Analysis
  max time kernel: 142s
  max time network: 187s
  platform: windows10_x64
  resource: win10-en-20211208
  submitted: 23/12/2021, 13:28

Static task: static1
Behavioral task: behavioral1
  Sample: 95a7c880a09ee1c63b433c8926ce65671e6609a70dcae0af7719622082079859.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 95a7c880a09ee1c63b433c8926ce65671e6609a70dcae0af7719622082079859.exe
  Resource: win10-en-20211208

General
  Target: 95a7c880a09ee1c63b433c8926ce65671e6609a70dcae0af7719622082079859.exe
  Size: 9.9MB
  MD5: d96604e6d61e59a0ada37d738dde3dec
  SHA1: 79e674165810ae7861a8cb1e59230361da2a8f3a
  SHA256: 95a7c880a09ee1c63b433c8926ce65671e6609a70dcae0af7719622082079859
  SHA512: 8f9660bb9d6066e08e6cba581c4cfae7487536e6bfbbf1f3852145dc1dfe5900f79637812272c9e2117f638b70752f51dad3c80b1574193670b685e8a1124dde
Malware Config

Extracted: socelars
  C2: http://www.biohazardgraphics.com/

Extracted: vidar
  Version: 49.2
  Botnet: 915
  C2:
    https://mstdn.social/@kipriauk9
    https://qoto.org/@kipriauk8
  profile_id: 915

Extracted: smokeloader
  Version: 2020
  C2:
    http://rcacademy.at/upload/
    http://e-lanpengeonline.com/upload/
    http://vjcmvz.cn/upload/
    http://galala.ru/upload/
    http://witra.ru/upload/

Extracted: raccoon
  Botnet: 8fc55a7ea41b0c5db2ca3c881e20966100c28a40
  url4cnc:
    http://194.180.174.53/jredmankun
    http://91.219.236.18/jredmankun
    http://194.180.174.41/jredmankun
    http://91.219.236.148/jredmankun
    https://t.me/jredmankun

Extracted: redline
  Botnet: media22ns
  C2: 65.108.69.168:13293

Extracted: redline
  Botnet: v3user1
  C2: 159.69.246.184:13127
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid: 4192  pid_target: 3436  process: rundll32.exe  procid_target: 136

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (5 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/2408-332-0x0000000000EE0000-0x0000000000F59000-memory.dmp   family_redline
  behavioral2/memory/2204-353-0x0000000000400000-0x0000000000420000-memory.dmp   family_redline
  behavioral2/memory/4744-358-0x0000000000419336-mapping.dmp                     family_redline
  behavioral2/memory/2204-357-0x0000000000419336-mapping.dmp                     family_redline
  behavioral2/memory/4744-352-0x0000000000400000-0x0000000000420000-memory.dmp   family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (2 IoCs)
  resource                                      yara_rule
  behavioral2/files/0x000500000001ab35-202.dat   family_socelars
  behavioral2/files/0x000500000001ab35-238.dat   family_socelars

suricata: ET MALWARE GCleaner Downloader Activity M5

suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

NirSoft WebBrowserPassView (5 IoCs)
Password recovery tool for various web browsers
  resource                                                                      yara_rule
  behavioral2/files/0x000500000001ab38-164.dat                                   WebBrowserPassView
  behavioral2/files/0x000500000001ab38-186.dat                                   WebBrowserPassView
  behavioral2/files/0x000600000001ab25-299.dat                                   WebBrowserPassView
  behavioral2/memory/3812-303-0x0000000000400000-0x000000000047C000-memory.dmp   WebBrowserPassView
  behavioral2/files/0x000600000001ab25-304.dat                                   WebBrowserPassView

