Overview
overview
10Static
static
10022e3c30a1...66.exe
windows7-x64
6022e3c30a1...66.exe
windows10-2004-x64
64d27dca0a1...ef.exe
windows7-x64
104d27dca0a1...ef.exe
windows10-2004-x64
10setup_installer.exe
windows7-x64
10setup_installer.exe
windows10-2004-x64
10578a3a7a2b...b3.exe
windows7-x64
10578a3a7a2b...b3.exe
windows10-2004-x64
10setup_installer.exe
windows7-x64
10setup_installer.exe
windows10-2004-x64
109c4880a98c...82.exe
windows7-x64
109c4880a98c...82.exe
windows10-2004-x64
10setup_installer.exe
windows7-x64
10setup_installer.exe
windows10-2004-x64
10a1dad4a83d...c4.exe
windows7-x64
10a1dad4a83d...c4.exe
windows10-2004-x64
10setup_installer.exe
windows7-x64
10setup_installer.exe
windows10-2004-x64
10acf1b7d80f...e0.exe
windows7-x64
10acf1b7d80f...e0.exe
windows10-2004-x64
10setup_installer.exe
windows7-x64
10setup_installer.exe
windows10-2004-x64
10cbf31d825a...d2.exe
windows7-x64
10cbf31d825a...d2.exe
windows10-2004-x64
10setup_installer.exe
windows7-x64
10setup_installer.exe
windows10-2004-x64
10db76a117db...12.exe
windows7-x64
10db76a117db...12.exe
windows10-2004-x64
10setup_installer.exe
windows7-x64
10setup_installer.exe
windows10-2004-x64
10e2ffb8aeeb...f6.exe
windows7-x64
10e2ffb8aeeb...f6.exe
windows10-2004-x64
7Analysis
-
max time kernel
34s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
06-11-2024 18:26
Behavioral task
behavioral1
Sample
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
4d27dca0a1e05e876c2a1a8c09854c847b8e21bc5db294ad63cbfc603b5d62ef.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
setup_installer.exe
Resource
win7-20240729-en
Behavioral task
behavioral6
Sample
setup_installer.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
setup_installer.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
setup_installer.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
9c4880a98c53084391a2e2ec350515da63c1dc8ac929af17f012b690b0453782.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
setup_installer.exe
Resource
win7-20241010-en
Behavioral task
behavioral14
Sample
setup_installer.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe
Resource
win7-20240729-en
Behavioral task
behavioral16
Sample
a1dad4a83d843acffbf293c0979951255abd9be4524d5a46c2fd48942a8a47c4.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
setup_installer.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
setup_installer.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
setup_installer.exe
Resource
win7-20241023-en
Behavioral task
behavioral22
Sample
setup_installer.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
cbf31d825ac364f97420cb6523bca7bbcab24292e93fc9e946e64cb446291ad2.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
setup_installer.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
setup_installer.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe
Resource
win7-20241010-en
Behavioral task
behavioral28
Sample
db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
setup_installer.exe
Resource
win7-20240729-en
Behavioral task
behavioral30
Sample
setup_installer.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe
Resource
win10v2004-20241007-en
General
-
Target
setup_installer.exe
-
Size
5.6MB
-
MD5
d30d0f507abdbec4488c6a49edacdbe8
-
SHA1
4ffe73350cdf75461ce21994b26a7c2b90b721cb
-
SHA256
318af6913b0c34dd5183c80569604d8366e052de015aa3f428f89f98dfcec448
-
SHA512
1b0c464279ae6a84b47a5e30743c7e005a63c7ff966f94d5c718357273572a32c15deca80f4c58ce86fa5ae66a386ffcd03ace811a3361343e5c2d1eb2724f21
-
SSDEEP
98304:x9CvLUBsg9ZBeL2967NOJ7540pStWiWFXEYIt5jY8/lSJn3yN5qfMlBs:xeLUCg9ZBe/mW0ktW8YEYnZoQ0Y
Malware Config
Extracted
nullmixer
http://mooorni.xyz/
Extracted
privateloader
http://45.133.1.107/server.txt
pastebin.com/raw/A7dSG1te
http://wfsdragon.ru/api/setStats.php
51.178.186.149
Extracted
socelars
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.efxety.top/
Extracted
redline
ChrisNEW
194.104.136.5:46013
-
auth_value
9491a1c5e11eb6097e68a4fa8627fda8
Extracted
redline
media25
91.121.67.60:23325
-
auth_value
e37d5065561884bb54c8ed1baa6de446
Extracted
gcleaner
gcl-gb.biz
Extracted
redline
pub2
185.215.113.46:80
-
auth_value
4a9525ed658ab62eaade23fdc4f4da23
Signatures
-
Detect Fabookie payload 1 IoCs
