Analysis
max time kernel: 166s
max time network: 181s
platform: windows10_x64
resource: win10-en-20211208
submitted: 23/12/2021, 13:28
Static task: static1
Behavioral task: behavioral1
Sample: 505f245edc689a2530dac91a3a340131cc850aa5bc18319eca1f9b2614cd816d.exe
Resource: win7-en-20211208
General
Target: 505f245edc689a2530dac91a3a340131cc850aa5bc18319eca1f9b2614cd816d.exe
Size: 7.4MB
MD5: 75d915c4258d104ae9cbeaf3e4f6070a
SHA1: dfb15bc0f3bfbf3ce6db50f7fab7f27218d2b3e2
SHA256: 505f245edc689a2530dac91a3a340131cc850aa5bc18319eca1f9b2614cd816d
SHA512: 4b69ba74e1c5cebcb8d4d44f083e532d7fca2d3b03d589afc3f76efd99bd93434b6269c8afce383ea18a61193a9fbbeecd68329bffd32d34d10f3fc1ec7fc922
Malware Config

Extracted: socelars
  http://www.biohazardgraphics.com/

Extracted: vidar
  49.2
  915
  https://mstdn.social/@kipriauk9
  https://qoto.org/@kipriauk8
  profile_id: 915

Extracted: smokeloader
  2020
  http://rcacademy.at/upload/
  http://e-lanpengeonline.com/upload/
  http://vjcmvz.cn/upload/
  http://galala.ru/upload/
  http://witra.ru/upload/

Extracted: redline
  userv1
  159.69.246.184:13127

Extracted: redline
  media22ns
  65.108.69.168:13293
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 10 IoCs
resource  yara_rule
behavioral2/memory/1584-309-0x000000000041932A-mapping.dmp  family_redline
behavioral2/memory/3168-305-0x0000000000419336-mapping.dmp  family_redline
behavioral2/memory/1584-303-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
behavioral2/memory/3168-301-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
behavioral2/memory/2772-299-0x00000000009E0000-0x0000000000A59000-memory.dmp  family_redline
behavioral2/memory/3168-318-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
behavioral2/memory/1584-317-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
behavioral2/memory/3168-315-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
behavioral2/memory/1584-314-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
behavioral2/memory/4952-401-0x0000000000020000-0x0000000000099000-memory.dmp  family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload 2 IoCs
resource  yara_rule
behavioral2/files/0x000600000001ab1f-151.dat  family_socelars
behavioral2/files/0x000600000001ab1f-210.dat  family_socelars

NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
resource  yara_rule
behavioral2/files/0x000700000001ab1b-175.dat  WebBrowserPassView
behavioral2/files/0x000700000001ab1b-216.dat  WebBrowserPassView

Nirsoft 5 IoCs
resource  yara_rule
behavioral2/files/0x000700000001ab1b-175.dat  Nirsoft
behavioral2/files/0x000700000001ab1b-216.dat  Nirsoft
behavioral2/files/0x000700000001ab0a-263.dat  Nirsoft
behavioral2/files/0x000700000001ab0a-262.dat  Nirsoft
behavioral2/memory/2264-264-0x0000000000400000-0x0000000000455000-memory.dmp  Nirsoft

Vidar Stealer 2 IoCs
resource  yara_rule
behavioral2/memory/1908-286-0x0000000000400000-0x00000000008B2000-memory.dmp  family_vidar
behavioral2/memory/1908-288-0x0000000000E00000-0x0000000000ED5000-memory.dmp  family_vidar

