Analysis

Max time kernel: 43s
Max time network: 149s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 25/12/2021, 19:11

Static task: static1
Behavioral task: behavioral1
Sample: 819C9D8C88FC1FFBFEAE1797646F7B90F930FEF4DAE51.exe
Resource: win7-en-20211208

General

Target: 819C9D8C88FC1FFBFEAE1797646F7B90F930FEF4DAE51.exe
Size: 6.2MB
MD5: 034469917307c8de1a984ac9fb025166
SHA1: a5ad1cb9bdbe68d25d4809e86abc1f8717e5582e
SHA256: 819c9d8c88fc1ffbfeae1797646f7b90f930fef4dae513fe8e43fad3bf475bf0
SHA512: f965845a9ee4eb187dd909bc1210e4239b8748f41976ef0dfa9523dedf58c673985cb202ea79402446fe50247cd683a95cfc8c48c1720fe887469bf6195ebaf4
Malware Config

Extracted: socelars
C2:
- http://www.iyiqian.com/
- http://www.hbgents.top/
- http://www.rsnzhy.com/
- http://www.znsjis.top/

Extracted: redline
Botnet: ANI
C2: 45.142.215.47:27643

Extracted: redline
Botnet: janera
C2: 65.108.20.195:6774

Extracted: redline
Botnet: matthew2009
C2: 213.166.69.181:64650
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (11 IoCs)
resource | yara_rule
- behavioral2/memory/2260-232-0x0000000000910000-0x0000000000F72000-memory.dmp | family_redline
- behavioral2/memory/2260-234-0x0000000000910000-0x0000000000F72000-memory.dmp | family_redline
- behavioral2/memory/2260-250-0x0000000005930000-0x0000000005F36000-memory.dmp | family_redline
- behavioral2/memory/2528-255-0x0000000004AB0000-0x0000000004AD6000-memory.dmp | family_redline
- behavioral2/memory/2024-267-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline
- behavioral2/memory/2024-265-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline
- behavioral2/memory/2024-259-0x000000000041C5CA-mapping.dmp | family_redline
- behavioral2/memory/2528-258-0x0000000004B20000-0x0000000004B44000-memory.dmp | family_redline
- behavioral2/memory/2024-257-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline
- behavioral2/memory/1640-284-0x000000000041C5FA-mapping.dmp | family_redline
- behavioral2/memory/1640-283-0x0000000000400000-0x0000000000422000-memory.dmp | family_redline

Socelars Payload (2 IoCs)
resource | yara_rule
- behavioral2/files/0x000500000001ab46-186.dat | family_socelars
- behavioral2/files/0x000500000001ab46-154.dat | family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoCs)
description | pid | Process | procid_target
- PID 3008 created 3808 | 3008 | WerFault.exe | 91

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Matches yara rule aspack_v212_v242 (7 IoCs)
resource | yara_rule
- behavioral2/files/0x000600000001ab34-123.dat | aspack_v212_v242
- behavioral2/files/0x000600000001ab34-127.dat | aspack_v212_v242
- behavioral2/files/0x000600000001ab34-126.dat | aspack_v212_v242
- behavioral2/files/0x000600000001ab35-125.dat | aspack_v212_v242
- behavioral2/files/0x000600000001ab35-122.dat | aspack_v212_v242
- behavioral2/files/0x000600000001ab37-129.dat | aspack_v212_v242
- behavioral2/files/0x000600000001ab37-131.dat | aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE (20 IoCs)
pid | Process
- 624 | setup_installer.exe
- 2232 | setup_install.exe
- 2420 | Thu13a7cef837ebe31b.exe
- 1424 | Thu135c06033a9903.exe
- 1496 | Thu1333d0a5c4.exe
- 1316 | Thu132d3beffccd.exe
- 1380 | Thu137fba5c145.exe
- 1800 | Thu139a4667a4bcc.exe
- 2528 | Thu13c4f61c88e.exe
- 2260 | Thu13057255b6f0.exe
- 3228 | Thu131b8cfbf6991de.exe
- 3808 | Thu1331399915bc.exe
- 2264 | Thu13b4c97dc09be.exe
- 3028 | Thu13e038722ba1359cc.exe
- 3188 | Thu135c06033a9903.tmp
- 1296 | Thu1357848a7d8b.exe
- 3856 | Thu131d30b4ff3be.exe
- 2024 | Thu137fba5c145.exe
- 1292 | Thu132d3beffccd.exe
- 1640 | Thu132d3beffccd.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Thu13057255b6f0.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Thu13057255b6f0.exe