resource yara_rule behavioral25/files/0x0005000000019228-98.dat family_fabookie -
Fabookie family
-
Gcleaner family
-
Nullmixer family
-
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
-
Onlylogger family
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Privateloader family
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 12 IoCs
resource yara_rule behavioral25/memory/2312-265-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral25/memory/2312-263-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral25/memory/2312-256-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral25/memory/2312-253-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral25/memory/2312-250-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral25/memory/1508-286-0x0000000000400000-0x0000000000420000-memory.dmp family_redline behavioral25/memory/1508-284-0x0000000000400000-0x0000000000420000-memory.dmp family_redline behavioral25/memory/1508-283-0x0000000000400000-0x0000000000420000-memory.dmp family_redline behavioral25/memory/1508-280-0x0000000000400000-0x0000000000420000-memory.dmp family_redline behavioral25/memory/1508-278-0x0000000000400000-0x0000000000420000-memory.dmp family_redline behavioral25/memory/4000-842-0x0000000002F80000-0x0000000002FA2000-memory.dmp family_redline behavioral25/memory/4000-856-0x0000000003240000-0x0000000003260000-memory.dmp family_redline -
Redline family
-
Socelars family
-
Socelars payload 1 IoCs
resource yara_rule behavioral25/files/0x0005000000019384-95.dat family_socelars -
OnlyLogger payload 1 IoCs
resource yara_rule behavioral25/memory/2172-296-0x0000000000400000-0x000000000058E000-memory.dmp family_onlylogger -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2088 powershell.exe 2108 powershell.exe 3984 powershell.exe 5796 powershell.exe -
resource yara_rule behavioral25/files/0x0007000000015f1b-58.dat aspack_v212_v242 behavioral25/files/0x0007000000015e25-61.dat aspack_v212_v242 behavioral25/files/0x00080000000162b8-66.dat aspack_v212_v242 -
Executes dropped EXE 25 IoCs
pid Process 2708 setup_install.exe 2352 Tue018f791563585c0f9.exe 2188 Tue01c451610f4a.exe 1892 Tue01d702368dbba.exe 552 Tue01994ec7a792fea9.exe 2136 Tue0105f10596.exe 2008 Tue0195119235.exe 308 Tue010769fc7f9829.exe 1500 Tue018bc5c5a0a3d4.exe 1988 Tue017abac33187.exe 2056 Tue01bf08f313b912.exe 1132 Tue0133c29150b.exe 2124 Tue01e8898e0d1fce4.exe 2172 Tue0138d4026db6d813e.exe 832 Tue01de2411919659f09.exe 1568 Tue01bba8b80fa4.exe 2552 Tue0195119235.exe 1748 Tue01d702368dbba.tmp 1812 Tue0121ab289cd9a.exe 852 Tue01d702368dbba.exe 2460 Tue01d702368dbba.tmp 2632 GhXkKMW.EXe 2256 Tue01de2411919659f09.exe 2312 Tue017abac33187.exe 1508 Tue01de2411919659f09.exe -
Loads dropped DLL 64 IoCs
pid Process 2888 setup_installer.exe 2888 setup_installer.exe 2888 setup_installer.exe 2708 setup_install.exe 2708 setup_install.exe 2708 setup_install.exe 2708 setup_install.exe 2708 setup_install.exe 2708 setup_install.exe 2708 setup_install.exe 2708 setup_install.exe 2096 cmd.exe 2352 Tue018f791563585c0f9.exe 3000 cmd.exe 2352 Tue018f791563585c0f9.exe 2536 cmd.exe 816 cmd.exe 2188 Tue01c451610f4a.exe 2188 Tue01c451610f4a.exe 1968 cmd.exe 2872 cmd.exe 2880 cmd.exe 2984 cmd.exe 2008 Tue0195119235.exe 2008 Tue0195119235.exe 2136 Tue0105f10596.exe 2136 Tue0105f10596.exe 2568 cmd.exe 1968 cmd.exe 2912 cmd.exe 1960 cmd.exe 1960 cmd.exe 2956 cmd.exe 2956 cmd.exe 2860 cmd.exe 1892 Tue01d702368dbba.exe 1892 Tue01d702368dbba.exe 1988 Tue017abac33187.exe 1988 Tue017abac33187.exe 1132 Tue0133c29150b.exe 1132 Tue0133c29150b.exe 2056 Tue01bf08f313b912.exe 2056 Tue01bf08f313b912.exe 2172 Tue0138d4026db6d813e.exe 2172 Tue0138d4026db6d813e.exe 2124 Tue01e8898e0d1fce4.exe 2124 Tue01e8898e0d1fce4.exe 2944 cmd.exe 2944 cmd.exe 832 Tue01de2411919659f09.exe 832 Tue01de2411919659f09.exe 2008 Tue0195119235.exe 468 cmd.exe 468 cmd.exe 1568 Tue01bba8b80fa4.exe 1568 Tue01bba8b80fa4.exe 1892 Tue01d702368dbba.exe 2920 cmd.exe 1748 Tue01d702368dbba.tmp 1748 Tue01d702368dbba.tmp 1748 Tue01d702368dbba.tmp 1748 Tue01d702368dbba.tmp 852 Tue01d702368dbba.exe 852 Tue01d702368dbba.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