resource  yara_rule
behavioral2/files/0x000500000001ab15-127.dat  aspack_v212_v242
behavioral2/files/0x000500000001ab15-129.dat  aspack_v212_v242
behavioral2/files/0x000500000001ab18-134.dat  aspack_v212_v242
behavioral2/files/0x000500000001ab18-132.dat  aspack_v212_v242
behavioral2/files/0x000500000001ab15-130.dat  aspack_v212_v242
behavioral2/files/0x000500000001ab16-128.dat  aspack_v212_v242
behavioral2/files/0x000500000001ab16-126.dat  aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 39 IoCs
pid  Process
1352  setup_installer.exe
588  setup_install.exe
4004  Thu01d09b231f9424582.exe
940  Thu012dabb74f235.exe
2952  Thu018a118270396e.exe
1612  Thu01f6404750c.exe
1972  Thu01962e07748d83.exe
1688  Thu012951243e343.exe
3992  Thu01e094f5aa082baec.exe
2436  Thu01881e99136f4a24e.exe
3332  Thu014d73a06a76eb966.exe
3232  Thu01731c67595.exe
3088  Thu015101b6b1a49.exe
1908  Thu01d121fa6676bc58.exe
2392  Thu01ce98a741.exe
3012  Thu0123974f80d835.exe
1772  Thu014c2c6a2c2649dfc.exe
2636  Thu01731c67595.exe
620  Thu01ce98a741.exe
1512  Thu012951243e343.tmp
3856  Thu012951243e343.exe
2264  11111.exe
1760  Thu012951243e343.tmp
3996  LzmwAqmV.exe
4028  d0a819c5-b8aa-4d62-966b-d4a3fc042da9.exe
2772  9bc718db-cc5b-4698-9672-50fcf3eb97fc.exe
1196  6e2c8763-1beb-4954-b812-78e6820d1899.exe
3168  Thu014c2c6a2c2649dfc.exe
1584  Thu01e094f5aa082baec.exe
4176  myamrnewfile.exe
4256  RobCleanerInstll31827.exe
4384  DisgruntleMezzanines_2021-12-22_21-08.exe
4508  inst.exe
4648  windllhost.exe
4892  54120af6-ecdb-4a05-88dd-ef727407a05d.exe
4952  b34988ff-e4ee-413b-8a4f-a17e07d95102.exe
4160  edb34d35-9c4c-4405-9cdf-fd9159ccf732.exe
4392  n9n8FCXdUOWMRw7SljKrHR5H.exe
2952  4013528.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description  ioc  Process
Key value queried  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\International\Geo\Nation  Thu01f6404750c.exe

Loads dropped DLL 14 IoCs
pid  Process
588  setup_install.exe
588  setup_install.exe
588  setup_install.exe
588  setup_install.exe
588  setup_install.exe
588  setup_install.exe
1512  Thu012951243e343.tmp
1760  Thu012951243e343.tmp
1996  regsvr32.exe
1996  regsvr32.exe
4356  msiexec.exe
4356  msiexec.exe
1908  Thu01d121fa6676bc58.exe
1908  Thu01d121fa6676bc58.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
70  ipinfo.io
71  ipinfo.io
11  ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid  Process
2772  9bc718db-cc5b-4698-9672-50fcf3eb97fc.exe
4952  b34988ff-e4ee-413b-8a4f-a17e07d95102.exe

Suspicious use of SetThreadContext 3 IoCs
description  pid  Process  procid_target
PID 2392 set thread context of 620  2392  Thu01ce98a741.exe  99
PID 1772 set thread context of 3168  1772  Thu014c2c6a2c2649dfc.exe  113
PID 3992 set thread context of 1584  3992  Thu01e094f5aa082baec.exe  114

Drops file in Program Files directory 3 IoCs
description  ioc  Process
File created  C:\Program Files (x86)\FarLabUninstaller\unins000.dat  Thu012951243e343.tmp
File created  C:\Program Files (x86)\FarLabUninstaller\is-04VE9.tmp  Thu012951243e343.tmp
File opened for modification  C:\Program Files (x86)\FarLabUninstaller\unins000.dat  Thu012951243e343.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Thu012dabb74f235.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Thu012dabb74f235.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Thu012dabb74f235.exe

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  Thu01d121fa6676bc58.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Thu01d121fa6676bc58.exe

Kills process with taskkill 2 IoCs
pid  Process
4488  taskkill.exe
4592  taskkill.exe

Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
description  flow  ioc
HTTP User-Agent header  39  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header  50  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process
2648  powershell.exe
1500  powershell.exe
940  Thu012dabb74f235.exe
940  Thu012dabb74f235.exe
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found
3040  Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid  Process
3040  Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs
pid  Process
940  Thu012dabb74f235.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
description  pid  Process
Token: SeCreateTokenPrivilege  3332  Thu014d73a06a76eb966.exe
Token: SeAssignPrimaryTokenPrivilege  3332  Thu014d73a06a76eb966.exe
Token: SeLockMemoryPrivilege  3332  Thu014d73a06a76eb966.exe
Token: SeIncreaseQuotaPrivilege  3332  Thu014d73a06a76eb966.exe
Token: SeMachineAccountPrivilege  3332  Thu014d73a06a76eb966.exe
Token: SeTcbPrivilege  3332  Thu014d73a06a76eb966.exe
Token: SeSecurityPrivilege  3332  Thu014d73a06a76eb966.exe
Token: SeTakeOwnershipPrivilege  3332  Thu014d73a06a76eb966.exe
Token: SeLoadDriverPrivilege  3332  Thu014d73a06a76eb966.exe
Token: SeSystemProfilePrivilege  3332  Thu014d73a06a76eb966.exe
Token: SeSystemtimePrivilege  3332  Thu014d73a06a76eb966.exe
Token: SeProfSingleProcessPrivilege  3332  Thu014d73a06a76eb966.exe
Token: SeIncBasePriorityPrivilege  3332  Thu014d73a06a76eb966.exe
Token: SeCreatePagefilePrivilege  3332  Thu014d73a06a76eb966.exe
Token: SeCreatePermanentPrivilege  3332  Thu014d73a06a76eb966.exe
Token: SeBackupPrivilege  3332  Thu014d73a06a76eb966.exe
Token: SeRestorePrivilege  3332  Thu014d73a06a76eb966.exe
Token: SeShutdownPrivilege  3332  Thu014d73a06a76eb966.exe
Token: SeDebugPrivilege  3332  Thu014d73a06a76eb966.exe
Token: SeAuditPrivilege  3332  Thu014d73a06a76eb966.exe
Token: SeSystemEnvironmentPrivilege  3332  Thu014d73a06a76eb966.exe
Token: SeChangeNotifyPrivilege  3332  Thu014d73a06a76eb966.exe
Token: SeRemoteShutdownPrivilege  3332  Thu014d73a06a76eb966.exe
Token: SeUndockPrivilege  3332  Thu014d73a06a76eb966.exe
Token: SeSyncAgentPrivilege  3332  Thu014d73a06a76eb966.exe
Token: SeEnableDelegationPrivilege  3332  Thu014d73a06a76eb966.exe
Token: SeManageVolumePrivilege  3332  Thu014d73a06a76eb966.exe
Token: SeImpersonatePrivilege  3332  Thu014d73a06a76eb966.exe
Token: SeCreateGlobalPrivilege  3332  Thu014d73a06a76eb966.exe
Token: 31  3332  Thu014d73a06a76eb966.exe
Token: 32  3332  Thu014d73a06a76eb966.exe
Token: 33  3332  Thu014d73a06a76eb966.exe
Token: 34  3332  Thu014d73a06a76eb966.exe
Token: 35  3332  Thu014d73a06a76eb966.exe
Token: SeDebugPrivilege  2952  Thu018a118270396e.exe
Token: SeDebugPrivilege  1772  Thu014c2c6a2c2649dfc.exe
Token: SeDebugPrivilege  3992  Thu01e094f5aa082baec.exe
Token: SeDebugPrivilege  2648  powershell.exe
Token: SeDebugPrivilege  1500  powershell.exe
Token: SeDebugPrivilege  1972  Thu01962e07748d83.exe
Token: SeShutdownPrivilege  3040  Process not Found
Token: SeCreatePagefilePrivilege  3040  Process not Found
Token: SeShutdownPrivilege  3040  Process not Found
Token: SeCreatePagefilePrivilege  3040  Process not Found
Token: SeShutdownPrivilege  3040  Process not Found
Token: SeCreatePagefilePrivilege  3040  Process not Found
Token: SeShutdownPrivilege  3040  Process not Found
Token: SeCreatePagefilePrivilege  3040  Process not Found
Token: SeShutdownPrivilege  3040  Process not Found
Token: SeCreatePagefilePrivilege  3040  Process not Found
Token: SeShutdownPrivilege  3040  Process not Found
Token: SeCreatePagefilePrivilege  3040  Process not Found
Token: SeShutdownPrivilege  3040  Process not Found
Token: SeCreatePagefilePrivilege  3040  Process not Found
Token: SeShutdownPrivilege  3040  Process not Found
Token: SeCreatePagefilePrivilege  3040  Process not Found
Token: SeShutdownPrivilege  3040  Process not Found
Token: SeCreatePagefilePrivilege  3040  Process not Found
Token: SeShutdownPrivilege  3040  Process not Found
Token: SeCreatePagefilePrivilege  3040  Process not Found
Token: SeShutdownPrivilege  3040  Process not Found
Token: SeCreatePagefilePrivilege  3040  Process not Found
Token: SeShutdownPrivilege  3040  Process not Found
Token: SeCreatePagefilePrivilege  3040  Process not Found

Suspicious use of FindShellTrayWindow 1 IoCs
pid  Process
1760  Thu012951243e343.tmp

Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 3728 wrote to memory of 1352  3728  505f245edc689a2530dac91a3a340131cc850aa5bc18319eca1f9b2614cd816d.exe  68
PID 3728 wrote to memory of 1352  3728  505f245edc689a2530dac91a3a340131cc850aa5bc18319eca1f9b2614cd816d.exe  68
PID 3728 wrote to memory of 1352  3728  505f245edc689a2530dac91a3a340131cc850aa5bc18319eca1f9b2614cd816d.exe  68
PID 1352 wrote to memory of 588  1352  setup_installer.exe  69
PID 1352 wrote to memory of 588  1352  setup_installer.exe  69
PID 1352 wrote to memory of 588  1352  setup_installer.exe  69
PID 588 wrote to memory of 872  588  setup_install.exe  72
PID 588 wrote to memory of 872  588  setup_install.exe  72
PID 588 wrote to memory of 872  588  setup_install.exe  72
PID 588 wrote to memory of 1268  588  setup_install.exe  73
PID 588 wrote to memory of 1268  588  setup_install.exe  73
PID 588 wrote to memory of 1268  588  setup_install.exe  73
PID 588 wrote to memory of 1196  588  setup_install.exe  75
PID 588 wrote to memory of 1196  588  setup_install.exe  75
PID 588 wrote to memory of 1196  588  setup_install.exe  75
PID 872 wrote to memory of 2648  872  cmd.exe  74
PID 872 wrote to memory of 2648  872  cmd.exe  74
PID 872 wrote to memory of 2648  872  cmd.exe  74
PID 588 wrote to memory of 600  588  setup_install.exe  76
PID 588 wrote to memory of 600  588  setup_install.exe  76
PID 588 wrote to memory of 600  588  setup_install.exe  76
PID 588 wrote to memory of 3672  588  setup_install.exe  77
PID 588 wrote to memory of 3672  588  setup_install.exe  77
PID 588 wrote to memory of 3672  588  setup_install.exe  77
PID 588 wrote to memory of 3196  588  setup_install.exe  82
PID 588 wrote to memory of 3196  588  setup_install.exe  82
PID 588 wrote to memory of 3196  588  setup_install.exe  82
PID 588 wrote to memory of 3212  588  setup_install.exe  81
PID 588 wrote to memory of 3212  588  setup_install.exe  81
PID 588 wrote to memory of 3212  588  setup_install.exe  81
PID 588 wrote to memory of 3200  588  setup_install.exe  80
PID 588 wrote to memory of 3200  588  setup_install.exe  80
PID 588 wrote to memory of 3200  588  setup_install.exe  80
PID 588 wrote to memory of 2896  588  setup_install.exe  79
PID 588 wrote to memory of 2896  588  setup_install.exe  79
PID 588 wrote to memory of 2896  588  setup_install.exe  79
PID 1268 wrote to memory of 1500  1268  cmd.exe  78
PID 1268 wrote to memory of 1500  1268  cmd.exe  78
PID 1268 wrote to memory of 1500  1268  cmd.exe  78
PID 588 wrote to memory of 4060  588  setup_install.exe  88
PID 588 wrote to memory of 4060  588  setup_install.exe  88
PID 588 wrote to memory of 4060  588  setup_install.exe  88
PID 600 wrote to memory of 4004  600  cmd.exe  87
PID 600 wrote to memory of 4004  600  cmd.exe  87
PID 600 wrote to memory of 4004  600  cmd.exe  87
PID 588 wrote to memory of 2968  588  setup_install.exe  86
PID 588 wrote to memory of 2968  588  setup_install.exe  86
PID 588 wrote to memory of 2968  588  setup_install.exe  86
PID 1196 wrote to memory of 940  1196  cmd.exe  85
PID 1196 wrote to memory of 940  1196  cmd.exe  85
PID 1196 wrote to memory of 940  1196  cmd.exe  85
PID 588 wrote to memory of 368  588  setup_install.exe  83
PID 588 wrote to memory of 368  588  setup_install.exe  83
PID 588 wrote to memory of 368  588  setup_install.exe  83
PID 588 wrote to memory of 2236  588  setup_install.exe  84
PID 588 wrote to memory of 2236  588  setup_install.exe  84
PID 588 wrote to memory of 2236  588  setup_install.exe  84
PID 588 wrote to memory of 2832  588  setup_install.exe  90
PID 588 wrote to memory of 2832  588  setup_install.exe  90
PID 588 wrote to memory of 2832  588  setup_install.exe  90
PID 588 wrote to memory of 2428  588  setup_install.exe  94
PID 588 wrote to memory of 2428  588  setup_install.exe  94
PID 588 wrote to memory of 2428  588  setup_install.exe  94
PID 588 wrote to memory of 1536  588  setup_install.exe  93
Processes
(process tree; the bracketed number is the nesting depth reported by the sandbox, followed by the image path, the command line, the signatures triggered by that process, and its PID)