Loads dropped DLL (7 IoCs)
pid | Process
- 2232 | setup_install.exe
- 2232 | setup_install.exe
- 2232 | setup_install.exe
- 2232 | setup_install.exe
- 2232 | setup_install.exe
- 2232 | setup_install.exe
- 3188 | Thu135c06033a9903.tmp

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Matches yara rule themida (4 IoCs)
resource | yara_rule
- behavioral2/memory/2260-232-0x0000000000910000-0x0000000000F72000-memory.dmp | themida
- behavioral2/memory/2260-234-0x0000000000910000-0x0000000000F72000-memory.dmp | themida
- behavioral2/files/0x000500000001ab3b-195.dat | themida
- behavioral2/files/0x000500000001ab3b-162.dat | themida

Checks whether UAC is enabled (1 IoCs)
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Thu13057255b6f0.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
- 26 | ip-api.com
- 107 | ipinfo.io
- 108 | ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid | Process
- 2260 | Thu13057255b6f0.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
- PID 1380 set thread context of 2024 | 1380 | Thu137fba5c145.exe | 106
- PID 1316 set thread context of 1640 | 1316 | Thu132d3beffccd.exe | 108

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (10 IoCs)
pid | pid_target | Process | procid_target
- 3852 | 2232 | WerFault.exe | 70
- 2088 | 1800 | WerFault.exe | 84
- 3008 | 3808 | WerFault.exe | 91
- 4412 | 3228 | WerFault.exe | 93
- 4504 | 3228 | WerFault.exe | 93
- 4596 | 3228 | WerFault.exe | 93
- 4648 | 3228 | WerFault.exe | 93
- 4752 | 3228 | WerFault.exe | 93
- 4948 | 3228 | WerFault.exe | 93
- 3160 | 4776 | WerFault.exe | 144

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Thu131d30b4ff3be.exe
- Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Thu131d30b4ff3be.exe
- Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Thu131d30b4ff3be.exe

Kills process with taskkill (1 IoCs)
pid | Process
- 2200 | taskkill.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (the report lists 64 rows; each pair below appears repeatedly)
- 2260 | Thu13057255b6f0.exe
- 3852 | WerFault.exe
- 1656 | powershell.exe
- 3856 | Thu131d30b4ff3be.exe
- 2088 | WerFault.exe
- 3008 | WerFault.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
pid | Process
- 3856 | Thu131d30b4ff3be.exe