flow ioc 29 iplogger.org 31 iplogger.org 39 iplogger.org 41 iplogger.org 43 iplogger.org 83 pastebin.com 86 pastebin.com 87 pastebin.com -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 26 ip-api.com 56 freegeoip.app -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral25/files/0x00050000000193a2-88.dat autoit_exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1988 set thread context of 2312 1988 Tue017abac33187.exe 81 PID 832 set thread context of 1508 832 Tue01de2411919659f09.exe 92 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2748 2708 WerFault.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 55 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tue0195119235.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tue01d702368dbba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tue01d702368dbba.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tue01d702368dbba.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tue0105f10596.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tue01d702368dbba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tue01e8898e0d1fce4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GhXkKMW.EXe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setup_install.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tue01de2411919659f09.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tue01c451610f4a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language setup_installer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tue01bba8b80fa4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tue017abac33187.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tue017abac33187.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tue01bf08f313b912.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tue0138d4026db6d813e.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tue0133c29150b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tue0195119235.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tue018f791563585c0f9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Tue01de2411919659f09.exe -
Kills process with taskkill 3 IoCs
pid Process 2764 taskkill.exe 1148 taskkill.exe 1424 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2088 powershell.exe 2108 powershell.exe -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeCreateTokenPrivilege 2056 Tue01bf08f313b912.exe Token: SeAssignPrimaryTokenPrivilege 2056 Tue01bf08f313b912.exe Token: SeLockMemoryPrivilege 2056 Tue01bf08f313b912.exe Token: SeIncreaseQuotaPrivilege 2056 Tue01bf08f313b912.exe Token: SeMachineAccountPrivilege 2056 Tue01bf08f313b912.exe Token: SeTcbPrivilege 2056 Tue01bf08f313b912.exe Token: SeSecurityPrivilege 2056 Tue01bf08f313b912.exe Token: SeTakeOwnershipPrivilege 2056 Tue01bf08f313b912.exe Token: SeLoadDriverPrivilege 2056 Tue01bf08f313b912.exe Token: SeSystemProfilePrivilege 2056 Tue01bf08f313b912.exe Token: SeSystemtimePrivilege 2056 Tue01bf08f313b912.exe Token: SeProfSingleProcessPrivilege 2056 Tue01bf08f313b912.exe Token: SeIncBasePriorityPrivilege 2056 Tue01bf08f313b912.exe Token: SeCreatePagefilePrivilege 2056 Tue01bf08f313b912.exe Token: SeCreatePermanentPrivilege 2056 Tue01bf08f313b912.exe Token: SeBackupPrivilege 2056 Tue01bf08f313b912.exe Token: SeRestorePrivilege 2056 Tue01bf08f313b912.exe Token: SeShutdownPrivilege 2056 Tue01bf08f313b912.exe Token: SeDebugPrivilege 2056 Tue01bf08f313b912.exe Token: SeAuditPrivilege 2056 Tue01bf08f313b912.exe Token: SeSystemEnvironmentPrivilege 2056 Tue01bf08f313b912.exe Token: SeChangeNotifyPrivilege 2056 Tue01bf08f313b912.exe Token: SeRemoteShutdownPrivilege 2056 Tue01bf08f313b912.exe Token: SeUndockPrivilege 2056 Tue01bf08f313b912.exe Token: SeSyncAgentPrivilege 2056 Tue01bf08f313b912.exe Token: SeEnableDelegationPrivilege 2056 Tue01bf08f313b912.exe Token: SeManageVolumePrivilege 2056 Tue01bf08f313b912.exe Token: SeImpersonatePrivilege 2056 Tue01bf08f313b912.exe Token: SeCreateGlobalPrivilege 2056 Tue01bf08f313b912.exe Token: 31 2056 Tue01bf08f313b912.exe Token: 32 2056 Tue01bf08f313b912.exe Token: 33 2056 Tue01bf08f313b912.exe Token: 34 2056 Tue01bf08f313b912.exe Token: 35 2056 Tue01bf08f313b912.exe Token: SeDebugPrivilege 2088 powershell.exe Token: SeDebugPrivilege 2108 powershell.exe Token: SeDebugPrivilege 308 Tue010769fc7f9829.exe Token: SeDebugPrivilege 2764 taskkill.exe Token: SeDebugPrivilege 1500 Tue018bc5c5a0a3d4.exe Token: SeDebugPrivilege 1148 taskkill.exe Token: SeDebugPrivilege 1424 taskkill.exe -