[1] C:\Users\Admin\AppData\Local\Temp\505f245edc689a2530dac91a3a340131cc850aa5bc18319eca1f9b2614cd816d.exe
  "C:\Users\Admin\AppData\Local\Temp\505f245edc689a2530dac91a3a340131cc850aa5bc18319eca1f9b2614cd816d.exe"
  - Suspicious use of WriteProcessMemory
  PID: 3728
  [2] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 1352
    [3] C:\Users\Admin\AppData\Local\Temp\7zS845CE226\setup_install.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS845CE226\setup_install.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 588
      [4] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        - Suspicious use of WriteProcessMemory
        PID: 872
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2648
      [4] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        - Suspicious use of WriteProcessMemory
        PID: 1268
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1500
      [4] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Thu012dabb74f235.exe
        - Suspicious use of WriteProcessMemory
        PID: 1196
        [5] C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu012dabb74f235.exe
          Thu012dabb74f235.exe
          - Executes dropped EXE
          - Checks SCSI registry key(s)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          PID: 940
      [4] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Thu01d09b231f9424582.exe
        - Suspicious use of WriteProcessMemory
        PID: 600
        [5] C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu01d09b231f9424582.exe
          Thu01d09b231f9424582.exe
          - Executes dropped EXE
          PID: 4004
          [6] C:\Windows\SysWOW64\msiexec.exe
            "C:\Windows\System32\msiexec.exe" -Y .\ScIxVO.XLP
            - Loads dropped DLL
            PID: 4356
      [4] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Thu014d73a06a76eb966.exe
        PID: 3672
        [5] C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu014d73a06a76eb966.exe
          Thu014d73a06a76eb966.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID: 3332
          [6] C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c taskkill /f /im chrome.exe
            PID: 4928
            [7] C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im chrome.exe
              - Kills process with taskkill
              PID: 4592
      [4] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Thu015101b6b1a49.exe
        PID: 2896
        [5] C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu015101b6b1a49.exe
          Thu015101b6b1a49.exe
          - Executes dropped EXE
          PID: 3088
          [6] C:\Windows\SysWOW64\regsvr32.exe
            "C:\Windows\System32\regsvr32.exe" -u .\meE3RM.036 /s
            - Loads dropped DLL
            PID: 1996
      [4] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Thu012951243e343.exe
        PID: 3200
        [5] C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu012951243e343.exe
          Thu012951243e343.exe
          - Executes dropped EXE
          PID: 1688
          [6] C:\Users\Admin\AppData\Local\Temp\is-NBBBG.tmp\Thu012951243e343.tmp
            "C:\Users\Admin\AppData\Local\Temp\is-NBBBG.tmp\Thu012951243e343.tmp" /SL5="$200D4,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu012951243e343.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            PID: 1512
            [7] C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu012951243e343.exe
              "C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu012951243e343.exe" /SILENT
              - Executes dropped EXE
              PID: 3856
              [8] C:\Users\Admin\AppData\Local\Temp\is-4QPQH.tmp\Thu012951243e343.tmp
                "C:\Users\Admin\AppData\Local\Temp\is-4QPQH.tmp\Thu012951243e343.tmp" /SL5="$10214,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu012951243e343.exe" /SILENT
                - Executes dropped EXE
                - Loads dropped DLL
                - Drops file in Program Files directory
                - Suspicious use of FindShellTrayWindow
                PID: 1760
                [9] C:\Users\Admin\AppData\Local\Temp\is-45EUT.tmp\windllhost.exe