Suspicious use of AdjustPrivilegeToken (48 IoCs)
description | pid | Process
- 1800 Thu139a4667a4bcc.exe, one row per token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
- Token: SeDebugPrivilege | 3028 | Thu13e038722ba1359cc.exe
- Token: SeRestorePrivilege | 3852 | WerFault.exe
- Token: SeBackupPrivilege | 3852 | WerFault.exe
- Token: SeDebugPrivilege | 1656 | powershell.exe
- Token: SeDebugPrivilege | 1296 | Thu1357848a7d8b.exe
- Token: SeDebugPrivilege | 3852 | WerFault.exe
- Token: SeDebugPrivilege | 2200 | taskkill.exe
- Token: SeDebugPrivilege | 2088 | WerFault.exe
- Token: SeDebugPrivilege | 3008 | WerFault.exe
- Token: SeDebugPrivilege | 4412 | WerFault.exe
- Token: SeDebugPrivilege | 4504 | WerFault.exe
- Token: SeDebugPrivilege | 4596 | WerFault.exe
- Token: SeDebugPrivilege | 4648 | WerFault.exe
- Token: SeDebugPrivilege | 4752 | WerFault.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target (each row appears three times in the report unless noted)
- PID 3780 wrote to memory of 624 | 3780 | 819C9D8C88FC1FFBFEAE1797646F7B90F930FEF4DAE51.exe | 69
- PID 624 wrote to memory of 2232 | 624 | setup_installer.exe | 70
- PID 2232 wrote to memory of 3376 | 2232 | setup_install.exe | 73
- PID 2232 wrote to memory of 2632 | 2232 | setup_install.exe | 74
- PID 2232 wrote to memory of 1272 | 2232 | setup_install.exe | 75
- PID 2232 wrote to memory of 1420 | 2232 | setup_install.exe | 105
- PID 2232 wrote to memory of 2116 | 2232 | setup_install.exe | 76
- PID 2232 wrote to memory of 1320 | 2232 | setup_install.exe | 77
- PID 2232 wrote to memory of 1348 | 2232 | setup_install.exe | 104
- PID 2232 wrote to memory of 2712 | 2232 | setup_install.exe | 103
- PID 2232 wrote to memory of 1144 | 2232 | setup_install.exe | 78
- PID 2232 wrote to memory of 2080 | 2232 | setup_install.exe | 79
- PID 2232 wrote to memory of 1428 | 2232 | setup_install.exe | 80
- PID 2232 wrote to memory of 60 | 2232 | setup_install.exe | 81
- PID 2632 wrote to memory of 2420 | 2632 | cmd.exe | 82
- PID 2232 wrote to memory of 2736 | 2232 | setup_install.exe | 102
- PID 1420 wrote to memory of 1316 | 1420 | cmd.exe | 101
- PID 2116 wrote to memory of 1424 | 2116 | cmd.exe | 100
- PID 1272 wrote to memory of 1496 | 1272 | cmd.exe | 83
- PID 2232 wrote to memory of 1692 | 2232 | setup_install.exe | 98
- PID 2712 wrote to memory of 1380 | 2712 | cmd.exe | 99
- PID 3376 wrote to memory of 1656 | 3376 | cmd.exe | 97 (one row; the table is cut off at 64 rows)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\819C9D8C88FC1FFBFEAE1797646F7B90F930FEF4DAE51.exe (PID 3780)
    cmd: "C:\Users\Admin\AppData\Local\Temp\819C9D8C88FC1FFBFEAE1797646F7B90F930FEF4DAE51.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe (PID 624)
      cmd: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\7zS0723C316\setup_install.exe (PID 2232)
        cmd: "C:\Users\Admin\AppData\Local\Temp\7zS0723C316\setup_install.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 3376)
          cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1656)
            cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2632)
          cmd: C:\Windows\system32\cmd.exe /c Thu13a7cef837ebe31b.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu13a7cef837ebe31b.exe (PID 2420)
            cmd: Thu13a7cef837ebe31b.exe
            - Executes dropped EXE
          [6] C:\Users\Admin\Pictures\Adobe Films\9KIN69wJR7AKohFOKaFWAy76.exe (PID 5044)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\9KIN69wJR7AKohFOKaFWAy76.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\6Wtiauv9WCjJKOGx4igD2Jmd.exe (PID 4500)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\6Wtiauv9WCjJKOGx4igD2Jmd.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\VVfR9XYWSW3P76nFiCI6tgkA.exe (PID 4488)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\VVfR9XYWSW3P76nFiCI6tgkA.exe"
            [7] C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe (PID 4724)
                cmd: "C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
            [7] C:\Program Files (x86)\Company\NewProduct\rtst1039.exe (PID 2660)
                cmd: "C:\Program Files (x86)\Company\NewProduct\rtst1039.exe"
            [7] C:\Program Files (x86)\Company\NewProduct\inst2.exe (PID 4676)
                cmd: "C:\Program Files (x86)\Company\NewProduct\inst2.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\yt8oCnbhHAwaBZcjsBUqGzFq.exe (PID 4400)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\yt8oCnbhHAwaBZcjsBUqGzFq.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\AiL5fgZ1TlyroxJdJ7LFcIkf.exe (PID 4476)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\AiL5fgZ1TlyroxJdJ7LFcIkf.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\BNNXORXyasSW5XvokTUvozMc.exe (PID 2956)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\BNNXORXyasSW5XvokTUvozMc.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\iFVz9HRIit_90nJPXaXu3zvc.exe (PID 4428)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\iFVz9HRIit_90nJPXaXu3zvc.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\fwJCjRXBkFejOvSm2bSqOLvH.exe (PID 4416)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\fwJCjRXBkFejOvSm2bSqOLvH.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\Y_ka9fgsy7AFnZgsCRTic9Iq.exe (PID 4464)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\Y_ka9fgsy7AFnZgsCRTic9Iq.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\NwaViJo787Bz6ClmC7Nk4hhe.exe (PID 4460)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\NwaViJo787Bz6ClmC7Nk4hhe.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\kh5J2xJvTayCm0cDmOtWpVNw.exe (PID 4448)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\kh5J2xJvTayCm0cDmOtWpVNw.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\dAUJZGXkDgiPWmzfDyZjzr44.exe (PID 4444)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\dAUJZGXkDgiPWmzfDyZjzr44.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\4sWAqp8isdfp14bSF_MNGERz.exe (PID 4424)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\4sWAqp8isdfp14bSF_MNGERz.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\9pwScL3GdiOKr0hg2JE_rJPn.exe (PID 4388)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\9pwScL3GdiOKr0hg2JE_rJPn.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\5b79NzT_Yjfs_q6bpDXJfurt.exe (PID 4376)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\5b79NzT_Yjfs_q6bpDXJfurt.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\RbfyXHqO2tzvS9HX5UL2FDnG.exe (PID 4372)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\RbfyXHqO2tzvS9HX5UL2FDnG.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\2gMOK10z2l64lXCc5tyNiEfR.exe (PID 3856)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\2gMOK10z2l64lXCc5tyNiEfR.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\eQDP6jhPkHeNvEXFwiVG0RL2.exe (PID 4348)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\eQDP6jhPkHeNvEXFwiVG0RL2.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\HZINPOIZFEAxD5fkPWHFAms8.exe (PID 4336)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\HZINPOIZFEAxD5fkPWHFAms8.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\4tyrzcjyU8NQewDfDRn9h1cw.exe (PID 4332)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\4tyrzcjyU8NQewDfDRn9h1cw.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\YTY9xH9NIuNzyJWryvpunZwj.exe (PID 4800)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\YTY9xH9NIuNzyJWryvpunZwj.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\vIiQCoLaAuKFThK158GcH1jF.exe (PID 4776)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\vIiQCoLaAuKFThK158GcH1jF.exe"
