Analysis
- max time kernel: 159s
- max time network: 177s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 23/12/2021, 13:28

Static task: static1

Behavioral task: behavioral1
- Sample: 926d5da2e499201330d8a2e48ce142e75dac0dcd478409fc25adb7127dc257b1.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 926d5da2e499201330d8a2e48ce142e75dac0dcd478409fc25adb7127dc257b1.exe
- Resource: win10-en-20211208

General
- Target: 926d5da2e499201330d8a2e48ce142e75dac0dcd478409fc25adb7127dc257b1.exe
- Size: 9.8MB
- MD5: 4b059aee403e22a0d3f1fb16ca642d13
- SHA1: 919dd86c5d8cdb7918048e6a5891e1388232b05d
- SHA256: 926d5da2e499201330d8a2e48ce142e75dac0dcd478409fc25adb7127dc257b1
- SHA512: f3ec24e81e6a4689dd6f9ae82fd8fa9a0b4c9485d81e7d0986882d4ff04896a05af996aa6d41531beb179215f3e34147229e865a72c3f22a4fc368ca378f1cd4
Malware Config

Extracted: socelars
- http://www.biohazardgraphics.com/

Extracted: vidar
- 49.2
- 915
- https://mstdn.social/@kipriauk9
- https://qoto.org/@kipriauk8
- profile_id: 915

Extracted: smokeloader
- 2020
- http://rcacademy.at/upload/
- http://e-lanpengeonline.com/upload/
- http://vjcmvz.cn/upload/
- http://galala.ru/upload/
- http://witra.ru/upload/

Extracted: redline
- v3user1
- 159.69.246.184:13127

Extracted: redline
- media22ns
- 65.108.69.168:13293
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 6 IoCs
resource | yara_rule
behavioral1/memory/2736-304-0x0000000000419336-mapping.dmp | family_redline
behavioral1/memory/2736-307-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/2736-308-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/2944-316-0x0000000000419336-mapping.dmp | family_redline
behavioral1/memory/2944-319-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/2944-320-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload 3 IoCs
resource | yara_rule
behavioral1/files/0x00050000000140fe-106.dat | family_socelars
behavioral1/files/0x00050000000140fe-155.dat | family_socelars
behavioral1/files/0x00050000000140fe-180.dat | family_socelars

NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
resource | yara_rule
behavioral1/files/0x000500000001413e-128.dat | WebBrowserPassView
behavioral1/memory/2680-248-0x0000000000400000-0x000000000047C000-memory.dmp | WebBrowserPassView

Nirsoft 3 IoCs
resource | yara_rule
behavioral1/files/0x000500000001413e-128.dat | Nirsoft
behavioral1/memory/2468-234-0x0000000000400000-0x0000000000455000-memory.dmp | Nirsoft
behavioral1/memory/2680-248-0x0000000000400000-0x000000000047C000-memory.dmp | Nirsoft

Vidar Stealer 2 IoCs
resource | yara_rule
behavioral1/memory/1552-244-0x0000000001F60000-0x0000000002035000-memory.dmp | family_vidar
behavioral1/memory/1552-246-0x0000000000400000-0x0000000000535000-memory.dmp | family_vidar

resource | yara_rule
behavioral1/files/0x00060000000138fe-71.dat | aspack_v212_v242
behavioral1/files/0x00060000000138fe-72.dat | aspack_v212_v242
behavioral1/files/0x00060000000138fa-73.dat | aspack_v212_v242
behavioral1/files/0x00060000000138fa-74.dat | aspack_v212_v242
behavioral1/files/0x000600000001390e-78.dat | aspack_v212_v242
behavioral1/files/0x000600000001390e-77.dat | aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 32 IoCs
pid | Process
1040 | setup_installer.exe
280 | setup_install.exe
1036 | Wed17e564879ff.exe
1972 | Wed1773e5c68964.exe
1600 | Wed176510fc794f72.exe
1032 | Wed179170b19a.exe
1904 | Wed177d7e0b80e32.exe
1760 | Wed17bfb56d5816913eb.exe
268 | Wed17490390f788.exe
1668 | Wed171e1acc48fd84.exe
1552 | Wed174fd2d1d7.exe
1604 | Wed177feadfac6e2.exe
1488 | Wed17a7fa0741c6202.exe
1132 | Wed17c3d6ceb0e.exe
556 | Wed17447053894b5.exe
892 | Wed17ba81947100.exe
2096 | Wed17ba81947100.exe
2352 | Wed17447053894b5.tmp
2404 | Wed17447053894b5.exe
2468 | 11111.exe
2568 | Wed17447053894b5.tmp
2680 | 11111.exe
2420 | windllhost.exe
2524 | 59623668-dc88-483e-ae4d-8d10b2973d94.exe
2700 | 3d96f300-0fc5-4165-b2b1-2c3bf22b35cb.exe
2528 | Wed17490390f788.exe
2848 | d63bb057-c5be-4d98-8574-f33276b3ddff.exe
2736 | Wed176510fc794f72.exe
1596 | Wed17490390f788.exe
2944 | Wed17490390f788.exe
2860 | N2JfxhFkdu55oaTtWRS_tvC4.exe
2320 | 5487786.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\International\Geo\Nation | Wed177d7e0b80e32.exe