Suspicious use of FindShellTrayWindow 7 IoCs
pid Process 2188 Tue01c451610f4a.exe 2188 Tue01c451610f4a.exe 2188 Tue01c451610f4a.exe 2188 Tue01c451610f4a.exe 2188 Tue01c451610f4a.exe 2188 Tue01c451610f4a.exe 2188 Tue01c451610f4a.exe -
Suspicious use of SendNotifyMessage 7 IoCs
pid Process 2188 Tue01c451610f4a.exe 2188 Tue01c451610f4a.exe 2188 Tue01c451610f4a.exe 2188 Tue01c451610f4a.exe 2188 Tue01c451610f4a.exe 2188 Tue01c451610f4a.exe 2188 Tue01c451610f4a.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2888 wrote to memory of 2708 2888 setup_installer.exe 30 PID 2888 wrote to memory of 2708 2888 setup_installer.exe 30 PID 2888 wrote to memory of 2708 2888 setup_installer.exe 30 PID 2888 wrote to memory of 2708 2888 setup_installer.exe 30 PID 2888 wrote to memory of 2708 2888 setup_installer.exe 30 PID 2888 wrote to memory of 2708 2888 setup_installer.exe 30 PID 2888 wrote to memory of 2708 2888 setup_installer.exe 30 PID 2708 wrote to memory of 2140 2708 setup_install.exe 32 PID 2708 wrote to memory of 2140 2708 setup_install.exe 32 PID 2708 wrote to memory of 2140 2708 setup_install.exe 32 PID 2708 wrote to memory of 2140 2708 setup_install.exe 32 PID 2708 wrote to memory of 2140 2708 setup_install.exe 32 PID 2708 wrote to memory of 2140 2708 setup_install.exe 32 PID 2708 wrote to memory of 2140 2708 setup_install.exe 32 PID 2708 wrote to memory of 2404 2708 setup_install.exe 33 PID 2708 wrote to memory of 2404 2708 setup_install.exe 33 PID 2708 wrote to memory of 2404 2708 setup_install.exe 33 PID 2708 wrote to memory of 2404 2708 setup_install.exe 33 PID 2708 wrote to memory of 2404 2708 setup_install.exe 33 PID 2708 wrote to memory of 2404 2708 setup_install.exe 33 PID 2708 wrote to memory of 2404 2708 setup_install.exe 33 PID 2404 wrote to memory of 2088 2404 cmd.exe 35 PID 2404 wrote to memory of 2088 2404 cmd.exe 35 PID 2404 wrote to memory of 2088 2404 cmd.exe 35 PID 2404 wrote to memory of 2088 2404 cmd.exe 35 PID 2404 wrote to memory of 2088 2404 cmd.exe 35 PID 2404 wrote to memory of 2088 2404 cmd.exe 35 PID 2404 wrote to memory of 2088 2404 cmd.exe 35 PID 2140 wrote to memory of 2108 2140 cmd.exe 34 PID 2140 wrote to memory of 2108 2140 cmd.exe 34 PID 2140 wrote to memory of 2108 2140 cmd.exe 34 PID 2140 wrote to memory of 2108 2140 cmd.exe 34 PID 2140 wrote to memory of 2108 2140 cmd.exe 34 PID 2140 wrote to memory of 2108 2140 cmd.exe 34 PID 2140 wrote to memory of 2108 2140 cmd.exe 34 PID 2708 wrote to memory of 2536 2708 setup_install.exe 36 PID 2708 wrote to memory of 2536 2708 setup_install.exe 36 PID 2708 wrote to memory of 2536 2708 setup_install.exe 36 PID 2708 wrote to memory of 2536 2708 setup_install.exe 36 PID 2708 wrote to memory of 2536 2708 setup_install.exe 36 PID 2708 wrote to memory of 2536 2708 setup_install.exe 36 PID 2708 wrote to memory of 2536 2708 setup_install.exe 36 PID 2708 wrote to memory of 1968 2708 setup_install.exe 37 PID 2708 wrote to memory of 1968 2708 setup_install.exe 37 PID 2708 wrote to memory of 1968 2708 setup_install.exe 37 PID 2708 wrote to memory of 1968 2708 setup_install.exe 37 PID 2708 wrote to memory of 1968 2708 setup_install.exe 37 PID 2708 wrote to memory of 1968 2708 setup_install.exe 37 PID 2708 wrote to memory of 1968 2708 setup_install.exe 37 PID 2708 wrote to memory of 816 2708 setup_install.exe 38 PID 2708 wrote to memory of 816 2708 setup_install.exe 38 PID 2708 wrote to memory of 816 2708 setup_install.exe 38 PID 2708 wrote to memory of 816 2708 setup_install.exe 38 PID 2708 wrote to memory of 816 2708 setup_install.exe 38 PID 2708 wrote to memory of 816 2708 setup_install.exe 38 PID 2708 wrote to memory of 816 2708 setup_install.exe 38 PID 2708 wrote to memory of 2096 2708 setup_install.exe 39 PID 2708 wrote to memory of 2096 2708 setup_install.exe 39 PID 2708 wrote to memory of 2096 2708 setup_install.exe 39 PID 2708 wrote to memory of 2096 2708 setup_install.exe 39 PID 2708 wrote to memory of 2096 2708 setup_install.exe 39 PID 2708 wrote to memory of 2096 2708 setup_install.exe 39 PID 2708 wrote to memory of 2096 2708 setup_install.exe 39 PID 2708 wrote to memory of 1960 2708 setup_install.exe 40
