe                                                       87
  PID 644 wrote to memory of 952       644   setup_install.exe                                                       87
  PID 644 wrote to memory of 2232      644   setup_install.exe                                                       81
  PID 644 wrote to memory of 2232      644   setup_install.exe                                                       81
  PID 644 wrote to memory of 2232      644   setup_install.exe                                                       81
  PID 644 wrote to memory of 1188      644   setup_install.exe                                                       82
  PID 644 wrote to memory of 1188      644   setup_install.exe                                                       82
  PID 644 wrote to memory of 1188      644   setup_install.exe                                                       82
  PID 644 wrote to memory of 3736      644   setup_install.exe                                                       83
  PID 644 wrote to memory of 3736      644   setup_install.exe                                                       83
  PID 644 wrote to memory of 3736      644   setup_install.exe                                                       83
  PID 644 wrote to memory of 4040      644   setup_install.exe                                                       84
  PID 644 wrote to memory of 4040      644   setup_install.exe                                                       84
  PID 644 wrote to memory of 4040      644   setup_install.exe                                                       84
  PID 644 wrote to memory of 3980      644   setup_install.exe                                                       86
  PID 644 wrote to memory of 3980      644   setup_install.exe                                                       86
  PID 644 wrote to memory of 3980      644   setup_install.exe                                                       86
  PID 644 wrote to memory of 1320      644   setup_install.exe                                                       85
  PID 644 wrote to memory of 1320      644   setup_install.exe                                                       85
  PID 644 wrote to memory of 1320      644   setup_install.exe                                                       85
  PID 2284 wrote to memory of 1632     2284  cmd.exe                                                                 89
  PID 2284 wrote to memory of 1632     2284  cmd.exe                                                                 89
  PID 2284 wrote to memory of 1632     2284  cmd.exe                                                                 89
  PID 1224 wrote to memory of 1676     1224  cmd.exe                                                                 100
  PID 1224 wrote to memory of 1676     1224  cmd.exe                                                                 100
  PID 1224 wrote to memory of 1676     1224  cmd.exe                                                                 100
  PID 820 wrote to memory of 1816      820   cmd.exe                                                                 90
Processes

Each entry is shown as [depth] image path, followed by its command line, the signatures it triggered, and its PID. Children are indented under their parent.

[1] C:\Users\Admin\AppData\Local\Temp\fecd7bad63eecce136544e13015ac36b55d56ee6be14c9d01bcd75a118c759f1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fecd7bad63eecce136544e13015ac36b55d56ee6be14c9d01bcd75a118c759f1.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2700
  [2] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 1392
    [3] C:\Users\Admin\AppData\Local\Temp\7zS075D4006\setup_install.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zS075D4006\setup_install.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 644
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          PID: 1988
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            - Suspicious use of AdjustPrivilegeToken
            PID: 2420
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          PID: 600
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            - Suspicious use of AdjustPrivilegeToken
            PID: 3688
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu03812e8b6f95.exe
          PID: 856
        [5] C:\Users\Admin\AppData\Local\Temp\7zS075D4006\Thu03812e8b6f95.exe
            Command line: Thu03812e8b6f95.exe
            - Executes dropped EXE
            - Modifies registry class