                  "C:\Users\Admin\AppData\Local\Temp\is-45EUT.tmp\windllhost.exe" 77
                  - Executes dropped EXE
                  PID: 4648
      [4] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Thu018a118270396e.exe
        PID: 3212
        [5] C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu018a118270396e.exe
          Thu018a118270396e.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID: 2952
          [6] C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
            "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
            - Executes dropped EXE
            PID: 3996
            [7] C:\Users\Admin\AppData\Local\Temp\myamrnewfile.exe
              "C:\Users\Admin\AppData\Local\Temp\myamrnewfile.exe"
              - Executes dropped EXE
              PID: 4176
            [7] C:\Users\Admin\AppData\Local\Temp\RobCleanerInstll31827.exe
              "C:\Users\Admin\AppData\Local\Temp\RobCleanerInstll31827.exe"
              - Executes dropped EXE
              PID: 4256
              [8] C:\Users\Admin\AppData\Local\54120af6-ecdb-4a05-88dd-ef727407a05d.exe
                "C:\Users\Admin\AppData\Local\54120af6-ecdb-4a05-88dd-ef727407a05d.exe"
                - Executes dropped EXE
                PID: 4892
              [8] C:\Users\Admin\AppData\Local\b34988ff-e4ee-413b-8a4f-a17e07d95102.exe
                "C:\Users\Admin\AppData\Local\b34988ff-e4ee-413b-8a4f-a17e07d95102.exe"
                - Executes dropped EXE
                - Suspicious use of NtSetInformationThreadHideFromDebugger
                PID: 4952
              [8] C:\Users\Admin\AppData\Local\edb34d35-9c4c-4405-9cdf-fd9159ccf732.exe
                "C:\Users\Admin\AppData\Local\edb34d35-9c4c-4405-9cdf-fd9159ccf732.exe"
                - Executes dropped EXE
                PID: 4160
                [9] C:\Users\Admin\AppData\Roaming\8788918.exe
                  "C:\Users\Admin\AppData\Roaming\8788918.exe"
                  PID: 4528
            [7] C:\Users\Admin\AppData\Local\Temp\DisgruntleMezzanines_2021-12-22_21-08.exe
              "C:\Users\Admin\AppData\Local\Temp\DisgruntleMezzanines_2021-12-22_21-08.exe"
              - Executes dropped EXE
              PID: 4384
            [7] C:\Users\Admin\AppData\Local\Temp\inst.exe
              "C:\Users\Admin\AppData\Local\Temp\inst.exe"
              - Executes dropped EXE
              PID: 4508
      [4] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Thu01d121fa6676bc58.exe
        PID: 3196
        [5] C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu01d121fa6676bc58.exe
          Thu01d121fa6676bc58.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks processor information in registry
          PID: 1908
      [4] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Thu0123974f80d835.exe
        PID: 368
        [5] C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu0123974f80d835.exe
          Thu0123974f80d835.exe
          - Executes dropped EXE
          PID: 3012
          [6] C:\Users\Admin\AppData\Local\Temp\11111.exe
            C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            - Executes dropped EXE
            PID: 2264
      [4] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Thu01ce98a741.exe /mixtwo
        PID: 2236
        [5] C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu01ce98a741.exe
          Thu01ce98a741.exe /mixtwo
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          PID: 2392
          [6] C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu01ce98a741.exe
            Thu01ce98a741.exe /mixtwo
            - Executes dropped EXE
            PID: 620
            [7] C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c taskkill /im "Thu01ce98a741.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu01ce98a741.exe" & exit
              PID: 4264
              [8] C:\Windows\SysWOW64\taskkill.exe
                taskkill /im "Thu01ce98a741.exe" /f
                - Kills process with taskkill
                PID: 4488
      [4] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Thu014c2c6a2c2649dfc.exe
        PID: 2968
        [5] C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu014c2c6a2c2649dfc.exe