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Users\Admin\AppData\Local\Temp\7zS84B97746\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS84B97746\setup_install.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2108
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue01d702368dbba.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2536 -
C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue01d702368dbba.exeTue01d702368dbba.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1892 -
C:\Users\Admin\AppData\Local\Temp\is-7HEGI.tmp\Tue01d702368dbba.tmp"C:\Users\Admin\AppData\Local\Temp\is-7HEGI.tmp\Tue01d702368dbba.tmp" /SL5="$30182,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue01d702368dbba.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1748 -
C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue01d702368dbba.exe"C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue01d702368dbba.exe" /SILENT6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:852 -
C:\Users\Admin\AppData\Local\Temp\is-Q4FDA.tmp\Tue01d702368dbba.tmp"C:\Users\Admin\AppData\Local\Temp\is-Q4FDA.tmp\Tue01d702368dbba.tmp" /SL5="$40182,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue01d702368dbba.exe" /SILENT7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2460
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0133c29150b.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1968 -
C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue0133c29150b.exeTue0133c29150b.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1132
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue01994ec7a792fea9.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:816 -
C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue01994ec7a792fea9.exeTue01994ec7a792fea9.exe4⤵
- Executes dropped EXE
PID:552 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Dzpafigaxd.vbs"5⤵PID:3876
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google\Qekdqa.exe'6⤵
- Command and Scripting Interpreter: PowerShell
PID:3984
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Dzpafigaxd.vbs"5⤵PID:3916
-
C:\Users\Admin\AppData\Local\Temp\Fphrgjtnjgrqbtrochalunsaintly_2021-10-24_21-38.exe"C:\Users\Admin\AppData\Local\Temp\Fphrgjtnjgrqbtrochalunsaintly_2021-10-24_21-38.exe"6⤵PID:4000
-
-
-
C:\Users\Admin\AppData\Local\Temp\MSBuild.exeC:\Users\Admin\AppData\Local\Temp\MSBuild.exe5⤵PID:4032
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com6⤵PID:4160
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\sujqksc.vbs"6⤵PID:5764
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\7⤵
- Command and Scripting Interpreter: PowerShell
PID:5796
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue018f791563585c0f9.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue018f791563585c0f9.exeTue018f791563585c0f9.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2352
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue017abac33187.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1960 -
C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue017abac33187.exeTue017abac33187.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1988 -
C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue017abac33187.exeC:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue017abac33187.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2312
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue01c451610f4a.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3000 -
C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue01c451610f4a.exeTue01c451610f4a.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2188
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue010769fc7f9829.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue010769fc7f9829.exeTue010769fc7f9829.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:308
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0138d4026db6d813e.exe /mixone3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue0138d4026db6d813e.exeTue0138d4026db6d813e.exe /mixone4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2172
