Analysis

max time kernel: 151s
max time network: 148s
platform: windows7_x64
resource: win7-en-20211208
submitted: 27/12/2021, 00:11

Static task: static1
Behavioral task: behavioral1
Sample: a485cb752e66e54c92ef00a9ae8f2eba.exe
Resource: win7-en-20211208

General

Target: a485cb752e66e54c92ef00a9ae8f2eba.exe
Size: 6.4MB
MD5: a485cb752e66e54c92ef00a9ae8f2eba
SHA1: c267fb5e1d5bd1abd6b3d4d4faea91587b600586
SHA256: 1d7c3a08d1e69e704039850f64a88363fc6c9f3721907aa3c0d8165ae20de3a1
SHA512: c8b4a0c892f00a395ad01edcc2798f1ba51c1efe94b7579c5f857277658f6ce18e6da46dfde3969fd1dfc45083de68552b86a8d16658816f2c91c8eec2b278b1

Malware Config

Extracted: socelars
  http://www.chosenncrowned.com/

Extracted: vidar
  49.2
  915
  https://mstdn.social/@kipriauk9
  https://qoto.org/@kipriauk8
  profile_id: 915

Extracted: smokeloader
  2020
  http://rcacademy.at/upload/
  http://e-lanpengeonline.com/upload/
  http://vjcmvz.cn/upload/
  http://galala.ru/upload/
  http://witra.ru/upload/
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload 2 IoCs
resource                                      yara_rule
behavioral1/files/0x00060000000132db-148.dat  family_socelars
behavioral1/files/0x00060000000132db-185.dat  family_socelars

NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
resource                                                                      yara_rule
behavioral1/files/0x0006000000013096-109.dat                                  WebBrowserPassView
behavioral1/files/0x0006000000013096-166.dat                                  WebBrowserPassView
behavioral1/files/0x0006000000013096-172.dat                                  WebBrowserPassView
behavioral1/memory/2272-213-0x0000000000400000-0x000000000047C000-memory.dmp  WebBrowserPassView

Nirsoft 5 IoCs
resource                                                                      yara_rule
behavioral1/files/0x0006000000013096-109.dat                                  Nirsoft
behavioral1/files/0x0006000000013096-166.dat                                  Nirsoft
behavioral1/files/0x0006000000013096-172.dat                                  Nirsoft
behavioral1/memory/2192-208-0x0000000000400000-0x0000000000455000-memory.dmp  Nirsoft
behavioral1/memory/2272-213-0x0000000000400000-0x000000000047C000-memory.dmp  Nirsoft

Vidar Stealer 2 IoCs
resource                                                                      yara_rule
behavioral1/memory/1400-204-0x0000000001FA0000-0x0000000002075000-memory.dmp  family_vidar
behavioral1/memory/1400-205-0x0000000000400000-0x0000000000535000-memory.dmp  family_vidar

resource                                     yara_rule
behavioral1/files/0x00060000000134d9-70.dat  aspack_v212_v242
behavioral1/files/0x00060000000134d9-71.dat  aspack_v212_v242
behavioral1/files/0x00060000000133dd-72.dat  aspack_v212_v242
behavioral1/files/0x00060000000133dd-73.dat  aspack_v212_v242
behavioral1/files/0x00060000000138be-76.dat  aspack_v212_v242
behavioral1/files/0x00060000000138be-77.dat  aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 21 IoCs
pid   Process
524   setup_installer.exe
1392  setup_install.exe
1400  Fri0573cd0e4548.exe
1732  Fri055ab567d9ab89d73.exe
1940  Fri0519054cecb36fc1b.exe
456   Fri05e80376d7965136.exe
1468  Fri053a5ee7e3db.exe
1240  Fri0506cb2ead94f.exe
976   Fri059521701074cbcde.exe
1676  Fri05cac54300eb.exe
280   Fri0573351d0136.exe
1128  Fri05c25ad4f6fe4.exe
1280  Fri0550507893048c.exe
2192  11111.exe
2272  11111.exe
2564  Fri05d87299ab2865e.exe
2748  aXsiEubc0n7fJWBLEuPsyQeI.exe
2860  Fri0573351d0136.exe
3056  Fri0573351d0136.exe
1088  560C.exe
1068  560C.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                    Process
Key value queried  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\International\Geo\Nation  Fri0506cb2ead94f.exe