          Thu014c2c6a2c2649dfc.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of AdjustPrivilegeToken
          PID: 1772
          [6] C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu014c2c6a2c2649dfc.exe
            C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu014c2c6a2c2649dfc.exe
            - Executes dropped EXE
            PID: 3168
      [4] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Thu01f6404750c.exe
        PID: 4060
        [5] C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu01f6404750c.exe
          Thu01f6404750c.exe
          - Executes dropped EXE
          - Checks computer location settings
          PID: 1612
          [6] C:\Users\Admin\Pictures\Adobe Films\n9n8FCXdUOWMRw7SljKrHR5H.exe
            "C:\Users\Admin\Pictures\Adobe Films\n9n8FCXdUOWMRw7SljKrHR5H.exe"
            - Executes dropped EXE
            PID: 4392
          [6] C:\Users\Admin\Pictures\Adobe Films\J5h1FJZuTQO53Q21fePsad8X.exe
            "C:\Users\Admin\Pictures\Adobe Films\J5h1FJZuTQO53Q21fePsad8X.exe"
            PID: 4340
          [6] C:\Users\Admin\Pictures\Adobe Films\fsadlhBhlVJz9vhksbfs7tTn.exe
            "C:\Users\Admin\Pictures\Adobe Films\fsadlhBhlVJz9vhksbfs7tTn.exe"
            PID: 4840
          [6] C:\Users\Admin\Pictures\Adobe Films\zO36AgPSg_mVHYPciONd_dEB.exe
            "C:\Users\Admin\Pictures\Adobe Films\zO36AgPSg_mVHYPciONd_dEB.exe"
            PID: 4656
          [6] C:\Users\Admin\Pictures\Adobe Films\AvTXQ2BcltWY3dabMfWjLyLa.exe
            "C:\Users\Admin\Pictures\Adobe Films\AvTXQ2BcltWY3dabMfWjLyLa.exe"
            PID: 4608
          [6] C:\Users\Admin\Pictures\Adobe Films\XchFeVfPlVggcEeQP8YXbEJt.exe
            "C:\Users\Admin\Pictures\Adobe Films\XchFeVfPlVggcEeQP8YXbEJt.exe"
            PID: 4344
          [6] C:\Users\Admin\Pictures\Adobe Films\Wvjgt1pU3NWKkT1GxT5Q6lU9.exe
            "C:\Users\Admin\Pictures\Adobe Films\Wvjgt1pU3NWKkT1GxT5Q6lU9.exe"
            PID: 1260
          [6] C:\Users\Admin\Pictures\Adobe Films\Ov0953KfTAoJ3gawul5YF6QV.exe
            "C:\Users\Admin\Pictures\Adobe Films\Ov0953KfTAoJ3gawul5YF6QV.exe"
            PID: 3228
          [6] C:\Users\Admin\Pictures\Adobe Films\HO5u8ky03L_5jjoL0rQclym9.exe
            "C:\Users\Admin\Pictures\Adobe Films\HO5u8ky03L_5jjoL0rQclym9.exe"
            PID: 1812
          [6] C:\Users\Admin\Pictures\Adobe Films\kWeNCFDHYDl5eSgyzy3pEcvh.exe
            "C:\Users\Admin\Pictures\Adobe Films\kWeNCFDHYDl5eSgyzy3pEcvh.exe"
            PID: 1988
          [6] C:\Users\Admin\Pictures\Adobe Films\S2StLBAaX9OE4aBj6isgAuir.exe
            "C:\Users\Admin\Pictures\Adobe Films\S2StLBAaX9OE4aBj6isgAuir.exe"
            PID: 4680
          [6] C:\Users\Admin\Pictures\Adobe Films\vg_RwI42FPCyl6B6GmEIuuko.exe
            "C:\Users\Admin\Pictures\Adobe Films\vg_RwI42FPCyl6B6GmEIuuko.exe"
            PID: 4640
          [6] C:\Users\Admin\Pictures\Adobe Films\ntHDIvX3oiWJicLCkULEwEyv.exe
            "C:\Users\Admin\Pictures\Adobe Films\ntHDIvX3oiWJicLCkULEwEyv.exe"
            PID: 1076
          [6] C:\Users\Admin\Pictures\Adobe Films\orFlJWxeN2z_AjOjtyzTDVfz.exe
            "C:\Users\Admin\Pictures\Adobe Films\orFlJWxeN2z_AjOjtyzTDVfz.exe"
            PID: 2552
          [6] C:\Users\Admin\Pictures\Adobe Films\J18ADQ90kURJclOc7EJuYrEv.exe
            "C:\Users\Admin\Pictures\Adobe Films\J18ADQ90kURJclOc7EJuYrEv.exe"
            PID: 4280
          [6] C:\Users\Admin\Pictures\Adobe Films\T8CHfyTKCygP5OiWEu1f1TCY.exe
            "C:\Users\Admin\Pictures\Adobe Films\T8CHfyTKCygP5OiWEu1f1TCY.exe"
            PID: 5084
          [6] C:\Users\Admin\Pictures\Adobe Films\82bg_JRrBvNNQWxrUZD7JlyQ.exe
            "C:\Users\Admin\Pictures\Adobe Films\82bg_JRrBvNNQWxrUZD7JlyQ.exe"
            PID: 2160
          [6] C:\Users\Admin\Pictures\Adobe Films\AUkyrg0ibSUC2C8jF77Wku6k.exe
            "C:\Users\Admin\Pictures\Adobe Films\AUkyrg0ibSUC2C8jF77Wku6k.exe"
            PID: 3864
          [6] C:\Users\Admin\Pictures\Adobe Films\MVaeXpPX7zTuszsu_9u1QHRc.exe
            "C:\Users\Admin\Pictures\Adobe Films\MVaeXpPX7zTuszsu_9u1QHRc.exe"
            PID: 2696
          [6] C:\Users\Admin\Pictures\Adobe Films\PFfIJyjMSs8s4SYICE_wAG0v.exe
