Analysis
max time kernel: 165s
max time network: 187s
platform: windows7_x64
resource: win7-en-20211208
submitted: 23/12/2021, 13:28
Static task: static1
General
Target: f43dd56b838e81c5061b4be210feaf163e655ce9cd4e987c3efc83c613acdea6.exe
Size: 7.2MB
MD5: 69c5ea6d185d93faafc2bff4cf2d4abf
SHA1: dd6f9f2d38f082563a185bf32b14f93c4e81bc13
SHA256: f43dd56b838e81c5061b4be210feaf163e655ce9cd4e987c3efc83c613acdea6
SHA512: 334c323b3d2f9b4adc52d6ca9ad6bd2297838009ce41837de625a1f0cc6e50ec3cc2f89755620dd0957eb45eb5005e95b3e22c22bc6995ccc8402f87215f9455
Malware Config
Extracted: socelars
  C2: http://www.biohazardgraphics.com/
Extracted: redline
  botnet: v3user1
  C2: 159.69.246.184:13127
Extracted: redline
  botnet: media22ns
  C2: 65.108.69.168:13293
Extracted: vidar
  version: 49.2
  botnet: 915
  profile URL (dead drop that hosts the real C2 address): https://mstdn.social/@kipriauk9
  profile URL (dead drop that hosts the real C2 address): https://qoto.org/@kipriauk8
  profile_id: 915
Extracted: smokeloader
  version: 2020
  C2: http://rcacademy.at/upload/
  C2: http://e-lanpengeonline.com/upload/
  C2: http://vjcmvz.cn/upload/
  C2: http://galala.ru/upload/
  C2: http://witra.ru/upload/
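As an added example (not part of the sandbox report), the Python below turns the extracted configs above into a machine-checkable indicator set and runs it over a few constructed flow records. It assumes the ip:port entries are C2 endpoints and the HTTP URLs are C2 or download paths exactly as the report lists them. The Vidar entries are profile pages on public Mastodon instances that Vidar uses as dead drops for its real C2 address, so the bare hosts mstdn.social and qoto.org are deliberately excluded as indicators and only the exact profile URL counts. The flow records are constructed for the demo, not taken from the report's network capture.

```python
"""Indicator matcher built from the report's "Malware Config" section.

Added example, not part of the sandbox report. Indicator values are
copied from the report; SAMPLE_FLOWS are constructed for the demo.
"""
from urllib.parse import urlparse

# Families and the raw config entries as printed in the report.
EXTRACTED_CONFIGS = {
    "socelars": ["http://www.biohazardgraphics.com/"],
    "redline": ["159.69.246.184:13127", "65.108.69.168:13293"],
    "vidar": ["https://mstdn.social/@kipriauk9", "https://qoto.org/@kipriauk8"],
    "smokeloader": [
        "http://rcacademy.at/upload/",
        "http://e-lanpengeonline.com/upload/",
        "http://vjcmvz.cn/upload/",
        "http://galala.ru/upload/",
        "http://witra.ru/upload/",
    ],
}

# Legitimate public services abused as dead-drop resolvers: the exact
# profile URL is an indicator, the host is not (assumption for this demo).
SHARED_HOSTS = {"mstdn.social", "qoto.org"}


def build_indicators(configs):
    """Index config entries by the way a flow can be matched against them."""
    ind = {"url": {}, "host": {}, "ip_port": {}, "ip": {}}
    for family, entries in configs.items():
        for raw in entries:
            if "://" in raw:
                host = urlparse(raw).hostname.lower()
                ind["url"][raw.rstrip("/").lower()] = family
                if host not in SHARED_HOSTS:
                    ind["host"][host] = family
            else:
                host, _, port = raw.rpartition(":")
                ind["ip_port"][(host, int(port))] = family
                ind["ip"][host] = family          # weaker: same IP, other port
    return ind


def match_flow(ind, dst, dport, url=None):
    """Return (family, match_kind) for one flow, or None if it is clean.

    Match kinds are ordered from strongest to weakest evidence.
    """
    dst = dst.lower()
    if url is not None:
        key = url.rstrip("/").lower()
        if key in ind["url"]:
            return ind["url"][key], "url"
    if (dst, dport) in ind["ip_port"]:
        return ind["ip_port"][(dst, dport)], "ip:port"
    if dst in ind["ip"]:
        return ind["ip"][dst], "ip"
    if dst in ind["host"]:
        return ind["host"][dst], "host"
    return None


# Constructed flows: (destination, port, full URL or None).
SAMPLE_FLOWS = [
    ("159.69.246.184", 13127, None),                          # RedLine C2
    ("159.69.246.184", 443, None),                            # same IP, other port
    ("rcacademy.at", 80, "http://rcacademy.at/upload/"),      # SmokeLoader
    ("mstdn.social", 443, "https://mstdn.social/@kipriauk9"), # Vidar dead drop
    ("mstdn.social", 443, "https://mstdn.social/about"),      # benign use of the host
    ("ipinfo.io", 443, "https://ipinfo.io/json"),             # IP lookup, not in config
]


def classify_flows(ind, flows):
    """Label every flow in the list; None means no indicator matched."""
    return [(dst, dport, match_flow(ind, dst, dport, url)) for dst, dport, url in flows]


if __name__ == "__main__":
    indicators = build_indicators(EXTRACTED_CONFIGS)
    for dst, dport, verdict in classify_flows(indicators, SAMPLE_FLOWS):
        print(f"{dst}:{dport} -> {verdict or 'no match'}")
```

The "ip" match kind is kept separate from "ip:port" so an analyst can decide whether a RedLine host seen on a different port is worth an alert; the ipinfo.io and ip-api.com lookups the report records further down are legitimate services and belong in a hunting query, not in this blocklist.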
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 12 IoCs
resource                                                                      yara_rule
behavioral1/memory/2672-239-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
behavioral1/memory/2672-241-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
behavioral1/memory/2680-240-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
behavioral1/memory/2672-243-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
behavioral1/memory/2680-242-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
behavioral1/memory/2680-246-0x0000000000419336-mapping.dmp                    family_redline
behavioral1/memory/2672-245-0x0000000000419336-mapping.dmp                    family_redline
behavioral1/memory/2680-254-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
behavioral1/memory/2672-253-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
behavioral1/memory/2680-251-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
behavioral1/memory/2672-250-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
behavioral1/memory/2552-260-0x0000000000320000-0x0000000000344000-memory.dmp  family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload 1 IoCs
resource                                 yara_rule
behavioral1/files/0x000600000001326b-133.dat  family_socelars
suricata: ET MALWARE GCleaner Downloader Activity M5

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
resource                                                                      yara_rule
behavioral1/files/0x00060000000131fe-162.dat                                  WebBrowserPassView
behavioral1/memory/2536-229-0x0000000000400000-0x000000000047C000-memory.dmp  WebBrowserPassView

Nirsoft 3 IoCs
resource                                                                      yara_rule
behavioral1/files/0x00060000000131fe-162.dat                                  Nirsoft
behavioral1/memory/2388-220-0x0000000000400000-0x0000000000455000-memory.dmp  Nirsoft
behavioral1/memory/2536-229-0x0000000000400000-0x000000000047C000-memory.dmp  Nirsoft

Vidar Stealer 2 IoCs
resource                                                                      yara_rule
behavioral1/memory/1604-264-0x0000000002010000-0x00000000020E5000-memory.dmp  family_vidar
behavioral1/memory/1604-265-0x0000000000400000-0x0000000000534000-memory.dmp  family_vidar

ASPack v2.12-2.42 6 IoCs
resource                                     yara_rule
behavioral1/files/0x00060000000125b9-71.dat  aspack_v212_v242
behavioral1/files/0x00060000000125b9-72.dat  aspack_v212_v242
behavioral1/files/0x00060000000125a9-73.dat  aspack_v212_v242
behavioral1/files/0x00060000000125a9-74.dat  aspack_v212_v242
behavioral1/files/0x00060000000125df-77.dat  aspack_v212_v242
behavioral1/files/0x00060000000125df-78.dat  aspack_v212_v242
Downloads MZ/PE file

Executes dropped EXE 22 IoCs
pid   Process
324   setup_installer.exe
1140  setup_install.exe
1300  Wed20eaf9ba37de7aca.exe
2036  Wed2099ab4766.exe
1604  Wed200ff414b8b.exe
1584  Wed20021b9aa37dd.exe
768   Wed2008e88aa30510.exe
816   Wed2069ceb6af8934.exe
1336  Wed2008cab5609b21c25.exe
912   Wed204e911f5d.exe
1492  Wed2069ceb6af8934.exe
1656  Wed20b74779004f8.exe
1124  Wed205a16ef765d47.exe
652   Wed205da434ac25b239.exe
1664  Wed202776b5457a79ef.exe
2080  Wed20a777ef993f60e8a.exe
2064  Wed200536832d.exe
2388  11111.exe
2536  11111.exe
2672  Wed205da434ac25b239.exe
2680  Wed2008cab5609b21c25.exe
1520  jk39ksNvHE2FBZsWTbkTuDHL.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                          Process
Key value queried  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\International\Geo\Nation  Wed20021b9aa37dd.exe
Loads dropped DLL 64 IoCs
(the report prints one row per load event; rows are tallied per process here)
pid   Process                                                                   loads
1944  f43dd56b838e81c5061b4be210feaf163e655ce9cd4e987c3efc83c613acdea6.exe    1
324   setup_installer.exe                                                       6
1140  setup_install.exe                                                         8
1644  cmd.exe                                                                   1
1448  cmd.exe                                                                   1
996   cmd.exe                                                                   2
1240  cmd.exe                                                                   1
1020  cmd.exe                                                                   2
1536  cmd.exe                                                                   2
1604  Wed200ff414b8b.exe                                                        2
1504  cmd.exe                                                                   2
2036  Wed2099ab4766.exe                                                         2
1584  Wed20021b9aa37dd.exe                                                      2
768   Wed2008e88aa30510.exe                                                     2
816   Wed2069ceb6af8934.exe                                                     3
1336  Wed2008cab5609b21c25.exe                                                  2
460   cmd.exe                                                                   1
1492  Wed2069ceb6af8934.exe                                                     2
1544  cmd.exe                                                                   1
912   Wed204e911f5d.exe                                                         2
1744  cmd.exe                                                                   2
1776  cmd.exe                                                                   1
336   cmd.exe                                                                   1
652   Wed205da434ac25b239.exe                                                   2
1664  Wed202776b5457a79ef.exe                                                   2
904   cmd.exe                                                                   2
1900  cmd.exe                                                                   1
1656  Wed20b74779004f8.exe                                                      2
1124  Wed205a16ef765d47.exe                                                     2
2388  11111.exe                                                                 2
2536  11111.exe                                                                 2
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
43    ipinfo.io
44    ipinfo.io
16    ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext 3 IoCs
description                         pid   Process                   procid_target
PID 816 set thread context of 1492  816   Wed2069ceb6af8934.exe     56
PID 652 set thread context of 2672  652   Wed205da434ac25b239.exe   74
PID 1336 set thread context of 2680 1336  Wed2008cab5609b21c25.exe  75
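Each of the three rows above is a process setting the thread context of a child that runs the same image it was launched from (compare the "Executes dropped EXE" list), which is the launch-suspended, overwrite, resume sequence of process hollowing. The Python below, an added example rather than part of the report, parses the SetThreadContext rows, the pid/image pairs and the YARA memory hits exactly as the report prints them and correlates them, so the reader can see which dropped binary carried which injected payload. The record strings are copied from the report; the parsing and correlation logic are the added part, and the crediting of a WerFault.exe dump to the process WerFault was dumping is an analytic assumption made here.

```python
"""Correlate SetThreadContext records with YARA memory hits.

Added example, not part of the sandbox report. The record strings are
copied verbatim from the report's tables.
"""
import re

# "Suspicious use of SetThreadContext" rows.
SET_THREAD_CONTEXT = """
PID 816 set thread context of 1492 816 Wed2069ceb6af8934.exe 56
PID 652 set thread context of 2672 652 Wed205da434ac25b239.exe 74
PID 1336 set thread context of 2680 1336 Wed2008cab5609b21c25.exe 75
"""

# pid/image pairs from "Executes dropped EXE" (the rows involved here).
EXECUTES_DROPPED = """
816 Wed2069ceb6af8934.exe 1492 Wed2069ceb6af8934.exe
652 Wed205da434ac25b239.exe 2672 Wed205da434ac25b239.exe
1336 Wed2008cab5609b21c25.exe 2680 Wed2008cab5609b21c25.exe
2036 Wed2099ab4766.exe 1604 Wed200ff414b8b.exe
"""

# "Program crash": WerFault pid -> pid of the crashed process it dumped.
PROGRAM_CRASH = {2552: 2036, 2580: 1656, 1384: 1584}

# YARA hits on memory dumps; the resource name encodes pid, dump id, range.
MEMORY_HITS = """
behavioral1/memory/2672-239-0x0000000000400000-0x0000000000420000-memory.dmp family_redline
behavioral1/memory/2680-240-0x0000000000400000-0x0000000000420000-memory.dmp family_redline
behavioral1/memory/2552-260-0x0000000000320000-0x0000000000344000-memory.dmp family_redline
behavioral1/memory/1604-264-0x0000000002010000-0x00000000020E5000-memory.dmp family_vidar
behavioral1/memory/1604-265-0x0000000000400000-0x0000000000534000-memory.dmp family_vidar
"""

STC_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) \d+")
MEM_RE = re.compile(
    r"behavioral1/memory/(\d+)-\d+-(0x[0-9A-Fa-f]+)-(0x[0-9A-Fa-f]+)-memory\.dmp (\S+)")


def parse_set_thread_context(text):
    """-> [(parent_pid, target_pid, parent_image)]"""
    return [(int(p), int(t), img) for p, t, img in STC_RE.findall(text)]


def parse_pid_map(text):
    """-> {pid: image} from alternating 'pid image' tokens."""
    toks = text.split()
    return {int(toks[i]): toks[i + 1] for i in range(0, len(toks), 2)}


def parse_memory_hits(text):
    """-> [(pid, start, end, yara_rule)] with addresses as ints."""
    return [(int(p), int(lo, 16), int(hi, 16), rule)
            for p, lo, hi, rule in MEM_RE.findall(text)]


def hollowing_candidates(stc, pid_map):
    """Parent sets the context of a child running the parent's own image:
    the launch-suspended / overwrite / resume pattern of process hollowing.
    Returns [(parent_pid, child_pid, image)]."""
    return [(p, c, img) for p, c, img in stc if pid_map.get(c) == img]


def families_by_pid(hits, crash_map):
    """Attribute each memory hit to a process. A hit in a WerFault.exe dump
    is credited to the process WerFault was dumping (assumption)."""
    out = {}
    for pid, _lo, _hi, rule in hits:
        out.setdefault(crash_map.get(pid, pid), set()).add(rule)
    return out


def payload_by_process(stc, pid_map, hits, crash_map):
    """-> {child_pid: {parent, image, families}} for each hollowed child."""
    fams = families_by_pid(hits, crash_map)
    return {c: {"parent": p, "image": img, "families": sorted(fams.get(c, ()))}
            for p, c, img in hollowing_candidates(stc, pid_map)}


if __name__ == "__main__":
    stc = parse_set_thread_context(SET_THREAD_CONTEXT)
    pids = parse_pid_map(EXECUTES_DROPPED)
    hits = parse_memory_hits(MEMORY_HITS)
    for child, info in payload_by_process(stc, pids, hits, PROGRAM_CRASH).items():
        print(f"{info['image']} (pid {info['parent']}) hollowed pid {child}: "
              f"{', '.join(info['families']) or 'no YARA hit in dumps'}")
    for pid, fams in sorted(families_by_pid(hits, PROGRAM_CRASH).items()):
        print(f"pid {pid} ({pids.get(pid, '?')}): {', '.join(sorted(fams))}")
```

Run against the report's own data this says: the family_redline hits sit in the hollowed children 2672 and 2680, so Wed205da434ac25b239.exe and Wed2008cab5609b21c25.exe are the RedLine carriers matching the two RedLine configs; the family_vidar hits are in pid 1604 (Wed200ff414b8b.exe, the process that also checks processor information); the RedLine hit credited to WerFault pid 2552 points at Wed2099ab4766.exe (pid 2036), which crashed before the sandbox dumped it directly; and the 816 to 1492 hollowing has no YARA hit, that child being the one that later runs the taskkill-and-erase self-delete.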
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's stock note adds "likely ransomware behaviour", but nothing in this run encrypts files and every family extracted from the sample is a stealer or a loader; in that context drive enumeration is host profiling and a search for files to collect, and should be read as such rather than as a ransomware indicator.
Program crash 3 IoCs
pid   pid_target  Process       procid_target
2552  2036        WerFault.exe  46
2580  1656        WerFault.exe  57
1384  1584        WerFault.exe  48
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description     ioc                                             Process
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Wed2008e88aa30510.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Wed2008e88aa30510.exe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Wed2008e88aa30510.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                              Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                  Wed200ff414b8b.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Wed200ff414b8b.exe
Kills process with taskkill 1 IoCs
pid   Process
2440  taskkill.exe
Modifies system certificate store 2 IoCs
description       ioc                                                                                                                         Process
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (certificate blob data removed)  Wed20b74779004f8.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436  Wed20b74779004f8.exe
The thumbprint A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is the DigiCert Global Root CA. Windows' automatic root update writes exactly this kind of AuthRoot entry the first time a process validates a chain anchored at a root not yet cached locally, so on its own this hit is weak evidence of deliberate certificate-store tampering; what it reliably shows is that Wed20b74779004f8.exe performed a TLS handshake.
Suspicious behavior: EnumeratesProcesses 64 IoCs
(one row per enumeration in the report; tallied per process here)
pid   Process                count
2552  WerFault.exe           7
2580  WerFault.exe           7
768   Wed2008e88aa30510.exe  2
1284  Process not Found      47
2536  11111.exe              1
Suspicious behavior: MapViewOfSection 1 IoCs
pid  Process
768  Wed2008e88aa30510.exe
Suspicious use of AdjustPrivilegeToken 42 IoCs
pid   Process                   Token(s)
1656  Wed20b74779004f8.exe      SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35 (34 IoCs)
652   Wed205da434ac25b239.exe   SeDebugPrivilege
1336  Wed2008cab5609b21c25.exe  SeDebugPrivilege
2440  taskkill.exe              SeDebugPrivilege
2552  WerFault.exe              SeDebugPrivilege
2580  WerFault.exe              SeDebugPrivilege
1384  WerFault.exe              SeDebugPrivilege
1284  Process not Found         SeShutdownPrivilege
1888  powershell.exe            SeDebugPrivilege
The 1656 row asks for every privilege in the token in one call rather than the specific ones the process needs. The SeDebugPrivilege-only rows are the usual prelude to opening another process: 652 and 1336 both go on to set the thread context of their own child (see "Suspicious use of SetThreadContext" above), and taskkill.exe and WerFault.exe need it for their normal work.
Suspicious use of WriteProcessMemory 64 IoCs
(one row per write in the report; tallied per parent/target pair here)
description                       pid   Process                                                                   procid_target  writes
PID 1944 wrote to memory of 324   1944  f43dd56b838e81c5061b4be210feaf163e655ce9cd4e987c3efc83c613acdea6.exe    27             7
PID 324 wrote to memory of 1140   324   setup_installer.exe                                                       28             7
PID 1140 wrote to memory of 1920  1140  setup_install.exe                                                         30             7
PID 1140 wrote to memory of 1760  1140  setup_install.exe                                                         31             7
PID 1140 wrote to memory of 1504  1140  setup_install.exe                                                         33             7
PID 1140 wrote to memory of 1644  1140  setup_install.exe                                                         32             7
PID 1140 wrote to memory of 1448  1140  setup_install.exe                                                         34             7
PID 1140 wrote to memory of 460   1140  setup_install.exe                                                         35             7
PID 1140 wrote to memory of 996   1140  setup_install.exe                                                         36             7
PID 1760 wrote to memory of 1888  1760  cmd.exe                                                                   37             1
Processes
[1] C:\Users\Admin\AppData\Local\Temp\f43dd56b838e81c5061b4be210feaf163e655ce9cd4e987c3efc83c613acdea6.exe  PID 1944
    cmdline: "C:\Users\Admin\AppData\Local\Temp\f43dd56b838e81c5061b4be210feaf163e655ce9cd4e987c3efc83c613acdea6.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe  PID 324
      cmdline: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\7zS441E87C6\setup_install.exe  PID 1140
        cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS441E87C6\setup_install.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe  PID 1920
          cmdline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      [4] C:\Windows\SysWOW64\cmd.exe  PID 1760
          cmdline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  PID 1888
            cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe  PID 1644
          cmdline: C:\Windows\system32\cmd.exe /c Wed20eaf9ba37de7aca.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS441E87C6\Wed20eaf9ba37de7aca.exe  PID 1300
            cmdline: Wed20eaf9ba37de7aca.exe
            - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe  PID 1504
          cmdline: C:\Windows\system32\cmd.exe /c Wed2069ceb6af8934.exe /mixtwo
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS441E87C6\Wed2069ceb6af8934.exe  PID 816
            cmdline: Wed2069ceb6af8934.exe /mixtwo
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
          [6] C:\Users\Admin\AppData\Local\Temp\7zS441E87C6\Wed2069ceb6af8934.exe  PID 1492
              cmdline: Wed2069ceb6af8934.exe /mixtwo
              - Executes dropped EXE
              - Loads dropped DLL
            [7] C:\Windows\SysWOW64\cmd.exe  PID 2356
                cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "Wed2069ceb6af8934.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS441E87C6\Wed2069ceb6af8934.exe" & exit
              [8] C:\Windows\SysWOW64\taskkill.exe  PID 2440
                  cmdline: taskkill /im "Wed2069ceb6af8934.exe" /f
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe  PID 1448
          cmdline: C:\Windows\system32\cmd.exe /c Wed2099ab4766.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS441E87C6\Wed2099ab4766.exe  PID 2036
            cmdline: Wed2099ab4766.exe
            - Executes dropped EXE
            - Loads dropped DLL
          [6] C:\Windows\SysWOW64\WerFault.exe  PID 2552
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 584
              - Program crash
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe  PID 460
          cmdline: C:\Windows\system32\cmd.exe /c Wed204e911f5d.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS441E87C6\Wed204e911f5d.exe  PID 912
            cmdline: Wed204e911f5d.exe
            - Executes dropped EXE
            - Loads dropped DLL
          [6] C:\Windows\SysWOW64\control.exe  PID 2812
              cmdline: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\PHMAVY.cPL",
            [7] C:\Windows\SysWOW64\rundll32.exe  PID 2896
                cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\PHMAVY.cPL",
      [4] C:\Windows\SysWOW64\cmd.exe  PID 996
          cmdline: C:\Windows\system32\cmd.exe /c Wed200ff414b8b.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS441E87C6\Wed200ff414b8b.exe  PID 1604
            cmdline: Wed200ff414b8b.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks processor information in registry
      [4] C:\Windows\SysWOW64\cmd.exe  PID 752
          cmdline: C:\Windows\system32\cmd.exe /c Wed202b90c7f7.exe
      [4] C:\Windows\SysWOW64\cmd.exe  PID 1240
          cmdline: C:\Windows\system32\cmd.exe /c Wed20021b9aa37dd.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS441E87C6\Wed20021b9aa37dd.exe  PID 1584
            cmdline: Wed20021b9aa37dd.exe
            - Executes dropped EXE
            - Checks computer location settings
            - Loads dropped DLL
          [6] C:\Users\Admin\Pictures\Adobe Films\jk39ksNvHE2FBZsWTbkTuDHL.exe  PID 1520
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\jk39ksNvHE2FBZsWTbkTuDHL.exe"
              - Executes dropped EXE
          [6] C:\Windows\SysWOW64\WerFault.exe  PID 1384
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 1540
              - Program crash
              - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe  PID 1544
          cmdline: C:\Windows\system32\cmd.exe /c Wed20b74779004f8.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS441E87C6\Wed20b74779004f8.exe  PID 1656
            cmdline: Wed20b74779004f8.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies system certificate store
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\WerFault.exe  PID 2580
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 1392
              - Program crash
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe  PID 1020
          cmdline: C:\Windows\system32\cmd.exe /c Wed2008e88aa30510.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS441E87C6\Wed2008e88aa30510.exe  PID 768
            cmdline: Wed2008e88aa30510.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks SCSI registry key(s)
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
      [4] C:\Windows\SysWOW64\cmd.exe  PID 1536
          cmdline: C:\Windows\system32\cmd.exe /c Wed2008cab5609b21c25.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS441E87C6\Wed2008cab5609b21c25.exe  PID 1336
            cmdline: Wed2008cab5609b21c25.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\7zS441E87C6\Wed2008cab5609b21c25.exe  PID 2680
              cmdline: C:\Users\Admin\AppData\Local\Temp\7zS441E87C6\Wed2008cab5609b21c25.exe
              - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe  PID 1776
          cmdline: C:\Windows\system32\cmd.exe /c Wed205a16ef765d47.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS441E87C6\Wed205a16ef765d47.exe  PID 1124
            cmdline: Wed205a16ef765d47.exe
            - Executes dropped EXE
            - Loads dropped DLL
      [4] C:\Windows\SysWOW64\cmd.exe  PID 1744
          cmdline: C:\Windows\system32\cmd.exe /c Wed205da434ac25b239.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS441E87C6\Wed205da434ac25b239.exe  PID 652
            cmdline: Wed205da434ac25b239.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\7zS441E87C6\Wed205da434ac25b239.exe  PID 2672
              cmdline: C:\Users\Admin\AppData\Local\Temp\7zS441E87C6\Wed205da434ac25b239.exe
              - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe  PID 336
          cmdline: C:\Windows\system32\cmd.exe /c Wed202776b5457a79ef.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS441E87C6\Wed202776b5457a79ef.exe  PID 1664
            cmdline: Wed202776b5457a79ef.exe
            - Executes dropped EXE
            - Loads dropped DLL
          [6] C:\Windows\SysWOW64\msiexec.exe  PID 2476
              cmdline: "C:\Windows\System32\msiexec.exe" -y .\W9XOE.YA3
      [4] C:\Windows\SysWOW64\cmd.exe  PID 1900
          cmdline: C:\Windows\system32\cmd.exe /c Wed20a777ef993f60e8a.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS441E87C6\Wed20a777ef993f60e8a.exe  PID 2080
            cmdline: Wed20a777ef993f60e8a.exe
            - Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\Temp\11111.exe  PID 2388
              cmdline: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              - Executes dropped EXE
              - Loads dropped DLL
          [6] C:\Users\Admin\AppData\Local\Temp\11111.exe  PID 2536
              cmdline: C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\SysWOW64\cmd.exe  PID 904
          cmdline: C:\Windows\system32\cmd.exe /c Wed200536832d.exe
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS441E87C6\Wed200536832d.exe  PID 2064
            cmdline: Wed200536832d.exe
            - Executes dropped EXE
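The process tree above carries the behaviours a detection engineer would want to alert on before any of the payload families are even classified: the first two children of setup_install.exe turn off Defender real-time scanning and cloud reporting and then exclude %TEMP% (the directory every later stage runs from), Wed204e911f5d.exe loads a .cpl from %TEMP% through control.exe and rundll32, 11111.exe is driven with the NirSoft /scookiestxt and /stab switches against the Chrome cookie database, and the hollowed Wed2069ceb6af8934.exe child deletes its own image with taskkill and erase. The Python below is an added example, not part of the report: it encodes those patterns as command-line rules, plus an ordering-aware correlation that flags any process started from a directory excluded earlier in the same event stream. The command lines are copied from the tree; the surrounding event records (Sysmon-style ProcessId, Image and CommandLine fields) are constructed for the demo, as is the benign Get-MpPreference control case.

```python
"""Command-line detections for the behaviours in the report's process tree.

Added example, not part of the sandbox report. RULES and the ordering
correlation are the added logic; SAMPLE_EVENTS are constructed records
whose command lines are copied from the report.
"""
import re

# (rule name, regex over CommandLine). Single-quoted raw strings keep the
# Windows double quotes in the patterns readable.
RULES = [
    ("defender_realtime_off",
     re.compile(r'Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true', re.I)),
    ("defender_cloud_off",
     re.compile(r'Set-MpPreference\b.*(?:-MAPSReporting\s+Disable|-SubmitSamplesConsent\s+NeverSend)', re.I)),
    ("defender_exclusion_added",
     re.compile(r'Add-MpPreference\b.*-ExclusionPath\s+"?(?P<path>[^"]+?)"?(?:\s|$)', re.I)),
    ("nirsoft_dump_switches",
     re.compile(r'(?:^|\s)/(?:scookiestxt|stab)\s+\S+', re.I)),
    ("cpl_from_temp",
     re.compile(r'(?:control\.exe|Control_RunDLL).*\\AppData\\Local\\Temp\\[^"\s]+\.cpl', re.I)),
    ("taskkill_erase_self_delete",
     re.compile(r'taskkill\s+/im\s+"?(?P<img>[^"\s]+)"?\s+/f\s*&\s*(?:erase|del)\s+"?[^"]*\\(?P=img)"?', re.I)),
]


def evaluate(events):
    """Apply RULES in event order and correlate Defender exclusions with
    later executions from the excluded directory. -> [(ProcessId, rule)]"""
    findings = []
    excluded = []  # lower-cased directory prefixes excluded so far
    for ev in events:
        for name, rx in RULES:
            m = rx.search(ev["CommandLine"])
            if not m:
                continue
            findings.append((ev["ProcessId"], name))
            if name == "defender_exclusion_added":
                excluded.append(m.group("path").lower().rstrip("\\") + "\\")
        image = ev["Image"].lower()
        if any(image.startswith(prefix) for prefix in excluded):
            findings.append((ev["ProcessId"], "exec_from_excluded_path"))
    return findings


def summarize(events):
    """-> {ProcessId: sorted rule names} for processes with at least one hit."""
    out = {}
    for pid, name in evaluate(events):
        out.setdefault(pid, set()).add(name)
    return {pid: sorted(names) for pid, names in out.items()}


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [  # constructed; order follows the report's process tree
    {"ProcessId": 1944, "Image": TEMP + r"\f43dd56b838e81c5061b4be210feaf163e655ce9cd4e987c3efc83c613acdea6.exe",
     "CommandLine": TEMP + r"\f43dd56b838e81c5061b4be210feaf163e655ce9cd4e987c3efc83c613acdea6.exe"},
    {"ProcessId": 1920, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable"},
    {"ProcessId": 1888, "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"'},
    {"ProcessId": 816, "Image": TEMP + r"\7zS441E87C6\Wed2069ceb6af8934.exe",
     "CommandLine": "Wed2069ceb6af8934.exe /mixtwo"},
    {"ProcessId": 2356, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c taskkill /im "Wed2069ceb6af8934.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS441E87C6\Wed2069ceb6af8934.exe" & exit'},
    {"ProcessId": 2812, "Image": r"C:\Windows\SysWOW64\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\PHMAVY.cPL",'},
    {"ProcessId": 2388, "Image": TEMP + r"\11111.exe",
     "CommandLine": TEMP + r'\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt ' + TEMP + r"\fj4ghga23_fsa.txt"},
    {"ProcessId": 4242, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -Command Get-MpPreference"},  # benign read-only query
]


if __name__ == "__main__":
    for pid, names in sorted(summarize(SAMPLE_EVENTS).items()):
        print(pid, ", ".join(names))
```

Note that pid 1944 runs from %TEMP% too but is not flagged by exec_from_excluded_path, because it started before the exclusion existed; the correlation is deliberately order-dependent so it tells the analyst which stages were launched under the weakened Defender configuration. The Set-MpPreference and Add-MpPreference changes are also recorded by Defender itself (event 5007 in the Microsoft-Windows-Windows Defender/Operational log), which gives a second source for the first three rules that does not depend on command-line auditing.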