Loads dropped DLL 64 IoCs
pid Process 836 a485cb752e66e54c92ef00a9ae8f2eba.exe 524 setup_installer.exe 524 setup_installer.exe 524 setup_installer.exe 524 setup_installer.exe 524 setup_installer.exe 524 setup_installer.exe 1392 setup_install.exe 1392 setup_install.exe 1392 setup_install.exe 1392 setup_install.exe 1392 setup_install.exe 1392 setup_install.exe 1392 setup_install.exe 1392 setup_install.exe 1616 cmd.exe 832 cmd.exe 832 cmd.exe 1696 cmd.exe 1400 Fri0573cd0e4548.exe 1400 Fri0573cd0e4548.exe 1488 cmd.exe 1416 cmd.exe 708 cmd.exe 1544 cmd.exe 1940 Fri0519054cecb36fc1b.exe 1940 Fri0519054cecb36fc1b.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1728 cmd.exe 1728 cmd.exe 1600 cmd.exe 976 Fri059521701074cbcde.exe 976 Fri059521701074cbcde.exe 1020 cmd.exe 1020 cmd.exe 1560 cmd.exe 1560 cmd.exe 1676 Fri05cac54300eb.exe 1676 Fri05cac54300eb.exe 280 Fri0573351d0136.exe 280 Fri0573351d0136.exe 1208 cmd.exe 1280 Fri0550507893048c.exe 1280 Fri0550507893048c.exe 2192 11111.exe 2192 11111.exe 2272 11111.exe 2272 11111.exe 316 cmd.exe 2564 Fri05d87299ab2865e.exe 2564 Fri05d87299ab2865e.exe 2352 rundll32.exe 2352 rundll32.exe 2352 rundll32.exe 2352 rundll32.exe 2684 rundll32.exe 2684 rundll32.exe 2684 rundll32.exe 2684 rundll32.exe 1240 Fri0506cb2ead94f.exe 280 Fri0573351d0136.exe 280 Fri0573351d0136.exe 3056 Fri0573351d0136.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
16    ip-api.com
40    ipinfo.io
42    ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 2 IoCs
description                          pid   Process              procid_target
PID 280 set thread context of 3056   280   Fri0573351d0136.exe  79
PID 1088 set thread context of 1068  1088  560C.exe             87

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 1 IoCs
pid   pid_target  Process       procid_target
3044  1240        WerFault.exe  54

Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description     ioc                                               Process
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Fri059521701074cbcde.exe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Fri059521701074cbcde.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  Fri059521701074cbcde.exe

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                  Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     Fri0573cd0e4548.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Fri0573cd0e4548.exe

Delays execution with timeout.exe 1 IoCs
pid   Process
2292  timeout.exe

Kills process with taskkill 2 IoCs
pid   Process
2196  taskkill.exe
2592  taskkill.exe

Modifies system certificate store
description       ioc                                                                                                                        Process
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436       Fri05cac54300eb.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob  Fri05cac54300eb.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1700 powershell.exe 1068 powershell.exe 2272 11111.exe 976 Fri059521701074cbcde.exe 976 Fri059521701074cbcde.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 1240 Fri0506cb2ead94f.exe 2748 aXsiEubc0n7fJWBLEuPsyQeI.exe 2748 aXsiEubc0n7fJWBLEuPsyQeI.exe 2748 aXsiEubc0n7fJWBLEuPsyQeI.exe 2748 aXsiEubc0n7fJWBLEuPsyQeI.exe 2748 aXsiEubc0n7fJWBLEuPsyQeI.exe 2748 aXsiEubc0n7fJWBLEuPsyQeI.exe 2748 aXsiEubc0n7fJWBLEuPsyQeI.exe 2748 aXsiEubc0n7fJWBLEuPsyQeI.exe 2748 aXsiEubc0n7fJWBLEuPsyQeI.exe 2748 aXsiEubc0n7fJWBLEuPsyQeI.exe 2748 aXsiEubc0n7fJWBLEuPsyQeI.exe 2748 aXsiEubc0n7fJWBLEuPsyQeI.exe 2748 aXsiEubc0n7fJWBLEuPsyQeI.exe 2748 aXsiEubc0n7fJWBLEuPsyQeI.exe 2748 aXsiEubc0n7fJWBLEuPsyQeI.exe 2748 aXsiEubc0n7fJWBLEuPsyQeI.exe 2748 aXsiEubc0n7fJWBLEuPsyQeI.exe 2748 aXsiEubc0n7fJWBLEuPsyQeI.exe 2748 aXsiEubc0n7fJWBLEuPsyQeI.exe 2748 aXsiEubc0n7fJWBLEuPsyQeI.exe 1380 Process not Found 2748 aXsiEubc0n7fJWBLEuPsyQeI.exe 1380 Process not Found 2748 aXsiEubc0n7fJWBLEuPsyQeI.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
1380  Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs
pid   Process
976   Fri059521701074cbcde.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs
pid   Process                   Token
1676  Fri05cac54300eb.exe       SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35 (34 IoCs)
1700  powershell.exe            SeDebugPrivilege
1068  powershell.exe            SeDebugPrivilege
280   Fri0573351d0136.exe       SeDebugPrivilege
2592  taskkill.exe              SeDebugPrivilege
2196  taskkill.exe              SeDebugPrivilege
1088  560C.exe                  SeDebugPrivilege
1380  Process not Found         SeShutdownPrivilege
1732  Fri055ab567d9ab89d73.exe  SeDebugPrivilege