Loads dropped DLL 64 IoCs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
17 | ip-api.com
53 | ipinfo.io
75 | api.db-ip.com
76 | api.db-ip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
2700 | 3d96f300-0fc5-4165-b2b1-2c3bf22b35cb.exe

Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 892 set thread context of 2096 | 892 | Wed17ba81947100.exe | 64
PID 1600 set thread context of 2736 | 1600 | Wed176510fc794f72.exe | 85
PID 268 set thread context of 2944 | 268 | Wed17490390f788.exe | 88

Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\FarLabUninstaller\unins000.dat | Wed17447053894b5.tmp
File created | C:\Program Files (x86)\FarLabUninstaller\is-IP3G1.tmp | Wed17447053894b5.tmp
File opened for modification | C:\Program Files (x86)\FarLabUninstaller\unins000.dat | Wed17447053894b5.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 2 IoCs
pid | pid_target | Process | procid_target
2968 | 1032 | WerFault.exe | 50
1584 | 1904 | WerFault.exe | 60

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Wed1773e5c68964.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Wed1773e5c68964.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Wed1773e5c68964.exe

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Wed174fd2d1d7.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Wed174fd2d1d7.exe

Kills process with taskkill 2 IoCs
pid | Process
2800 | taskkill.exe
2052 | taskkill.exe
Modifies system certificate store
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | Wed179170b19a.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (blob data not included in this report) | Wed179170b19a.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2420 | windllhost.exe

Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
1972 | Wed1773e5c68964.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
2568 | Wed17447053894b5.tmp