Nirsoft (8 IoCs)
  resource                                                                      yara_rule
  behavioral2/files/0x000500000001ab38-164.dat                                   Nirsoft
  behavioral2/files/0x000500000001ab38-186.dat                                   Nirsoft
  behavioral2/files/0x000200000001ab4e-249.dat                                   Nirsoft
  behavioral2/files/0x000200000001ab4e-250.dat                                   Nirsoft
  behavioral2/memory/4960-252-0x0000000000400000-0x0000000000455000-memory.dmp   Nirsoft
  behavioral2/files/0x000600000001ab25-299.dat                                   Nirsoft
  behavioral2/memory/3812-303-0x0000000000400000-0x000000000047C000-memory.dmp   Nirsoft
  behavioral2/files/0x000600000001ab25-304.dat                                   Nirsoft

Vidar Stealer (2 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/1712-246-0x0000000002220000-0x00000000022F5000-memory.dmp   family_vidar
  behavioral2/memory/1712-267-0x0000000000400000-0x000000000053E000-memory.dmp   family_vidar

Yara rule aspack_v212_v242 (6 IoCs)
  resource                                      yara_rule
  behavioral2/files/0x000500000001ab29-127.dat   aspack_v212_v242
  behavioral2/files/0x000500000001ab29-126.dat   aspack_v212_v242
  behavioral2/files/0x000500000001ab2a-125.dat   aspack_v212_v242
  behavioral2/files/0x000500000001ab2a-124.dat   aspack_v212_v242
  behavioral2/files/0x000500000001ab2c-130.dat   aspack_v212_v242
  behavioral2/files/0x000500000001ab2c-131.dat   aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE (32 IoCs)
  pid   Process
  1632  setup_installer.exe
  4324  setup_install.exe
  1712  Wed16b7f58bed.exe
  1744  Wed161aa00221.exe
  1748  Wed16c449cf8eaf38a8.exe
  1836  Wed163cde2f33.exe
  1716  Wed16814b15e2bbe.exe
  2188  Wed16c0128f84198.exe
  2416  Wed168409f03a6ee66.exe
  2724  Wed16430a6d225.exe
  2092  Wed161aa00221.exe
  1460  Wed160ef4d04d0cf6.exe
  4592  Wed16c449cf8eaf38a8.exe
  4600  Wed163ae772fc.exe
  4884  Wed167ce42a0c123f.exe
  4992  Wed16a36d1f6f23.exe
  4996  Wed16d53730fd5435.exe
  5020  Wed1645070e75.exe
  2672  Wed16693e79560dd.exe
  408   Wed16d7a95b10861.exe
  4960  11111.exe
  2972  Wed16430a6d225.tmp
  4928  Wed16430a6d225.exe
  3812  11111.exe
  2832  Wed16430a6d225.tmp
  2388  53eef956-38a9-4d49-b5ca-1f8c9df70a6e.exe
  4896  LzmwAqmV.exe
  2408  a1026c02-c34c-451e-974b-5af71f08e889.exe
  4960  83cc5ae1-ee51-4850-884b-15b54d2dd6a2.exe
  2204  Wed1645070e75.exe
  4744  Wed16a36d1f6f23.exe
  4372  myamrnewfile.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                              Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  Wed163cde2f33.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   Wed163cde2f33.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                              Process
  Key value queried  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Control Panel\International\Geo\Nation  Wed16d53730fd5435.exe

Loads dropped DLL (11 IoCs)
  pid   Process
  4324  setup_install.exe (x7)
  2972  Wed16430a6d225.tmp
  2832  Wed16430a6d225.tmp
  4444  rundll32.exe (x2)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks whether UAC is enabled
  description        ioc                                                                              Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Wed163cde2f33.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  10    ip-api.com
  69    ipinfo.io
  70    ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  pid   Process
  1836  Wed163cde2f33.exe (x2)
  2408  a1026c02-c34c-451e-974b-5af71f08e889.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                           pid   Process                procid_target
  PID 1744 set thread context of 2092   1744  Wed161aa00221.exe      95
  PID 4992 set thread context of 4744   4992  Wed16a36d1f6f23.exe    125
  PID 5020 set thread context of 2204   5020  Wed1645070e75.exe      124

Drops file in Program Files directory (1 IoC)
  description   ioc                                                        Process
  File created  C:\Program Files (x86)\FarLabUninstaller\unins000.dat      M939kRmQhirIPRoWq6YqFBWP.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  5176  3176        WerFault.exe  167