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue018bc5c5a0a3d4.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue018bc5c5a0a3d4.exeTue018bc5c5a0a3d4.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1500
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0195119235.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2880 -
C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue0195119235.exeTue0195119235.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2008 -
C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue0195119235.exe"C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue0195119235.exe" -u5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2552
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue01e8898e0d1fce4.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue01e8898e0d1fce4.exeTue01e8898e0d1fce4.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2124 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscriPT: cLOsE( crEaTeoBjEct ( "wsCriPT.ShEll" ). ruN ( "cMD /Q /r copY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue01e8898e0d1fce4.exe"" ..\GhXkKMW.EXe &&sTarT ..\GhXkKMW.Exe /pzztRb0w26vFPLWe3xRyQv & If """" == """" for %K in (""C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue01e8898e0d1fce4.exe"") do taskkill /f /IM ""%~NXK"" ", 0, tRuE) )5⤵
- System Location Discovery: System Language Discovery
PID:1060 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /r copY /Y "C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue01e8898e0d1fce4.exe" ..\GhXkKMW.EXe &&sTarT ..\GhXkKMW.Exe /pzztRb0w26vFPLWe3xRyQv &If "" == "" for %K in ("C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue01e8898e0d1fce4.exe") do taskkill /f /IM "%~NXK"6⤵
- System Location Discovery: System Language Discovery
PID:2808 -
C:\Users\Admin\AppData\Local\Temp\GhXkKMW.EXe..\GhXkKMW.Exe /pzztRb0w26vFPLWe3xRyQv7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2632 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscriPT: cLOsE( crEaTeoBjEct ( "wsCriPT.ShEll" ). ruN ( "cMD /Q /r copY /Y ""C:\Users\Admin\AppData\Local\Temp\GhXkKMW.EXe"" ..\GhXkKMW.EXe &&sTarT ..\GhXkKMW.Exe /pzztRb0w26vFPLWe3xRyQv & If ""/pzztRb0w26vFPLWe3xRyQv "" == """" for %K in (""C:\Users\Admin\AppData\Local\Temp\GhXkKMW.EXe"") do taskkill /f /IM ""%~NXK"" ", 0, tRuE) )8⤵
- System Location Discovery: System Language Discovery
PID:2744 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /r copY /Y "C:\Users\Admin\AppData\Local\Temp\GhXkKMW.EXe" ..\GhXkKMW.EXe &&sTarT ..\GhXkKMW.Exe /pzztRb0w26vFPLWe3xRyQv &If "/pzztRb0w26vFPLWe3xRyQv " == "" for %K in ("C:\Users\Admin\AppData\Local\Temp\GhXkKMW.EXe") do taskkill /f /IM "%~NXK"9⤵
- System Location Discovery: System Language Discovery
PID:2768
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBScrIPT: cLose (creATeoBjECt ( "WscriPT.shELL" ).ruN ( "cmD.Exe /c eCHo | SeT /p = ""MZ"" > CejRuqC.56S & copY /Y /b CEJRUqC.56S +D5S9N.M + HOdVbD.N + 6Gk1G.c4O + JN1iGT.j ..\32aZBXCS.EP& sTARt msiexec.exe -y ..\32AZBxCS.EP & del /Q * ", 0 , True ) )8⤵
- System Location Discovery: System Language Discovery
PID:2204 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c eCHo | SeT /p = "MZ" > CejRuqC.56S & copY /Y /b CEJRUqC.56S +D5S9N.M + HOdVbD.N+ 6Gk1G.c4O +JN1iGT.j ..\32aZBXCS.EP& sTARt msiexec.exe -y ..\32AZBxCS.EP &del /Q *9⤵
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHo "10⤵
- System Location Discovery: System Language Discovery
PID:1536
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>CejRuqC.56S"10⤵
- System Location Discovery: System Language Discovery
PID:1696
-
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe -y ..\32AZBxCS.EP10⤵
- System Location Discovery: System Language Discovery
PID:1748
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /IM "Tue01e8898e0d1fce4.exe"7⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2764
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue01bba8b80fa4.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:468 -
C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue01bba8b80fa4.exeTue01bba8b80fa4.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1568 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "Tue01bba8b80fa4.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue01bba8b80fa4.exe" & exit5⤵