            "C:\Users\Admin\Pictures\Adobe Films\PFfIJyjMSs8s4SYICE_wAG0v.exe"
            PID: 3300
          [6] C:\Users\Admin\Pictures\Adobe Films\ABfOdMXZWSPXsQn_Rv8F0hhp.exe
            "C:\Users\Admin\Pictures\Adobe Films\ABfOdMXZWSPXsQn_Rv8F0hhp.exe"
            PID: 64
          [6] C:\Users\Admin\Pictures\Adobe Films\nUNqun_MwD40ezPWPcDO0atB.exe
            "C:\Users\Admin\Pictures\Adobe Films\nUNqun_MwD40ezPWPcDO0atB.exe"
            PID: 2112
          [6] C:\Users\Admin\Pictures\Adobe Films\qWoNYHH5fU_qubPANjXFcJOx.exe
            "C:\Users\Admin\Pictures\Adobe Films\qWoNYHH5fU_qubPANjXFcJOx.exe"
            PID: 2412
          [6] C:\Users\Admin\Pictures\Adobe Films\WuqzU0lbSYqcEgG8tshZnh0O.exe
            "C:\Users\Admin\Pictures\Adobe Films\WuqzU0lbSYqcEgG8tshZnh0O.exe"
            PID: 1188
          [6] C:\Users\Admin\Pictures\Adobe Films\3F7chUuhqWTBo8wwRPKj5nEO.exe
            "C:\Users\Admin\Pictures\Adobe Films\3F7chUuhqWTBo8wwRPKj5nEO.exe"
            PID: 2116
          [6] C:\Users\Admin\Pictures\Adobe Films\M6NbF4C5nySHoddknH0LTDsX.exe
            "C:\Users\Admin\Pictures\Adobe Films\M6NbF4C5nySHoddknH0LTDsX.exe"
            PID: 3980
          [6] C:\Users\Admin\Pictures\Adobe Films\MpdKjanU_QGwsyaQxFx2wG80.exe
            "C:\Users\Admin\Pictures\Adobe Films\MpdKjanU_QGwsyaQxFx2wG80.exe"
            PID: 1472
          [6] C:\Users\Admin\Pictures\Adobe Films\QklOhKUL2HYSGwMeDK6plEVT.exe
            "C:\Users\Admin\Pictures\Adobe Films\QklOhKUL2HYSGwMeDK6plEVT.exe"
            PID: 4988
      [4] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Thu01962e07748d83.exe
        PID: 2832
        [5] C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu01962e07748d83.exe
          Thu01962e07748d83.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID: 1972
          [6] C:\Users\Admin\AppData\Local\d0a819c5-b8aa-4d62-966b-d4a3fc042da9.exe
            "C:\Users\Admin\AppData\Local\d0a819c5-b8aa-4d62-966b-d4a3fc042da9.exe"
            - Executes dropped EXE
            PID: 4028
          [6] C:\Users\Admin\AppData\Local\9bc718db-cc5b-4698-9672-50fcf3eb97fc.exe
            "C:\Users\Admin\AppData\Local\9bc718db-cc5b-4698-9672-50fcf3eb97fc.exe"
            - Executes dropped EXE
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            PID: 2772
          [6] C:\Users\Admin\AppData\Local\6e2c8763-1beb-4954-b812-78e6820d1899.exe
            "C:\Users\Admin\AppData\Local\6e2c8763-1beb-4954-b812-78e6820d1899.exe"
            - Executes dropped EXE
            PID: 1196
            [7] C:\Users\Admin\AppData\Roaming\4013528.exe
              "C:\Users\Admin\AppData\Roaming\4013528.exe"
              - Executes dropped EXE
              PID: 2952
              [8] C:\Windows\SysWOW64\control.exe
                "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\ZO8YMp.CPL",
                PID: 4064
      [4] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Thu01881e99136f4a24e.exe
        PID: 2108
        [5] C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu01881e99136f4a24e.exe
          Thu01881e99136f4a24e.exe
          - Executes dropped EXE
          PID: 2436
      [4] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Thu01731c67595.exe
        PID: 1536
        [5] C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu01731c67595.exe
          Thu01731c67595.exe
          - Executes dropped EXE
          PID: 3232
          [6] C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu01731c67595.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu01731c67595.exe" -u
            - Executes dropped EXE
            PID: 2636
      [4] C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Thu01e094f5aa082baec.exe
        PID: 2428
        [5] C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu01e094f5aa082baec.exe
          Thu01e094f5aa082baec.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of AdjustPrivilegeToken
          PID: 3992
          [6] C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu01e094f5aa082baec.exe
            C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu01e094f5aa082baec.exe
            - Executes dropped EXE
            PID: 1584