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                               Process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Wed16c0128f84198.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Wed16c0128f84198.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Wed16c0128f84198.exe

Kills process with taskkill (2 IoCs)
  pid   Process
  4892  taskkill.exe
  1372  taskkill.exe

Modifies registry class (2 IoCs)
  description  ioc                                                                            Process
  Key created  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings  Wed167ce42a0c123f.exe
  Key created  \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings  Wed16d7a95b10861.exe

Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
  description             flow  ioc
  HTTP User-Agent header  31    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  2188  Wed16c0128f84198.exe (x2)
  1836  Wed163cde2f33.exe (x4)
  3232  powershell.exe (x2)
  792   powershell.exe (x2)
  1640  Process not Found (x54)

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  2188  Wed16c0128f84198.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid   Process                 Token
  4600  Wed163ae772fc.exe       SeDebugPrivilege
  2672  Wed16693e79560dd.exe    SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
  5020  Wed1645070e75.exe       SeDebugPrivilege
  4992  Wed16a36d1f6f23.exe     SeDebugPrivilege
  3232  powershell.exe          SeDebugPrivilege
  792   powershell.exe          SeDebugPrivilege
  1460  Wed160ef4d04d0cf6.exe   SeDebugPrivilege
  1640  Process not Found       SeShutdownPrivilege, SeCreatePagefilePrivilege (alternating, 12 times each)

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   Process
  2832  M939kRmQhirIPRoWq6YqFBWP.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Each row is logged three times in the report unless marked otherwise; the list is cut off at 64 entries.
  description                            pid   Process                                                                   procid_target
  PID 4164 wrote to memory of 1632       4164  95a7c880a09ee1c63b433c8926ce65671e6609a70dcae0af7719622082079859.exe     68   (x3)
  PID 1632 wrote to memory of 4324       1632  setup_installer.exe                                                       71   (x3)
  PID 4324 wrote to memory of 508        4324  setup_install.exe                                                         74   (x3)
  PID 4324 wrote to memory of 612        4324  setup_install.exe                                                         75   (x3)
  PID 612 wrote to memory of 3232        612   cmd.exe                                                                   78   (x3)
  PID 508 wrote to memory of 792         508   cmd.exe                                                                   77   (x3)
  PID 4324 wrote to memory of 884        4324  setup_install.exe                                                         76   (x3)
  PID 4324 wrote to memory of 3132       4324  setup_install.exe                                                         85   (x3)
  PID 4324 wrote to memory of 400        4324  setup_install.exe                                                         79   (x3)
  PID 4324 wrote to memory of 1064       4324  setup_install.exe                                                         84   (x3)
  PID 4324 wrote to memory of 1200       4324  setup_install.exe                                                         80   (x3)
  PID 4324 wrote to memory of 1376       4324  setup_install.exe                                                         81   (x3)
  PID 4324 wrote to memory of 1428       4324  setup_install.exe                                                         82   (x3)
  PID 4324 wrote to memory of 1516       4324  setup_install.exe                                                         83   (x3)
  PID 1064 wrote to memory of 1712       1064  cmd.exe                                                                   86   (x3)
  PID 1200 wrote to memory of 1744       1200  cmd.exe                                                                   87   (x3)
  PID 400 wrote to memory of 1748        400   cmd.exe                                                                   101  (x3)
  PID 884 wrote to memory of 1836        884   cmd.exe                                                                   100  (x3)
  PID 3132 wrote to memory of 1716       3132  cmd.exe                                                                   88   (x3)
  PID 4324 wrote to memory of 2052       4324  setup_install.exe                                                         89   (x3)
  PID 1376 wrote to memory of 2188       1376  cmd.exe                                                                   99   (x3)
  PID 1428 wrote to memory of 2416       1428  cmd.exe                                                                   98   (x1, list truncated)
Processes
Each entry is shown as [nesting level] image path, followed by the command line, PID and the signatures that fired for that process.