            [7] C:\Windows\SysWOW64\WerFault.exe (PID 3160)
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 400
                - Program crash
          [6] C:\Users\Admin\Pictures\Adobe Films\5cQ30vu3dSzxHQU5J7980Cnw.exe (PID 608)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\5cQ30vu3dSzxHQU5J7980Cnw.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\WqbVqWp3IL3NUIIiowU6wD2F.exe (PID 404)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\WqbVqWp3IL3NUIIiowU6wD2F.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\mfT4nsQlu4wX1PJ9Ptjuj7CZ.exe (PID 4748)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\mfT4nsQlu4wX1PJ9Ptjuj7CZ.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\CXC7HNS4nhmjB7HsnsDNk3H6.exe (PID 4732)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\CXC7HNS4nhmjB7HsnsDNk3H6.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\EVVs5dVOjZcEMJp2pUt05APX.exe (PID 4716)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\EVVs5dVOjZcEMJp2pUt05APX.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\_N3hQPhPklwj7yoy_i0GRfLp.exe (PID 4652)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\_N3hQPhPklwj7yoy_i0GRfLp.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\ob_DkBa7yHu8fVcLaD47nHlp.exe (PID 4700)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\ob_DkBa7yHu8fVcLaD47nHlp.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\Yf7NHzPdgiYWjjEXwOvfOpRx.exe (PID 4692)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\Yf7NHzPdgiYWjjEXwOvfOpRx.exe"
            [7] C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe (PID 4188)
                cmd: "C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\o96Ze6RM53cC9sIzrOREwYaB.exe (PID 4680)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\o96Ze6RM53cC9sIzrOREwYaB.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\9TffQJMn9lcuykQU8UJ3vHoI.exe (PID 4664)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\9TffQJMn9lcuykQU8UJ3vHoI.exe"
          [6] C:\Users\Admin\Pictures\Adobe Films\dWdYhNyMaGywMJUPwSb5D_ba.exe (PID 4644)
              cmd: "C:\Users\Admin\Pictures\Adobe Films\dWdYhNyMaGywMJUPwSb5D_ba.exe"
            [7] C:\Users\Admin\AppData\Local\Temp\7zS5DE.tmp\Install.exe (PID 4752)
                cmd: .\Install.exe
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1272)
          cmd: C:\Windows\system32\cmd.exe /c Thu1333d0a5c4.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu1333d0a5c4.exe (PID 1496)
            cmd: Thu1333d0a5c4.exe
            - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2116)
          cmd: C:\Windows\system32\cmd.exe /c Thu135c06033a9903.exe
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu135c06033a9903.exe (PID 1424)
            cmd: Thu135c06033a9903.exe
            - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1320)
          cmd: C:\Windows\system32\cmd.exe /c Thu139a4667a4bcc.exe
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu139a4667a4bcc.exe (PID 1800)
            cmd: Thu139a4667a4bcc.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\cmd.exe (PID 1772)
              cmd: cmd.exe /c taskkill /f /im chrome.exe
            [7] C:\Windows\SysWOW64\taskkill.exe (PID 2200)
                cmd: taskkill /f /im chrome.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\SysWOW64\WerFault.exe (PID 2088)
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1712
              - Program crash
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1144)
          cmd: C:\Windows\system32\cmd.exe /c Thu13c4f61c88e.exe
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu13c4f61c88e.exe (PID 2528)
            cmd: Thu13c4f61c88e.exe
            - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2080)
          cmd: C:\Windows\system32\cmd.exe /c Thu13057255b6f0.exe
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu13057255b6f0.exe (PID 2260)
            cmd: Thu13057255b6f0.exe
            - Executes dropped EXE
            - Checks BIOS information in registry
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1428)
          cmd: C:\Windows\system32\cmd.exe /c Thu13b4c97dc09be.exe
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu13b4c97dc09be.exe (PID 2264)
            cmd: Thu13b4c97dc09be.exe
            - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe (PID 60)
          cmd: C:\Windows\system32\cmd.exe /c Thu1331399915bc.exe
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu1331399915bc.exe (PID 3808)
            cmd: Thu1331399915bc.exe
            - Executes dropped EXE
          [6] C:\Windows\SysWOW64\WerFault.exe (PID 3008)
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1436
              - Suspicious use of NtCreateProcessExOtherParentProcess
              - Program crash
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\WerFault.exe (PID 3852)
          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 596
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2032)
          cmd: C:\Windows\system32\cmd.exe /c Thu1357848a7d8b.exe
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1692)
          cmd: C:\Windows\system32\cmd.exe /c Thu13e038722ba1359cc.exe
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2736)
          cmd: C:\Windows\system32\cmd.exe /c Thu131d30b4ff3be.exe
      [4] C:\Windows\SysWOW64\cmd.exe (PID 2712)
          cmd: C:\Windows\system32\cmd.exe /c Thu137fba5c145.exe
          - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1348)
          cmd: C:\Windows\system32\cmd.exe /c Thu131b8cfbf6991de.exe /mixone
      [4] C:\Windows\SysWOW64\cmd.exe (PID 1420)
          cmd: C:\Windows\system32\cmd.exe /c Thu132d3beffccd.exe
          - Suspicious use of WriteProcessMemory