Suspicious use of UnmapMainImage 1 IoCs
pid | Process
1224 | Process not Found

Suspicious use of WriteProcessMemory 64 IoCs
Processes

depth 1: C:\Users\Admin\AppData\Local\Temp\926d5da2e499201330d8a2e48ce142e75dac0dcd478409fc25adb7127dc257b1.exe [PID 820]
  command line: "C:\Users\Admin\AppData\Local\Temp\926d5da2e499201330d8a2e48ce142e75dac0dcd478409fc25adb7127dc257b1.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  depth 2: C:\Users\Admin\AppData\Local\Temp\setup_installer.exe [PID 1040]
    command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    depth 3: C:\Users\Admin\AppData\Local\Temp\7zS01474F86\setup_install.exe [PID 280]
      command line: "C:\Users\Admin\AppData\Local\Temp\7zS01474F86\setup_install.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      depth 4: C:\Windows\SysWOW64\cmd.exe [PID 1924]
        command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        depth 5: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe [PID 1824]
          command line: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      depth 4: C:\Windows\SysWOW64\cmd.exe [PID 1872]
        command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        depth 5: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe [PID 1168]
          command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      depth 4: C:\Windows\SysWOW64\cmd.exe [PID 1804]
        command line: C:\Windows\system32\cmd.exe /c Wed1773e5c68964.exe
        - Loads dropped DLL
        depth 5: C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed1773e5c68964.exe [PID 1972]
          command line: Wed1773e5c68964.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks SCSI registry key(s)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
      depth 4: C:\Windows\SysWOW64\cmd.exe [PID 1784]
        command line: C:\Windows\system32\cmd.exe /c Wed171e1acc48fd84.exe
        - Loads dropped DLL
        depth 5: C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed171e1acc48fd84.exe [PID 1668]
          command line: Wed171e1acc48fd84.exe
          - Executes dropped EXE
          - Loads dropped DLL
          depth 6: C:\Windows\SysWOW64\control.exe [PID 3000]
            command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\VRH1SDG.CPl",
            depth 7: C:\Windows\SysWOW64\rundll32.exe [PID 3044]
              command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\VRH1SDG.CPl",
              depth 8: C:\Windows\system32\RunDll32.exe [PID 2452]
                command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\VRH1SDG.CPl",
                depth 9: C:\Windows\SysWOW64\rundll32.exe [PID 1808]
                  command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\VRH1SDG.CPl",
      depth 4: C:\Windows\SysWOW64\cmd.exe [PID 1548]
        command line: C:\Windows\system32\cmd.exe /c Wed176510fc794f72.exe
        - Loads dropped DLL
        depth 5: C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed176510fc794f72.exe [PID 1600]
          command line: Wed176510fc794f72.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious use of AdjustPrivilegeToken
          depth 6: C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed176510fc794f72.exe [PID 2736]
            command line: C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed176510fc794f72.exe
            - Executes dropped EXE
      depth 4: C:\Windows\SysWOW64\cmd.exe [PID 732]
        command line: C:\Windows\system32\cmd.exe /c Wed179170b19a.exe
        - Loads dropped DLL
        depth 5: C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed179170b19a.exe [PID 1032]
          command line: Wed179170b19a.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Modifies system certificate store
          - Suspicious use of AdjustPrivilegeToken
          depth 6: C:\Windows\SysWOW64\WerFault.exe [PID 2968]
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1124
            - Program crash
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      depth 4: C:\Windows\SysWOW64\cmd.exe [PID 1640]
        command line: C:\Windows\system32\cmd.exe /c Wed174fd2d1d7.exe
        - Loads dropped DLL
        depth 5: C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed174fd2d1d7.exe [PID 1552]
          command line: Wed174fd2d1d7.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks processor information in registry
          depth 6: C:\Windows\SysWOW64\cmd.exe [PID 2280]
            command line: "C:\Windows\System32\cmd.exe" /c taskkill /im Wed174fd2d1d7.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed174fd2d1d7.exe" & del C:\ProgramData\*.dll & exit
            depth 7: C:\Windows\SysWOW64\taskkill.exe [PID 2052]
              command line: taskkill /im Wed174fd2d1d7.exe /f
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
      depth 4: C:\Windows\SysWOW64\cmd.exe [PID 1440]
        command line: C:\Windows\system32\cmd.exe /c Wed17bfb56d5816913eb.exe
        - Loads dropped DLL
        depth 5: C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed17bfb56d5816913eb.exe [PID 1760]
          command line: Wed17bfb56d5816913eb.exe
          - Executes dropped EXE
          - Loads dropped DLL
      depth 4: C:\Windows\SysWOW64\cmd.exe [PID 1544]
        command line: C:\Windows\system32\cmd.exe /c Wed17490390f788.exe
        - Loads dropped DLL
        depth 5: C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed17490390f788.exe [PID 268]
          command line: Wed17490390f788.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious use of AdjustPrivilegeToken
          depth 6: C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed17490390f788.exe [PID 2528]
            command line: C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed17490390f788.exe
            - Executes dropped EXE
          depth 6: C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed17490390f788.exe [PID 1596]
            command line: C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed17490390f788.exe
            - Executes dropped EXE
          depth 6: C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed17490390f788.exe [PID 2944]
            command line: C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed17490390f788.exe
            - Executes dropped EXE
      depth 4: C:\Windows\SysWOW64\cmd.exe [PID 2036]
        command line: C:\Windows\system32\cmd.exe /c Wed17e564879ff.exe
        - Loads dropped DLL
        depth 5: C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed17e564879ff.exe [PID 1036]