[1] C:\Users\Admin\AppData\Local\Temp\95a7c880a09ee1c63b433c8926ce65671e6609a70dcae0af7719622082079859.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\95a7c880a09ee1c63b433c8926ce65671e6609a70dcae0af7719622082079859.exe"
    PID: 4164
    signatures: Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      PID: 1632
      signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\7zS06664586\setup_install.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS06664586\setup_install.exe"
        PID: 4324
        signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          PID: 508
          signatures: Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            PID: 792
            signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          PID: 612
          signatures: Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            PID: 3232
            signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Wed163cde2f33.exe
          PID: 884
          signatures: Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed163cde2f33.exe
            cmdline: Wed163cde2f33.exe
            PID: 1836
            signatures: Executes dropped EXE; Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Wed16c449cf8eaf38a8.exe
          PID: 400
          signatures: Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16c449cf8eaf38a8.exe
            cmdline: Wed16c449cf8eaf38a8.exe
            PID: 1748
            signatures: Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16c449cf8eaf38a8.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16c449cf8eaf38a8.exe" -u
              PID: 4592
              signatures: Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Wed161aa00221.exe /mixtwo
          PID: 1200
          signatures: Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed161aa00221.exe
            cmdline: Wed161aa00221.exe /mixtwo
            PID: 1744
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext
          [6] C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed161aa00221.exe
              cmdline: Wed161aa00221.exe /mixtwo
              PID: 2092
              signatures: Executes dropped EXE
            [7] C:\Windows\SysWOW64\cmd.exe
                cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "Wed161aa00221.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed161aa00221.exe" & exit
                PID: 3556
              [8] C:\Windows\SysWOW64\taskkill.exe
                  cmdline: taskkill /im "Wed161aa00221.exe" /f
                  PID: 4892
                  signatures: Kills process with taskkill
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Wed16c0128f84198.exe
          PID: 1376
          signatures: Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16c0128f84198.exe
            cmdline: Wed16c0128f84198.exe
            PID: 2188
            signatures: Executes dropped EXE; Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Wed168409f03a6ee66.exe
          PID: 1428
          signatures: Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed168409f03a6ee66.exe
            cmdline: Wed168409f03a6ee66.exe
            PID: 2416
            signatures: Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\Temp\11111.exe
              cmdline: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              PID: 4960
              signatures: Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\Temp\11111.exe
              cmdline: C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              PID: 3812
              signatures: Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Wed16430a6d225.exe
          PID: 1516
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16430a6d225.exe
            cmdline: Wed16430a6d225.exe
            PID: 2724
            signatures: Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\Temp\is-J8E4O.tmp\Wed16430a6d225.tmp
              cmdline: "C:\Users\Admin\AppData\Local\Temp\is-J8E4O.tmp\Wed16430a6d225.tmp" /SL5="$70030,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16430a6d225.exe"
              PID: 2972
              signatures: Executes dropped EXE; Loads dropped DLL
            [7] C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16430a6d225.exe
                cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16430a6d225.exe" /SILENT