[1] C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu1357848a7d8b.exe (PID 1296)
    cmd: Thu1357848a7d8b.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu131d30b4ff3be.exe (PID 3856)
    cmd: Thu131d30b4ff3be.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

[1] C:\Users\Admin\AppData\Local\Temp\is-5JAQB.tmp\Thu135c06033a9903.tmp (PID 3188)
    cmd: "C:\Users\Admin\AppData\Local\Temp\is-5JAQB.tmp\Thu135c06033a9903.tmp" /SL5="$30084,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu135c06033a9903.exe"
    - Executes dropped EXE
    - Loads dropped DLL

[1] C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu13e038722ba1359cc.exe (PID 3028)
    cmd: Thu13e038722ba1359cc.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu131b8cfbf6991de.exe (PID 3228)
    cmd: Thu131b8cfbf6991de.exe /mixone
    - Executes dropped EXE
  [2] C:\Windows\SysWOW64\WerFault.exe (PID 4412)
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 660
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\WerFault.exe (PID 4504)
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 676
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\WerFault.exe (PID 4596)
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 680
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\WerFault.exe (PID 4648)
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 812
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\WerFault.exe (PID 4752)
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 844
      - Program crash
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\SysWOW64\WerFault.exe (PID 4948)
      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 900
      - Program crash

[1] C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu137fba5c145.exe (PID 1380)
    cmd: Thu137fba5c145.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
  [2] C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu137fba5c145.exe (PID 2024)
      cmd: C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu137fba5c145.exe
      - Executes dropped EXE

[1] C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu132d3beffccd.exe (PID 1316)
    cmd: Thu132d3beffccd.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
  [2] C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu132d3beffccd.exe (PID 1292)
      cmd: C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu132d3beffccd.exe
      - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu132d3beffccd.exe (PID 1640)
      cmd: C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu132d3beffccd.exe
      - Executes dropped EXE