            PID: 1972
          [6] C:\Windows\SysWOW64\control.exe
              Command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\nmpadmoD.cPl",
              PID: 1048
            [7] C:\Windows\SysWOW64\rundll32.exe
                Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\nmpadmoD.cPl",
                - Loads dropped DLL
                PID: 3840
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu038a24d798.exe
          PID: 1736
        [5] C:\Users\Admin\AppData\Local\Temp\7zS075D4006\Thu038a24d798.exe
            Command line: Thu038a24d798.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            PID: 1952
          [6] C:\Users\Admin\AppData\Local\ba5bd0de-1a31-4d32-9da7-a1f8016244dd.exe
              Command line: "C:\Users\Admin\AppData\Local\ba5bd0de-1a31-4d32-9da7-a1f8016244dd.exe"
              - Executes dropped EXE
              PID: 1056
          [6] C:\Users\Admin\AppData\Local\d44de20a-aca5-4149-91b8-daf0c44fcad9.exe
              Command line: "C:\Users\Admin\AppData\Local\d44de20a-aca5-4149-91b8-daf0c44fcad9.exe"
              - Executes dropped EXE
              - Suspicious use of NtSetInformationThreadHideFromDebugger
              PID: 4004
          [6] C:\Users\Admin\AppData\Local\85e9a6b6-1ed2-4524-b7f4-cd62e1b5c375.exe
              Command line: "C:\Users\Admin\AppData\Local\85e9a6b6-1ed2-4524-b7f4-cd62e1b5c375.exe"
              - Executes dropped EXE
              PID: 4152
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu03b281c30a.exe
          PID: 2064
        [5] C:\Users\Admin\AppData\Local\Temp\7zS075D4006\Thu03b281c30a.exe
            Command line: Thu03b281c30a.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            PID: 1492
          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: cmd.exe /c taskkill /f /im chrome.exe
              PID: 5076
            [7] C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill /f /im chrome.exe
                - Kills process with taskkill
                PID: 4676
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu03aa0b8bc75.exe
          - Suspicious use of WriteProcessMemory
          PID: 1224
        [5] C:\Users\Admin\AppData\Local\Temp\7zS075D4006\Thu03aa0b8bc75.exe
            Command line: Thu03aa0b8bc75.exe
            - Executes dropped EXE
            - Checks computer location settings
            - Suspicious behavior: EnumeratesProcesses
            PID: 1676
          [6] C:\Users\Admin\Pictures\Adobe Films\FIsnqqNlJ5Q7VkjaOYpTilgl.exe
              Command line: "C:\Users\Admin\Pictures\Adobe Films\FIsnqqNlJ5Q7VkjaOYpTilgl.exe"
              PID: 4600
          [6] C:\Users\Admin\Pictures\Adobe Films\aGXQbiPH4VaCDX1f2_SZv0bN.exe
              Command line: "C:\Users\Admin\Pictures\Adobe Films\aGXQbiPH4VaCDX1f2_SZv0bN.exe"
              PID: 4216
          [6] C:\Users\Admin\Pictures\Adobe Films\xbKAtG2MDXaEBqxkIS8AmIV3.exe
              Command line: "C:\Users\Admin\Pictures\Adobe Films\xbKAtG2MDXaEBqxkIS8AmIV3.exe"
              PID: 4204
          [6] C:\Users\Admin\Pictures\Adobe Films\ux75qkEoDOwuQPCim7uzNKLW.exe
              Command line: "C:\Users\Admin\Pictures\Adobe Films\ux75qkEoDOwuQPCim7uzNKLW.exe"
              PID: 4144
          [6] C:\Users\Admin\Pictures\Adobe Films\BVHf408jeqqDbZOsIH3lCc3v.exe
              Command line: "C:\Users\Admin\Pictures\Adobe Films\BVHf408jeqqDbZOsIH3lCc3v.exe"
              PID: 4120
            [7] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 400
                - Program crash
                PID: 808
          [6] C:\Users\Admin\Pictures\Adobe Films\SVR0FOEfAavW5y5ABQ62QVQT.exe
              Command line: "C:\Users\Admin\Pictures\Adobe Films\SVR0FOEfAavW5y5ABQ62QVQT.exe"
              PID: 1392
          [6] C:\Users\Admin\Pictures\Adobe Films\9NEPaP_kmIgNvWi_liAOu2F4.exe
              Command line: "C:\Users\Admin\Pictures\Adobe Films\9NEPaP_kmIgNvWi_liAOu2F4.exe"
              PID: 5112
          [6] C:\Users\Admin\Pictures\Adobe Films\U1oLxP1dj18xns8npQsn_YbJ.exe
              Command line: "C:\Users\Admin\Pictures\Adobe Films\U1oLxP1dj18xns8npQsn_YbJ.exe"
              PID: 3156
          [6] C:\Users\Admin\Pictures\Adobe Films\ooR64eaw8Kse0tnEvTml85Ip.exe
              Command line: "C:\Users\Admin\Pictures\Adobe Films\ooR64eaw8Kse0tnEvTml85Ip.exe"
              PID: 1140
          [6] C:\Users\Admin\Pictures\Adobe Films\Rd31zGs3KnZU7xSvB3FRwMn4.exe
              Command line: "C:\Users\Admin\Pictures\Adobe Films\Rd31zGs3KnZU7xSvB3FRwMn4.exe"
              PID: 3592