                PID: 4928
                signatures: Executes dropped EXE
              [8] C:\Users\Admin\AppData\Local\Temp\is-QU9A7.tmp\Wed16430a6d225.tmp
                  cmdline: "C:\Users\Admin\AppData\Local\Temp\is-QU9A7.tmp\Wed16430a6d225.tmp" /SL5="$401CC,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16430a6d225.exe" /SILENT
                  PID: 2832
                  signatures: Executes dropped EXE; Loads dropped DLL
                [9] C:\Users\Admin\AppData\Local\Temp\is-3EUD1.tmp\windllhost.exe
                    cmdline: "C:\Users\Admin\AppData\Local\Temp\is-3EUD1.tmp\windllhost.exe" 77
                    PID: 3216
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Wed16b7f58bed.exe
          PID: 1064
          signatures: Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16b7f58bed.exe
            cmdline: Wed16b7f58bed.exe
            PID: 1712
            signatures: Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Wed16814b15e2bbe.exe
          PID: 3132
          signatures: Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16814b15e2bbe.exe
            cmdline: Wed16814b15e2bbe.exe
            PID: 1716
            signatures: Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Wed167ce42a0c123f.exe
          PID: 2052
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed167ce42a0c123f.exe
            cmdline: Wed167ce42a0c123f.exe
            PID: 4884
            signatures: Executes dropped EXE; Modifies registry class
          [6] C:\Windows\SysWOW64\control.exe
              cmdline: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\SL4L.cpL",
              PID: 1772
            [7] C:\Windows\SysWOW64\rundll32.exe
                cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\SL4L.cpL",
                PID: 4444
                signatures: Loads dropped DLL
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Wed160ef4d04d0cf6.exe
          PID: 2780
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed160ef4d04d0cf6.exe
            cmdline: Wed160ef4d04d0cf6.exe
            PID: 1460
            signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\53eef956-38a9-4d49-b5ca-1f8c9df70a6e.exe
              cmdline: "C:\Users\Admin\AppData\Local\53eef956-38a9-4d49-b5ca-1f8c9df70a6e.exe"
              PID: 2388
              signatures: Executes dropped EXE
          [6] C:\Users\Admin\AppData\Local\a1026c02-c34c-451e-974b-5af71f08e889.exe
              cmdline: "C:\Users\Admin\AppData\Local\a1026c02-c34c-451e-974b-5af71f08e889.exe"
              PID: 2408
              signatures: Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger
          [6] C:\Users\Admin\AppData\Local\83cc5ae1-ee51-4850-884b-15b54d2dd6a2.exe
              cmdline: "C:\Users\Admin\AppData\Local\83cc5ae1-ee51-4850-884b-15b54d2dd6a2.exe"
              PID: 4960
              signatures: Executes dropped EXE
            [7] C:\Users\Admin\AppData\Roaming\8378962.exe
                cmdline: "C:\Users\Admin\AppData\Roaming\8378962.exe"
                PID: 1532
              [8] C:\Windows\SysWOW64\control.exe
                  cmdline: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\ZO8YMp.CPL",
                  PID: 5728
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Wed16a36d1f6f23.exe
          PID: 4864
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16a36d1f6f23.exe
            cmdline: Wed16a36d1f6f23.exe
            PID: 4992
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16a36d1f6f23.exe
              cmdline: C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16a36d1f6f23.exe
              PID: 4744
              signatures: Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Wed16693e79560dd.exe
          PID: 4816
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16693e79560dd.exe
            cmdline: Wed16693e79560dd.exe
            PID: 2672
            signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\cmd.exe
              cmdline: cmd.exe /c taskkill /f /im chrome.exe
              PID: 2776
            [7] C:\Windows\SysWOW64\taskkill.exe
                cmdline: taskkill /f /im chrome.exe
                PID: 1372
                signatures: Kills process with taskkill