- System Location Discovery: System Language Discovery
PID:1868 -
C:\Windows\SysWOW64\taskkill.exetaskkill /im "Tue01bba8b80fa4.exe" /f6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1424
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue01bf08f313b912.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue01bf08f313b912.exeTue01bf08f313b912.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2056 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1148
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue01de2411919659f09.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2944 -
C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue01de2411919659f09.exeTue01de2411919659f09.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:832 -
C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue01de2411919659f09.exeC:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue01de2411919659f09.exe5⤵
- Executes dropped EXE
PID:2256
-
-
C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue01de2411919659f09.exeC:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue01de2411919659f09.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1508
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0105f10596.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue0105f10596.exeTue0105f10596.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2136
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Tue0121ab289cd9a.exe3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2920 -
C:\Users\Admin\AppData\Local\Temp\7zS84B97746\Tue0121ab289cd9a.exeTue0121ab289cd9a.exe4⤵
- Executes dropped EXE
PID:1812
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 4963⤵
- Program crash
PID:2748
-
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1688137875-1769860070-1920090901466141922-71090704529337116271431477183612392"1⤵PID:2632
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
403KB
MD5b4c503088928eef0e973a269f66a0dd2
SHA1eb7f418b03aa9f21275de0393fcbf0d03b9719d5
SHA2562a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2
SHA512c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465
-
Filesize
8KB
MD5734444641dd6db890f6c7f1f20794c01
SHA10e59056f853bd0aa5c35200142c009671c614a6a
SHA256bc55a116cadbc0e86dd0e0e0bcb752fb725b4ea21d562aa150c106a748582f24
SHA512a2fd34199ceb6404fec47d0d35568b7c32c4511dd73c9c4f9b6ac4760bb75ed7eee32a3af2c73b4e9e3ddbb935b57bb19037664ec11a75eb73e1740d3051b747
-
Filesize
1.3MB
MD5bdbbf4f034c9f43e4ab00002eb78b990
SHA199c655c40434d634691ea1d189b5883f34890179
SHA2562da3696e82b2a874191a6f4e3bfd26d4b7e5aa5d187c5afdebbe52263dccd5ae
SHA512dc3e513ad8cbb887652660603ce76437c6d3670637a99c1145c08fa23de658a5c5ca395cc8a2532de7b73302e88e0e8f1c026c4bb1b23481a3a5bb2dc92a68ec
-
Filesize
362KB
MD5dcf289d0f7a31fc3e6913d6713e2adc0
SHA144be915c2c70a387453224af85f20b1e129ed0f0
SHA25606edeee5eaf02a2ee9849ca2b8bc9ec67c39c338c9b184c04f5f0da7c6bedfa5
SHA5127035e016476ce5bd670dc23cf83115bb82b65e58e858e07c843a3e77584a3c0119aaa688f73761ac3388b648ab9dbf88378aa0a6fe82e269b8e9bd347c37ebca
-
Filesize
394KB
MD58e0abf31bbb7005be2893af10fcceaa9
SHA1a48259c2346d7aed8cf14566d066695a8c2db55c
SHA2562df6cc430475ae053ad2772a3a9d1de1a03af31c3ebfdd0e5d5bd7fbdc61866a
SHA512ba76470f4896e6bdac508e6a901b352a3bf731ab5680b9931cc1a8c874482cf0c19a374a6a58dda5237178c1861509529a5174bf76fa768efac7989dbc1c1970
-
Filesize
71KB
MD5d60a08a6456074f895e9f8338ea19515
SHA19547c405520a033bd479a0d20c056a1fdacf18af
SHA256d12662f643b6daf1cfca3b45633eb2bf92c7928dbd0670718e5d57d24fb851e0
SHA512b6cbd259e84826ccd2c99c7a66d90f1c2201d625eea6adcd37205e8adf4383ae44306ae1df682fb81b7e38c18bce017a69fba5141702263e4d480b4a30106c8e
-
Filesize
89KB
MD503137e005bdf813088f651d5b2b53e5d
SHA10aa1fb7e5fc80bed261c805e15ee4e3709564258
SHA256258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd
SHA51223bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd
-
Filesize
973KB
MD56639386657759bdac5f11fd8b599e353
SHA116947be5f1d997fc36f838a4ae2d53637971e51c
SHA2565a9a3c1a7abfcf03bc270126a2a438713a1927cdfa92e6c8c72d7443ceee2eb8
SHA512ba67c59b89230572f43795f56cf9d057640c3941d49439d7a684256000897ab423cf1a935cd03d67f45dfcf26f0c7a90e433bbab8aefcc8a7eb5ccd999cb20c3
-
Filesize
339KB
MD529365be959a73cd49978e66b45e109b7
SHA1100cae8e2ba712ab3a50a73ca03a82a2ffb54da8