Suspicious use of WriteProcessMemory 64 IoCs
description                       pid   Process                               procid_target  occurrences
PID 836 wrote to memory of 524    836   a485cb752e66e54c92ef00a9ae8f2eba.exe  27             7
PID 524 wrote to memory of 1392   524   setup_installer.exe                   28             7
PID 1392 wrote to memory of 1760  1392  setup_install.exe                     30             7
PID 1392 wrote to memory of 1088  1392  setup_install.exe                     31             7
PID 1392 wrote to memory of 1488  1392  setup_install.exe                     32             7
PID 1392 wrote to memory of 832   1392  setup_install.exe                     33             7
PID 1392 wrote to memory of 1544  1392  setup_install.exe                     34             7
PID 1392 wrote to memory of 1616  1392  setup_install.exe                     35             7
PID 1392 wrote to memory of 316   1392  setup_install.exe                     37             7
PID 1088 wrote to memory of 1700  1088  cmd.exe                               36             1

Processes

C:\Users\Admin\AppData\Local\Temp\a485cb752e66e54c92ef00a9ae8f2eba.exe (PID 836)
  command line: "C:\Users\Admin\AppData\Local\Temp\a485cb752e66e54c92ef00a9ae8f2eba.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\setup_installer.exe (PID 524)
    command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\7zSC024FDF5\setup_install.exe (PID 1392)
      command line: "C:\Users\Admin\AppData\Local\Temp\7zSC024FDF5\setup_install.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (PID 1760)
        command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1068)
          command line: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\cmd.exe (PID 1088)
        command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1700)
          command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\cmd.exe (PID 1488)
        command line: C:\Windows\system32\cmd.exe /c Fri05e80376d7965136.exe
        - Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zSC024FDF5\Fri05e80376d7965136.exe (PID 456)
          command line: Fri05e80376d7965136.exe
          - Executes dropped EXE
      C:\Windows\SysWOW64\cmd.exe (PID 832)
        command line: C:\Windows\system32\cmd.exe /c Fri0573cd0e4548.exe
        - Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zSC024FDF5\Fri0573cd0e4548.exe (PID 1400)
          command line: Fri0573cd0e4548.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks processor information in registry
          C:\Windows\SysWOW64\cmd.exe (PID 2120)
            command line: "C:\Windows\System32\cmd.exe" /c taskkill /im Fri0573cd0e4548.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSC024FDF5\Fri0573cd0e4548.exe" & del C:\ProgramData\*.dll & exit
            C:\Windows\SysWOW64\taskkill.exe (PID 2196)
              command line: taskkill /im Fri0573cd0e4548.exe /f
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\timeout.exe (PID 2292)
              command line: timeout /t 6
              - Delays execution with timeout.exe
      C:\Windows\SysWOW64\cmd.exe (PID 1544)
        command line: C:\Windows\system32\cmd.exe /c Fri053a5ee7e3db.exe
        - Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zSC024FDF5\Fri053a5ee7e3db.exe (PID 1468)
          command line: Fri053a5ee7e3db.exe
          - Executes dropped EXE
          C:\Users\Admin\AppData\Local\Temp\11111.exe (PID 2192)
            command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            - Executes dropped EXE
            - Loads dropped DLL
          C:\Users\Admin\AppData\Local\Temp\11111.exe (PID 2272)
            command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
      C:\Windows\SysWOW64\cmd.exe (PID 1616)
        command line: C:\Windows\system32\cmd.exe /c Fri055ab567d9ab89d73.exe
        - Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zSC024FDF5\Fri055ab567d9ab89d73.exe (PID 1732)
          command line: Fri055ab567d9ab89d73.exe
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\cmd.exe (PID 316)
        command line: C:\Windows\system32\cmd.exe /c Fri05d87299ab2865e.exe
        - Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zSC024FDF5\Fri05d87299ab2865e.exe (PID 2564)
          command line: Fri05d87299ab2865e.exe
          - Executes dropped EXE
          - Loads dropped DLL
          C:\Windows\SysWOW64\control.exe (PID 2652)
            command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\KGG6K.cpL",
            C:\Windows\SysWOW64\rundll32.exe (PID 2684)
              command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\KGG6K.cpL",
              - Loads dropped DLL