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Wed1645070e75.exe
          PID: 3868
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed1645070e75.exe
            cmdline: Wed1645070e75.exe
            PID: 5020
            signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed1645070e75.exe
              cmdline: C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed1645070e75.exe
              PID: 2204
              signatures: Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Wed163ae772fc.exe
          PID: 2704
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed163ae772fc.exe
            cmdline: Wed163ae772fc.exe
            PID: 4600
            signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
          [6] C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
              PID: 4896
              signatures: Executes dropped EXE
            [7] C:\Users\Admin\AppData\Local\Temp\myamrnewfile.exe
                cmdline: "C:\Users\Admin\AppData\Local\Temp\myamrnewfile.exe"
                PID: 4372
                signatures: Executes dropped EXE
            [7] C:\Users\Admin\AppData\Local\Temp\RobCleanerInstll31827.exe
                cmdline: "C:\Users\Admin\AppData\Local\Temp\RobCleanerInstll31827.exe"
                PID: 660
            [7] C:\Users\Admin\AppData\Local\Temp\DisgruntleMezzanines_2021-12-22_21-08.exe
                cmdline: "C:\Users\Admin\AppData\Local\Temp\DisgruntleMezzanines_2021-12-22_21-08.exe"
                PID: 5048
            [7] C:\Users\Admin\AppData\Local\Temp\inst.exe
                cmdline: "C:\Users\Admin\AppData\Local\Temp\inst.exe"
                PID: 364
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Wed16d53730fd5435.exe
          PID: 2340
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16d53730fd5435.exe
            cmdline: Wed16d53730fd5435.exe
            PID: 4996
            signatures: Executes dropped EXE; Checks computer location settings
          [6] C:\Users\Admin\Pictures\Adobe Films\4sebI3D01qcPsCpM9Vgp0hE7.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\4sebI3D01qcPsCpM9Vgp0hE7.exe"
              PID: 4240
          [6] C:\Users\Admin\Pictures\Adobe Films\Miu54K4SHYGGIe2Qh9NPpElJ.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\Miu54K4SHYGGIe2Qh9NPpElJ.exe"
              PID: 1860
          [6] C:\Users\Admin\Pictures\Adobe Films\xj205crxMGRWr9WICccMO2DZ.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\xj205crxMGRWr9WICccMO2DZ.exe"
              PID: 4620
          [6] C:\Users\Admin\Pictures\Adobe Films\mIj_cY7T4_uTb2GbZzvrF2Iq.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\mIj_cY7T4_uTb2GbZzvrF2Iq.exe"
              PID: 2988
          [6] C:\Users\Admin\Pictures\Adobe Films\Q2Z1JPzxk1o_2H8ZFt_O1ySa.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\Q2Z1JPzxk1o_2H8ZFt_O1ySa.exe"
              PID: 2272
          [6] C:\Users\Admin\Pictures\Adobe Films\ow8PMn48zXdt_w5DeFPWzxJC.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\ow8PMn48zXdt_w5DeFPWzxJC.exe"
              PID: 3776
          [6] C:\Users\Admin\Pictures\Adobe Films\Rmwewj05jy62TxXxNF9CRccv.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\Rmwewj05jy62TxXxNF9CRccv.exe"
              PID: 4332
          [6] C:\Users\Admin\Pictures\Adobe Films\JVYBLRj6xzl843MfgFlqZGOO.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\JVYBLRj6xzl843MfgFlqZGOO.exe"
              PID: 3832
          [6] C:\Users\Admin\Pictures\Adobe Films\lar5OaE93kc3QiPt6proJfON.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\lar5OaE93kc3QiPt6proJfON.exe"
              PID: 2448
          [6] C:\Users\Admin\Pictures\Adobe Films\2DC4zWaKe0c5rqQAISCoAb04.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\2DC4zWaKe0c5rqQAISCoAb04.exe"
              PID: 4656
            [7] C:\Users\Admin\AppData\Local\Temp\7zS372F.tmp\Install.exe
                cmdline: .\Install.exe
                PID: 5288
              [8] C:\Users\Admin\AppData\Local\Temp\7zS5A28.tmp\Install.exe
                  cmdline: .\Install.exe /S /site_id "525403"
                  PID: 5664
          [6] C:\Users\Admin\Pictures\Adobe Films\yyimQKvpHmn2jpoD5dAnBCpr.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\yyimQKvpHmn2jpoD5dAnBCpr.exe"
              PID: 2044