          [6] C:\Users\Admin\Pictures\Adobe Films\GwfXPLvB2alEpCkwFiN8QVAi.exe
              Command line: "C:\Users\Admin\Pictures\Adobe Films\GwfXPLvB2alEpCkwFiN8QVAi.exe"
              PID: 2068
          [6] C:\Users\Admin\Pictures\Adobe Films\UNvGY0h0d2ah23qoBkBqCnvY.exe
              Command line: "C:\Users\Admin\Pictures\Adobe Films\UNvGY0h0d2ah23qoBkBqCnvY.exe"
              PID: 4996
          [6] C:\Users\Admin\Pictures\Adobe Films\WFqrQz3DMhXwSudmsnHYSWkS.exe
              Command line: "C:\Users\Admin\Pictures\Adobe Films\WFqrQz3DMhXwSudmsnHYSWkS.exe"
              PID: 4816
          [6] C:\Users\Admin\Pictures\Adobe Films\AgJDjk9Sm5nl9fo_4fS4yjfu.exe
              Command line: "C:\Users\Admin\Pictures\Adobe Films\AgJDjk9Sm5nl9fo_4fS4yjfu.exe"
              PID: 3868
          [6] C:\Users\Admin\Pictures\Adobe Films\u9Am9do7BxsfBZY3gYl_cnCp.exe
              Command line: "C:\Users\Admin\Pictures\Adobe Films\u9Am9do7BxsfBZY3gYl_cnCp.exe"
              PID: 4984
          [6] C:\Users\Admin\Pictures\Adobe Films\GbpxokxfED3PifOxDJI_kPXN.exe
              Command line: "C:\Users\Admin\Pictures\Adobe Films\GbpxokxfED3PifOxDJI_kPXN.exe"
              PID: 4968
            [7] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 776
                - Program crash
                PID: 4332
          [6] C:\Users\Admin\Pictures\Adobe Films\nJOcL5aoQIceJ5kbcN3eRyq5.exe
              Command line: "C:\Users\Admin\Pictures\Adobe Films\nJOcL5aoQIceJ5kbcN3eRyq5.exe"
              PID: 68
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu03b32e8695.exe
          PID: 3196
        [5] C:\Users\Admin\AppData\Local\Temp\7zS075D4006\Thu03b32e8695.exe
            Command line: Thu03b32e8695.exe
            - Executes dropped EXE
            PID: 2120
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu030f000c97b1a47cf.exe
          - Suspicious use of WriteProcessMemory
          PID: 2284
        [5] C:\Users\Admin\AppData\Local\Temp\7zS075D4006\Thu030f000c97b1a47cf.exe
            Command line: Thu030f000c97b1a47cf.exe
            - Executes dropped EXE
            PID: 1632
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu0340c0ac45a.exe
          PID: 640
        [5] C:\Users\Admin\AppData\Local\Temp\7zS075D4006\Thu0340c0ac45a.exe
            Command line: Thu0340c0ac45a.exe
            - Executes dropped EXE
            PID: 2144
          [6] C:\Users\Admin\AppData\Local\Temp\is-C4MD5.tmp\Thu0340c0ac45a.tmp
              Command line: "C:\Users\Admin\AppData\Local\Temp\is-C4MD5.tmp\Thu0340c0ac45a.tmp" /SL5="$6003A,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS075D4006\Thu0340c0ac45a.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              PID: 1512
            [7] C:\Users\Admin\AppData\Local\Temp\7zS075D4006\Thu0340c0ac45a.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\7zS075D4006\Thu0340c0ac45a.exe" /SILENT
                - Executes dropped EXE
                PID: 3172
              [8] C:\Users\Admin\AppData\Local\Temp\is-H5S99.tmp\Thu0340c0ac45a.tmp
                  Command line: "C:\Users\Admin\AppData\Local\Temp\is-H5S99.tmp\Thu0340c0ac45a.tmp" /SL5="$501C8,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS075D4006\Thu0340c0ac45a.exe" /SILENT
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - Drops file in Program Files directory
                  - Suspicious use of FindShellTrayWindow
                  PID: 3724
                [9] C:\Users\Admin\AppData\Local\Temp\is-39J6J.tmp\windllhost.exe
                    Command line: "C:\Users\Admin\AppData\Local\Temp\is-39J6J.tmp\windllhost.exe" 77
                    PID: 4544
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu03b1305321.exe
          PID: 2232
        [5] C:\Users\Admin\AppData\Local\Temp\7zS075D4006\Thu03b1305321.exe
            Command line: Thu03b1305321.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            PID: 1892
          [6] C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
              - Executes dropped EXE
              PID: 4320
            [7] C:\Users\Admin\AppData\Local\Temp\myamrnewfile.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\myamrnewfile.exe"
                PID: 4656
            [7] C:\Users\Admin\AppData\Local\Temp\RobCleanerInstll31827.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\RobCleanerInstll31827.exe"
                PID: 4728
            [7] C:\Users\Admin\AppData\Local\Temp\DisgruntleMezzanines_2021-12-22_21-08.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\DisgruntleMezzanines_2021-12-22_21-08.exe"