      C:\Windows\SysWOW64\cmd.exe (PID 1696)
        command line: C:\Windows\system32\cmd.exe /c Fri05f64325d01.exe
        - Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zSC024FDF5\Fri05f64325d01.exe (PID 888)
          command line: Fri05f64325d01.exe
      C:\Windows\SysWOW64\cmd.exe (PID 1888)
        command line: C:\Windows\system32\cmd.exe /c Fri058313bd59e.exe
      C:\Windows\SysWOW64\cmd.exe (PID 1528)
        command line: C:\Windows\system32\cmd.exe /c Fri0510f5b933f.exe /mixtwo
      C:\Windows\SysWOW64\cmd.exe (PID 1416)
        command line: C:\Windows\system32\cmd.exe /c Fri0519054cecb36fc1b.exe
        - Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zSC024FDF5\Fri0519054cecb36fc1b.exe (PID 1940)
          command line: Fri0519054cecb36fc1b.exe
          - Executes dropped EXE
          - Loads dropped DLL
      C:\Windows\SysWOW64\cmd.exe (PID 1728)
        command line: C:\Windows\system32\cmd.exe /c Fri059521701074cbcde.exe
        - Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zSC024FDF5\Fri059521701074cbcde.exe (PID 976)
          command line: Fri059521701074cbcde.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks SCSI registry key(s)
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
      C:\Windows\SysWOW64\cmd.exe (PID 1600)
        command line: C:\Windows\system32\cmd.exe /c Fri05cac54300eb.exe
        - Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zSC024FDF5\Fri05cac54300eb.exe (PID 1676)
          command line: Fri05cac54300eb.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Modifies system certificate store
          - Suspicious use of AdjustPrivilegeToken
          C:\Windows\SysWOW64\cmd.exe (PID 2540)
            command line: cmd.exe /c taskkill /f /im chrome.exe
            C:\Windows\SysWOW64\taskkill.exe (PID 2592)
              command line: taskkill /f /im chrome.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
      C:\Windows\SysWOW64\cmd.exe (PID 1560)
        command line: C:\Windows\system32\cmd.exe /c Fri0573351d0136.exe
        - Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zSC024FDF5\Fri0573351d0136.exe (PID 280)
          command line: Fri0573351d0136.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious use of AdjustPrivilegeToken
          C:\Users\Admin\AppData\Local\Temp\7zSC024FDF5\Fri0573351d0136.exe (PID 2860)
            command line: C:\Users\Admin\AppData\Local\Temp\7zSC024FDF5\Fri0573351d0136.exe
            - Executes dropped EXE
          C:\Users\Admin\AppData\Local\Temp\7zSC024FDF5\Fri0573351d0136.exe (PID 3056)
            command line: C:\Users\Admin\AppData\Local\Temp\7zSC024FDF5\Fri0573351d0136.exe
            - Executes dropped EXE
            - Loads dropped DLL
      C:\Windows\SysWOW64\cmd.exe (PID 708)
        command line: C:\Windows\system32\cmd.exe /c Fri0506cb2ead94f.exe
        - Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zSC024FDF5\Fri0506cb2ead94f.exe (PID 1240)
          command line: Fri0506cb2ead94f.exe
          - Executes dropped EXE
          - Checks computer location settings
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          C:\Users\Admin\Pictures\Adobe Films\aXsiEubc0n7fJWBLEuPsyQeI.exe (PID 2748)
            command line: "C:\Users\Admin\Pictures\Adobe Films\aXsiEubc0n7fJWBLEuPsyQeI.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
          C:\Windows\SysWOW64\WerFault.exe (PID 3044)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 1512
            - Program crash
      C:\Windows\SysWOW64\cmd.exe (PID 1020)
        command line: C:\Windows\system32\cmd.exe /c Fri05c25ad4f6fe4.exe
        - Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zSC024FDF5\Fri05c25ad4f6fe4.exe (PID 1128)
          command line: Fri05c25ad4f6fe4.exe
          - Executes dropped EXE
      C:\Windows\SysWOW64\cmd.exe (PID 1208)
        command line: C:\Windows\system32\cmd.exe /c Fri0550507893048c.exe
        - Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zSC024FDF5\Fri0550507893048c.exe (PID 1280)
          command line: Fri0550507893048c.exe
          - Executes dropped EXE
          - Loads dropped DLL
          C:\Windows\SysWOW64\control.exe (PID 2324)
            command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\KGG6K.cpL",
            C:\Windows\SysWOW64\rundll32.exe (PID 2352)
              command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\KGG6K.cpL",
              - Loads dropped DLL

C:\Users\Admin\AppData\Local\Temp\560C.exe (PID 1088)
  command line: C:\Users\Admin\AppData\Local\Temp\560C.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\560C.exe (PID 1068)
    command line: C:\Users\Admin\AppData\Local\Temp\560C.exe
    - Executes dropped EXE