          [6] C:\Users\Admin\Pictures\Adobe Films\mQtNTc4ynfpmopcLeXK0IOCE.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\mQtNTc4ynfpmopcLeXK0IOCE.exe"
              PID: 3192
          [6] C:\Users\Admin\Pictures\Adobe Films\JW0zYvb7iowChPhQDmmZnlta.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\JW0zYvb7iowChPhQDmmZnlta.exe"
              PID: 4928
          [6] C:\Users\Admin\Pictures\Adobe Films\Ee0nHoRPX5POR8ADJ9zFwOLx.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\Ee0nHoRPX5POR8ADJ9zFwOLx.exe"
              PID: 2352
          [6] C:\Users\Admin\Pictures\Adobe Films\IPDDiwQlaqk9cQRTyL5V1D49.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\IPDDiwQlaqk9cQRTyL5V1D49.exe"
              PID: 192
          [6] C:\Users\Admin\Pictures\Adobe Films\h5NYBiiXEmX32cVjFnbQllov.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\h5NYBiiXEmX32cVjFnbQllov.exe"
              PID: 204
          [6] C:\Users\Admin\Pictures\Adobe Films\M939kRmQhirIPRoWq6YqFBWP.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\M939kRmQhirIPRoWq6YqFBWP.exe"
              PID: 2832
              signatures: Drops file in Program Files directory; Suspicious use of FindShellTrayWindow
          [6] C:\Users\Admin\Pictures\Adobe Films\zG3tHipyQ7LpXbwzPPKGi4C4.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\zG3tHipyQ7LpXbwzPPKGi4C4.exe"
              PID: 2964
          [6] C:\Users\Admin\Pictures\Adobe Films\7XsVzVoc44lFz6Pt3NJTChdV.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\7XsVzVoc44lFz6Pt3NJTChdV.exe"
              PID: 2268
          [6] C:\Users\Admin\Pictures\Adobe Films\4INUL6YhM7FrpgiXnHaDA7qK.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\4INUL6YhM7FrpgiXnHaDA7qK.exe"
              PID: 2968
          [6] C:\Users\Admin\Pictures\Adobe Films\I8nj8crYNWTFJ9eB7p8DiSo2.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\I8nj8crYNWTFJ9eB7p8DiSo2.exe"
              PID: 3236
          [6] C:\Users\Admin\Pictures\Adobe Films\2jE7czQlXjeac6ypxoYa0ZCR.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\2jE7czQlXjeac6ypxoYa0ZCR.exe"
              PID: 1396
          [6] C:\Users\Admin\Pictures\Adobe Films\GgGVdh4X1FiBZsSIRilq8uz6.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\GgGVdh4X1FiBZsSIRilq8uz6.exe"
              PID: 2440
          [6] C:\Users\Admin\Pictures\Adobe Films\uRn9cFqfP5ZywV1K7jcLmcNb.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\uRn9cFqfP5ZywV1K7jcLmcNb.exe"
              PID: 3176
            [7] C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 400
                PID: 5176
                signatures: Program crash
          [6] C:\Users\Admin\Pictures\Adobe Films\yaQ0sXyIIFi43VfCVlRdnMYC.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\yaQ0sXyIIFi43VfCVlRdnMYC.exe"
              PID: 4340
          [6] C:\Users\Admin\Pictures\Adobe Films\eBArWrp_0PF7RvTFFyENe1ck.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\eBArWrp_0PF7RvTFFyENe1ck.exe"
              PID: 2976
          [6] C:\Users\Admin\Pictures\Adobe Films\frbVMvUMiGVTi6xP49byhLDf.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\frbVMvUMiGVTi6xP49byhLDf.exe"
              PID: 5168
          [6] C:\Users\Admin\Pictures\Adobe Films\0_zfF1U5YV_AvXCkoOQCY_qM.exe
              cmdline: "C:\Users\Admin\Pictures\Adobe Films\0_zfF1U5YV_AvXCkoOQCY_qM.exe"
              PID: 5320
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c Wed16d7a95b10861.exe
          PID: 4832
        [5] C:\Users\Admin\AppData\Local\Temp\7zS06664586\Wed16d7a95b10861.exe
            cmdline: Wed16d7a95b10861.exe
            PID: 408
            signatures: Executes dropped EXE; Modifies registry class
          [6] C:\Windows\SysWOW64\control.exe
              cmdline: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\nQBIF.cPl",
              PID: 1016
            [7] C:\Windows\SysWOW64\rundll32.exe
                cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\nQBIF.cPl",
                PID: 3540

[1] C:\Windows\system32\rundll32.exe
    cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    PID: 4192
    signatures: Process spawned unexpected child process
  [2] C:\Windows\SysWOW64\rundll32.exe
      cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
      PID: 4704

[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k SystemNetworkService
    PID: 3444