SHA256301448c44c79ea50c1915eaa9269f1b64356a2bc66ece6a34aa9a786a335b5a2
SHA5121c0333981f53f2ee64501902113fdd9d5a42f3c5d790fa48eedca2d06cd82769363d7eab6345835e74d7f27a334d78604b559aad1cf8fe60db16dce6456d2649
-
Filesize
1.4MB
MD577666d51bc3fc167013811198dc282f6
SHA118e03eb6b95fd2e5b51186886f661dcedc791759
SHA2566a3d44d750ba258b1854431d89db135abc5d543ada1b384c5306e98031b8f1c9
SHA512a024f008567a7417fe975063f661a0b278fb70c7576a7453e482f2e3f5c6cc48b5faaa55ec197e3082626faaa3598c9ff7bcca798ba7a1408bf666e61fdf4cd0
-
Filesize
846KB
MD5c9e0bf7a99131848fc562b7b512359e1
SHA1add6942e0e243ccc1b2dc80b3a986385556cc578
SHA25645ed24501cd9c2098197a994aaaf9fe2bcca5bc38d146f1b1e442a19667b4d7b
SHA51287a3422dad08c460c39a3ac8fb985c51ddd21a4f66469f77098770f1396180a40646d81bdae08485f488d8ca4c65264a14fe774799235b52a09b120db6410c5a
-
Filesize
379KB
MD59b07fc470646ce890bcb860a5fb55f13
SHA1ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA5124cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc
-
Filesize
390KB
MD5df1afc8383619f98e9265f07e49af8a3
SHA1d59ff86d8f663d67236c2daa25e8845e6abace02
SHA256d1e8b044cfa0635bb25c932d0acb9b9bdba69395c83d8094b1cfee752c89fbd5
SHA512dc914e768214dfc0cf405d74debc74620a619f2e87170354ea5cdbdb8cd2b32a58a963da886be9d997662cced35e7ef55f9b44739cfb45a3203cb79726ec4f83
-
Filesize
1.3MB
MD5b332e882b77e4e0c0502358af4983f4c
SHA1276b033fc9809228bfb9fd8aef13b8784697ee7d
SHA2569bb0600997f4b3aad16b916851c79a8aa394b6a51dbe525415a8a6199cb4757d
SHA512da821607615fb8f883d11960a6df2789535784c8fa0878a154c1ec04c81f2c3ff6c848bcbce359385121ecfe1bc65f6d89421b729746afa7ffc400e8ef7a9231
-
Filesize
2.1MB
MD57fee412ba84f4f8ab2cf2300d5401d17
SHA1960301151dc749ce293270461de5beb5b9534616
SHA25691ab750fbb5d74674615e78e7ac3e52d45048d2689fbb032ba32b182ea2546d2
SHA512bccf48419dac8ee12f055098d8c2e21303297e03a565980cdd03a3ce7d6ec3e110757cd72fd052e30fa61bdda7a60d78c479d99796488971b92dfc72f2a2d44d
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
216KB
MD5b37377d34c8262a90ff95a9a92b65ed8
SHA1faeef415bd0bc2a08cf9fe1e987007bf28e7218d
SHA256e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f
SHA51269d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc
-
Filesize
691KB
MD59303156631ee2436db23827e27337be4
SHA1018e0d5b6ccf7000e36af30cebeb8adc5667e5fa
SHA256bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4
SHA5129fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD5ff96681b7a3649e3f57caff70537b53d
SHA1349251e5a743a01cc061de724ca89dc89315aa2b
SHA256cf538956dba27de0c5199ca668f2ab876cd80505e93be11e17b2e4cb686dde25
SHA512c4d87d8f68f0f261430984895201dc495d3518e2b2031391ee0c50769dce6e06bac7bd4bec3b394865804eeff124ea5ca81e2073a95e4d4dfa5fe9f1e5427062
-
Filesize
208KB
MD527aa9c1ec3e1b97a80e85754e8804975
SHA142d15be066cc0f4df76bdaf02011e726fe280ca8
SHA256cf6526590e00c45b2215a7ac2dbea4b17ed6a6e8f09e41e566d3fff60b9642c3
SHA512b48b513777d3de57f9aa1e3051bf05f5058ee317df37461a2fbf399751c7686fd78527c327af7e2b504ebfb32ac4ede79fdc4d1f28ebc3bee380935cc1f283d4
-
Filesize
125KB
MD56843ec0e740bdad4d0ba1dbe6e3a1610
SHA19666f20f23ecd7b0f90e057c602cc4413a52d5a3
SHA2564bb1e9ad4974b57a1364463ca28935d024a217791069dd88bedccca5eaad271a
SHA512112a327b9e5f2c049177b2f237f5672e12b438e6d620411c7c50d945a8a3d96ec293d85a50392f62651cdf04a9f68d13d542b1626fb81b768eb342077409d6d3
-
Filesize
218KB
MD5d09be1f47fd6b827c81a4812b4f7296f
SHA1028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA2560de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
-
Filesize
54KB
MD5e6e578373c2e416289a8da55f1dc5e8e
SHA1b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA25643e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA5129df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
-
Filesize
113KB
MD59aec524b616618b0d3d00b27b6f51da1
SHA164264300801a353db324d11738ffed876550e1d3
SHA25659a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA5120648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0
-
Filesize
647KB
MD55e279950775baae5fea04d2cc4526bcc
SHA18aef1e10031c3629512c43dd8b0b5d9060878453
SHA25697de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
-
Filesize
69KB
MD51e0d62c34ff2e649ebc5c372065732ee
SHA1fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA5123653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61