                PID: 5000
            [7] C:\Users\Admin\AppData\Local\Temp\inst.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\inst.exe"
                PID: 1584
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu03e3edb243781.exe
          PID: 1188
        [5] C:\Users\Admin\AppData\Local\Temp\7zS075D4006\Thu03e3edb243781.exe
            Command line: Thu03e3edb243781.exe
            - Executes dropped EXE
            - Checks SCSI registry key(s)
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            PID: 1896
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu0362a57cb04.exe
          PID: 3736
        [5] C:\Users\Admin\AppData\Local\Temp\7zS075D4006\Thu0362a57cb04.exe
            Command line: Thu0362a57cb04.exe
            - Executes dropped EXE
            PID: 2244
          [6] C:\Users\Admin\AppData\Local\Temp\7zS075D4006\Thu0362a57cb04.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\7zS075D4006\Thu0362a57cb04.exe" -u
              - Executes dropped EXE
              PID: 1724
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu03b3d0969cddc22eb.exe
          PID: 4040
        [5] C:\Users\Admin\AppData\Local\Temp\7zS075D4006\Thu03b3d0969cddc22eb.exe
            Command line: Thu03b3d0969cddc22eb.exe
            - Executes dropped EXE
            - Modifies registry class
            PID: 684
          [6] C:\Windows\SysWOW64\control.exe
              Command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\nmpadmoD.cPl",
              PID: 952
            [7] C:\Windows\SysWOW64\rundll32.exe
                Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\nmpadmoD.cPl",
                - Loads dropped DLL
                PID: 1152
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu033002fdb13a8ca.exe
          PID: 1320
        [5] C:\Users\Admin\AppData\Local\Temp\7zS075D4006\Thu033002fdb13a8ca.exe
            Command line: Thu033002fdb13a8ca.exe
            - Executes dropped EXE
            PID: 2096
          [6] C:\Users\Admin\AppData\Local\Temp\11111.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              - Executes dropped EXE
              PID: 2144
          [6] C:\Users\Admin\AppData\Local\Temp\11111.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              PID: 4740
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu0368bfc54f5c0f8.exe
          PID: 3980
        [5] C:\Users\Admin\AppData\Local\Temp\7zS075D4006\Thu0368bfc54f5c0f8.exe
            Command line: Thu0368bfc54f5c0f8.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            PID: 2152
          [6] C:\Users\Admin\AppData\Local\Temp\7zS075D4006\Thu0368bfc54f5c0f8.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\7zS075D4006\Thu0368bfc54f5c0f8.exe
              PID: 4740
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu0388d948c4d2.exe /mixtwo
          PID: 952
        [5] C:\Users\Admin\AppData\Local\Temp\7zS075D4006\Thu0388d948c4d2.exe
            Command line: Thu0388d948c4d2.exe /mixtwo
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            PID: 1552
          [6] C:\Users\Admin\AppData\Local\Temp\7zS075D4006\Thu0388d948c4d2.exe
              Command line: Thu0388d948c4d2.exe /mixtwo
              - Executes dropped EXE
              PID: 3696
            [7] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "Thu0388d948c4d2.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS075D4006\Thu0388d948c4d2.exe" & exit
                PID: 1560
              [8] C:\Windows\SysWOW64\taskkill.exe
                  Command line: taskkill /im "Thu0388d948c4d2.exe" /f
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 948
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Thu0391445c068b.exe
          - Suspicious use of WriteProcessMemory
          PID: 820
        [5] C:\Users\Admin\AppData\Local\Temp\7zS075D4006\Thu0391445c068b.exe
            Command line: Thu0391445c068b.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            PID: 1816
          [6] C:\Users\Admin\AppData\Local\Temp\7zS075D4006\Thu0391445c068b.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\7zS075D4006\Thu0391445c068b.exe
              PID: 1092

[1] C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Process spawned unexpected child process
    PID: 4668
  [2] C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
      PID: 4976

[1] C:\Users\Admin\AppData\Roaming\shbjsbf
    Command line: C:\Users\Admin\AppData\Roaming\shbjsbf
    PID: 2572

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k SystemNetworkService
    PID: 1980