          command line: Wed17e564879ff.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          depth 6: C:\Users\Admin\AppData\Local\59623668-dc88-483e-ae4d-8d10b2973d94.exe [PID 2524]
            command line: "C:\Users\Admin\AppData\Local\59623668-dc88-483e-ae4d-8d10b2973d94.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
          depth 6: C:\Users\Admin\AppData\Local\3d96f300-0fc5-4165-b2b1-2c3bf22b35cb.exe [PID 2700]
            command line: "C:\Users\Admin\AppData\Local\3d96f300-0fc5-4165-b2b1-2c3bf22b35cb.exe"
            - Executes dropped EXE
            - Suspicious use of NtSetInformationThreadHideFromDebugger
          depth 6: C:\Users\Admin\AppData\Local\d63bb057-c5be-4d98-8574-f33276b3ddff.exe [PID 2848]
            command line: "C:\Users\Admin\AppData\Local\d63bb057-c5be-4d98-8574-f33276b3ddff.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            depth 7: C:\Users\Admin\AppData\Roaming\5487786.exe [PID 2320]
              command line: "C:\Users\Admin\AppData\Roaming\5487786.exe"
              - Executes dropped EXE
              depth 8: C:\Windows\SysWOW64\control.exe [PID 2008]
                command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\ZO8YMp.CPL",
                depth 9: C:\Windows\SysWOW64\rundll32.exe [PID 1440]
                  command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\ZO8YMp.CPL",
      depth 4: C:\Windows\SysWOW64\cmd.exe [PID 1308]
        command line: C:\Windows\system32\cmd.exe /c Wed17c3d6ceb0e.exe
        - Loads dropped DLL
        depth 5: C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed17c3d6ceb0e.exe [PID 1132]
          command line: Wed17c3d6ceb0e.exe
          - Executes dropped EXE
          depth 6: C:\Users\Admin\AppData\Local\Temp\11111.exe [PID 2468]
            command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            - Executes dropped EXE
            - Loads dropped DLL
          depth 6: C:\Users\Admin\AppData\Local\Temp\11111.exe [PID 2680]
            command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
      depth 4: C:\Windows\SysWOW64\cmd.exe [PID 1584]
        command line: C:\Windows\system32\cmd.exe /c Wed17447053894b5.exe
        - Loads dropped DLL
        depth 5: C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed17447053894b5.exe [PID 556]
          command line: Wed17447053894b5.exe
          - Executes dropped EXE
          - Loads dropped DLL
          depth 6: C:\Users\Admin\AppData\Local\Temp\is-33AQF.tmp\Wed17447053894b5.tmp [PID 2352]
            command line: "C:\Users\Admin\AppData\Local\Temp\is-33AQF.tmp\Wed17447053894b5.tmp" /SL5="$1015E,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed17447053894b5.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            depth 7: C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed17447053894b5.exe [PID 2404]
              command line: "C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed17447053894b5.exe" /SILENT
              - Executes dropped EXE
              - Loads dropped DLL
              depth 8: C:\Users\Admin\AppData\Local\Temp\is-TH8RO.tmp\Wed17447053894b5.tmp [PID 2568]
                command line: "C:\Users\Admin\AppData\Local\Temp\is-TH8RO.tmp\Wed17447053894b5.tmp" /SL5="$20162,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed17447053894b5.exe" /SILENT
                - Executes dropped EXE
                - Drops file in Program Files directory
                - Suspicious use of FindShellTrayWindow
                depth 9: C:\Users\Admin\AppData\Local\Temp\is-FR8N4.tmp\windllhost.exe [PID 2420]
                  command line: "C:\Users\Admin\AppData\Local\Temp\is-FR8N4.tmp\windllhost.exe" 77
                  - Executes dropped EXE
                  - Suspicious behavior: GetForegroundWindowSpam
      depth 4: C:\Windows\SysWOW64\cmd.exe [PID 1512]
        command line: C:\Windows\system32\cmd.exe /c Wed17a7fa0741c6202.exe
        - Loads dropped DLL
        depth 5: C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed17a7fa0741c6202.exe [PID 1488]
          command line: Wed17a7fa0741c6202.exe
          - Executes dropped EXE
      depth 4: C:\Windows\SysWOW64\cmd.exe [PID 568]
        command line: C:\Windows\system32\cmd.exe /c Wed177d7e0b80e32.exe
        - Loads dropped DLL
        depth 5: C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed177d7e0b80e32.exe [PID 1904]
          command line: Wed177d7e0b80e32.exe
          - Executes dropped EXE
          - Checks computer location settings
          - Loads dropped DLL
          depth 6: C:\Users\Admin\Pictures\Adobe Films\N2JfxhFkdu55oaTtWRS_tvC4.exe [PID 2860]
            command line: "C:\Users\Admin\Pictures\Adobe Films\N2JfxhFkdu55oaTtWRS_tvC4.exe"
            - Executes dropped EXE
          depth 6: C:\Windows\SysWOW64\WerFault.exe [PID 1584]
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 1516
            - Program crash
            - Suspicious use of AdjustPrivilegeToken
      depth 4: C:\Windows\SysWOW64\cmd.exe [PID 876]
        command line: C:\Windows\system32\cmd.exe /c Wed177522e89359.exe
      depth 4: C:\Windows\SysWOW64\cmd.exe [PID 1764]
        command line: C:\Windows\system32\cmd.exe /c Wed170f684959b54cd.exe
      depth 4: C:\Windows\SysWOW64\cmd.exe [PID 1812]
        command line: C:\Windows\system32\cmd.exe /c Wed17ba81947100.exe /mixtwo
        - Loads dropped DLL
        depth 5: C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed17ba81947100.exe [PID 892]
          command line: Wed17ba81947100.exe /mixtwo
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          depth 6: C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed17ba81947100.exe [PID 2096]
            command line: Wed17ba81947100.exe /mixtwo
            - Executes dropped EXE
            - Loads dropped DLL
            depth 7: C:\Windows\SysWOW64\cmd.exe [PID 2708]
              command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "Wed17ba81947100.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed17ba81947100.exe" & exit
              depth 8: C:\Windows\SysWOW64\taskkill.exe [PID 2800]
                command line: taskkill /im "Wed17ba81947100.exe" /f
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
      depth 4: C:\Windows\SysWOW64\cmd.exe [PID 324]
        command line: C:\Windows\system32\cmd.exe /c Wed177feadfac6e2.exe
        - Loads dropped DLL

depth 1: C:\Users\Admin\AppData\Local\Temp\7zS01474F86\Wed177feadfac6e2.exe [PID 1604]
  command line: Wed177feadfac6e2.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken