Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07-11-2024 12:01
Static task: static1
Behavioral task: behavioral1
  Sample: 6f36bb5a55e529c45eaff76ec91f1949.exe
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: 6f36bb5a55e529c45eaff76ec91f1949.exe
  Resource: win10v2004-20241007-en
General
Target: setup_installer.exe
Size: 8.9MB
MD5: 3b9cfea9ed7c16c3f27df255da4baf9d
SHA1: b7f3f6f1c6e0e2a596b31e242fffced8e3d0c516
SHA256: 388485cce05113764a70a4d24cbccc85ee63bbe8159dd638f3f307c8c3d2dcf5
SHA512: 5341e023db4209af75473ba730159e5ad8f226733208977455ff86acae8f64b5ed1a46b43c6cceda1b81e78958a5acc77fe874f32a0634fbab20d26616b8022a
SSDEEP: 196608:x5kWHY2+T/CohKJTWpCagmfiMIzMRFzQZeA3VOoeMOD:xyWHY2CCiniMLzGFHdOD
Malware Config
Extracted: nullmixer
  http://626163618efe7.com/
Extracted: socelars
  https://sa-us-bucket.s3.us-east-2.amazonaws.com/ysagdy415/
Extracted: smokeloader
  pub3
Extracted: redline
  supertest2012
  91.213.50.241:25821
  auth_value: 3c9098bc220ccf9739f733015b9ad2db
Extracted: gcleaner
  31.210.20.149
  212.192.241.16
  212.192.246.217
  203.159.80.49
  url_path: /software.php
  url_path: /software.php
Signatures
Detect Fabookie payload (1 IoC)
  resource: behavioral3/memory/1608-162-0x0000000140000000-0x00000001406E2000-memory.dmp, yara_rule: family_fabookie
Fabookie family
Gcleaner family
Nullmixer family
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (5 IoCs)
  resource: behavioral3/memory/2448-270-0x0000000000400000-0x0000000000420000-memory.dmp, yara_rule: family_redline
  resource: behavioral3/memory/2448-268-0x0000000000400000-0x0000000000420000-memory.dmp, yara_rule: family_redline
  resource: behavioral3/memory/2448-267-0x0000000000400000-0x0000000000420000-memory.dmp, yara_rule: family_redline
  resource: behavioral3/memory/2448-264-0x0000000000400000-0x0000000000420000-memory.dmp, yara_rule: family_redline
  resource: behavioral3/memory/2448-262-0x0000000000400000-0x0000000000420000-memory.dmp, yara_rule: family_redline
Redline family
SmokeLoader
Modular backdoor trojan in use since 2014.
Smokeloader family
Socelars family
Socelars payload (1 IoC)
  resource: C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\62616375354c4_Thu1489cd3f.exe, yara_rule: family_socelars
Blocklisted process makes network request (1 IoC)
  flow 59, pid 2084, process rundll32.exe
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid 2616 powershell.exe
  pid 2076 powershell.exe
Processes:
  resource: \Users\Admin\AppData\Local\Temp\7zS4237A2B6\libcurl.dll, yara_rule: aspack_v212_v242
  resource: \Users\Admin\AppData\Local\Temp\7zS4237A2B6\libcurlpp.dll, yara_rule: aspack_v212_v242
  resource: \Users\Admin\AppData\Local\Temp\7zS4237A2B6\libstdc++-6.dll, yara_rule: aspack_v212_v242
  resource: C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\6261636285d1b_Thu14bfc43d37b.exe, yara_rule: aspack_v212_v242
Executes dropped EXE (23 IoCs)
  pid 2916 setup_install.exe
  pid 3056 6261636285d1b_Thu14bfc43d37b.exe
  pid 596 62616364495a4_Thu14652e42c0a.exe
  pid 1920 6261636964cb0_Thu1476d1f4ee.exe
  pid 2808 626163638f111_Thu147fb285819e.exe
  pid 2008 6261636bd5887_Thu140cd692e88.exe
  pid 2968 62616365ede4e_Thu1434cdb52.exe
  pid 2080 626163705fdd8_Thu1454a3a2ecd.exe
  pid 2488 62616375354c4_Thu1489cd3f.exe
  pid 3004 6261636804fe8_Thu147d5377a.exe
  pid 2600 62616365ede4e_Thu1434cdb52.exe
  pid 2032 626163713dc7a_Thu1481e15b0.exe
  pid 3000 626163725d1ab_Thu142a4ef3e1a.exe
  pid 1004 62616376636b2_Thu14254a34538.exe
  pid 1608 6261636dc936c_Thu144f505bc8c.exe
  pid 1832 6261636804fe8_Thu147d5377a.tmp
  pid 2180 6261636af257b_Thu144d45764b03.exe
  pid 2056 626163725d1ab_Thu142a4ef3e1a.tmp
  pid 2200 626163705fdd8_Thu1454a3a2ecd.exe
  pid 848 6261636804fe8_Thu147d5377a.exe
  pid 2052 6261636804fe8_Thu147d5377a.tmp
  pid 2388 62616364495a4_Thu14652e42c0a.exe
  pid 2448 62616364495a4_Thu14652e42c0a.exe
Loads dropped DLL (64 IoCs; grouped by pid, repeat count in parentheses)
  pid 804 setup_installer.exe (x3)
  pid 2916 setup_install.exe (x8)
  pid 2640 cmd.exe (x2)
  pid 3056 6261636285d1b_Thu14bfc43d37b.exe (x5)
  pid 2708 cmd.exe (x2)
  pid 596 62616364495a4_Thu14652e42c0a.exe (x2)
  pid 2164 cmd.exe (x2)
  pid 680 cmd.exe (x2)
  pid 2660 cmd.exe (x1)
  pid 1920 6261636964cb0_Thu1476d1f4ee.exe (x2)
  pid 320 cmd.exe (x1)
  pid 1936 cmd.exe (x2)
  pid 2008 6261636bd5887_Thu140cd692e88.exe (x2)
  pid 1508 cmd.exe (x2)
  pid 2356 cmd.exe (x1)
  pid 2968 62616365ede4e_Thu1434cdb52.exe (x3)
  pid 2488 62616375354c4_Thu1489cd3f.exe (x2)
  pid 576 cmd.exe (x2)
  pid 3004 6261636804fe8_Thu147d5377a.exe (x3)
  pid 1352 cmd.exe (x1)
  pid 2080 626163705fdd8_Thu1454a3a2ecd.exe (x2)
  pid 1100 cmd.exe (x2)
  pid 844 cmd.exe (x1)
  pid 1424 cmd.exe (x1)
  pid 2600 62616365ede4e_Thu1434cdb52.exe (x2)
  pid 2032 626163713dc7a_Thu1481e15b0.exe (x2)
  pid 3000 626163725d1ab_Thu142a4ef3e1a.exe (x2)
  pid 1004 62616376636b2_Thu14254a34538.exe (x2)
  pid 2180 6261636af257b_Thu144d45764b03.exe (x2)
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\6261636dc936c_Thu144f505bc8c.exe, yara_rule: vmprotect
  resource: behavioral3/memory/1608-162-0x0000000140000000-0x00000001406E2000-memory.dmp, yara_rule: vmprotect
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 10, ioc ip-api.com
Suspicious use of SetThreadContext (2 IoCs)
  PID 2080 set thread context of 2200 (626163705fdd8_Thu1454a3a2ecd.exe -> 626163705fdd8_Thu1454a3a2ecd.exe)
  PID 596 set thread context of 2448 (62616364495a4_Thu14652e42c0a.exe -> 62616364495a4_Thu14652e42c0a.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
  pid 1720 WerFault.exe, target pid 1004 62616376636b2_Thu14254a34538.exe
System Location Discovery: System Language Discovery (1 TTP, 46 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by the following processes (repeat count in parentheses):
  cmd.exe (x18)
  6261636804fe8_Thu147d5377a.exe (x2)
  6261636804fe8_Thu147d5377a.tmp (x2)
  62616364495a4_Thu14652e42c0a.exe (x2)
  taskkill.exe (x2)
  setup_install.exe (x1)
  6261636285d1b_Thu14bfc43d37b.exe (x1)
  6261636bd5887_Thu140cd692e88.exe (x1)
  powershell.exe (x2)
  6261636964cb0_Thu1476d1f4ee.exe (x1)
  62616365ede4e_Thu1434cdb52.exe (x2)
  62616376636b2_Thu14254a34538.exe (x1)
  626163713dc7a_Thu1481e15b0.exe (x1)
  6261636af257b_Thu144d45764b03.exe (x1)
  setup_installer.exe (x1)
  62616375354c4_Thu1489cd3f.exe (x1)
  626163725d1ab_Thu142a4ef3e1a.tmp (x1)
  control.exe (x1)
  rundll32.exe (x2)
  626163705fdd8_Thu1454a3a2ecd.exe (x2)
  626163725d1ab_Thu142a4ef3e1a.exe (x1)
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0, by 626163638f111_Thu147fb285819e.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier, by 626163638f111_Thu147fb285819e.exe
Kills process with taskkill (2 IoCs)
  pid 1612 taskkill.exe
  pid 1652 taskkill.exe
Processes:
626163725d1ab_Thu142a4ef3e1a.tmpdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 626163725d1ab_Thu142a4ef3e1a.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd
02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 626163725d1ab_Thu142a4ef3e1a.tmp -
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid 2616 powershell.exe
  pid 2076 powershell.exe
  pid 2808 626163638f111_Thu147fb285819e.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid 2052 6261636804fe8_Thu147d5377a.tmp
  pid 2008 6261636bd5887_Thu140cd692e88.exe
Suspicious use of AdjustPrivilegeToken (40 IoCs)
  pid 2488 62616375354c4_Thu1489cd3f.exe, tokens: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
  pid 2616 powershell.exe, token: SeDebugPrivilege
  pid 2076 powershell.exe, token: SeDebugPrivilege
  pid 1004 62616376636b2_Thu14254a34538.exe, token: SeDebugPrivilege
  pid 1652 taskkill.exe, token: SeDebugPrivilege
  pid 2808 626163638f111_Thu147fb285819e.exe, token: SeDebugPrivilege
  pid 1612 taskkill.exe, token: SeDebugPrivilege
Suspicious use of SetWindowsHookEx (4 IoCs)
  pid 2968 62616365ede4e_Thu1434cdb52.exe (x2)
  pid 2600 62616365ede4e_Thu1434cdb52.exe (x2)
Suspicious use of WriteProcessMemory (64 IoCs; repeat count in parentheses)
  PID 804 wrote to memory of 2916 (setup_installer.exe -> setup_install.exe) (x7)
  PID 2916 wrote to memory of 2632 (setup_install.exe -> cmd.exe) (x7)
  PID 2916 wrote to memory of 2640 (setup_install.exe -> cmd.exe) (x7)
  PID 2916 wrote to memory of 2660 (setup_install.exe -> cmd.exe) (x7)
  PID 2916 wrote to memory of 2708 (setup_install.exe -> cmd.exe) (x7)
  PID 2916 wrote to memory of 1936 (setup_install.exe -> cmd.exe) (x7)
  PID 2640 wrote to memory of 3056 (cmd.exe -> 6261636285d1b_Thu14bfc43d37b.exe) (x7)
  PID 2916 wrote to memory of 2356 (setup_install.exe -> cmd.exe) (x7)
  PID 2916 wrote to memory of 2164 (setup_install.exe -> cmd.exe) (x7)
  PID 2916 wrote to memory of 1424 (setup_install.exe -> cmd.exe) (x1)
Processes
[depth 1] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 804
[depth 2] C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\setup_install.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\setup_install.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2916
[depth 3] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    - System Location Discovery: System Language Discovery
    PID: 2632
[depth 4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2616
[depth 3] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c 6261636285d1b_Thu14bfc43d37b.exe
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2640
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\6261636285d1b_Thu14bfc43d37b.exe
    cmdline: 6261636285d1b_Thu14bfc43d37b.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 3056
[depth 5] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
    - System Location Discovery: System Language Discovery
    PID: 2104
[depth 6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2076
[depth 3] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c 626163638f111_Thu147fb285819e.exe
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 2660
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\626163638f111_Thu147fb285819e.exe
    cmdline: 626163638f111_Thu147fb285819e.exe
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2808
[depth 3] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c 62616364495a4_Thu14652e42c0a.exe
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 2708
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\62616364495a4_Thu14652e42c0a.exe
    cmdline: 62616364495a4_Thu14652e42c0a.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID: 596
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\62616364495a4_Thu14652e42c0a.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\62616364495a4_Thu14652e42c0a.exe
    - Executes dropped EXE
    PID: 2388
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\62616364495a4_Thu14652e42c0a.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\62616364495a4_Thu14652e42c0a.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2448
[depth 3] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c 62616365ede4e_Thu1434cdb52.exe
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 1936
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\62616365ede4e_Thu1434cdb52.exe
    cmdline: 62616365ede4e_Thu1434cdb52.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 2968
[depth 5] C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\62616365ede4e_Thu1434cdb52.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\62616365ede4e_Thu1434cdb52.exe" -h
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 2600
[depth 3] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c 6261636804fe8_Thu147d5377a.exe
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 2356
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\6261636804fe8_Thu147d5377a.exe
    cmdline: 6261636804fe8_Thu147d5377a.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 3004
[depth 5] C:\Users\Admin\AppData\Local\Temp\is-5JF88.tmp\6261636804fe8_Thu147d5377a.tmp
    cmdline: "C:\Users\Admin\AppData\Local\Temp\is-5JF88.tmp\6261636804fe8_Thu147d5377a.tmp" /SL5="$B0194,921146,831488,C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\6261636804fe8_Thu147d5377a.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 1832
[depth 6] C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\6261636804fe8_Thu147d5377a.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\6261636804fe8_Thu147d5377a.exe" /SILENT
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 848
[depth 7] C:\Users\Admin\AppData\Local\Temp\is-F7CT9.tmp\6261636804fe8_Thu147d5377a.tmp
    cmdline: "C:\Users\Admin\AppData\Local\Temp\is-F7CT9.tmp\6261636804fe8_Thu147d5377a.tmp" /SL5="$601E0,921146,831488,C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\6261636804fe8_Thu147d5377a.exe" /SILENT
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID: 2052
[depth 3] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c 6261636964cb0_Thu1476d1f4ee.exe
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 2164
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\6261636964cb0_Thu1476d1f4ee.exe
    cmdline: 6261636964cb0_Thu1476d1f4ee.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 1920
[depth 3] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c 6261636af257b_Thu144d45764b03.exe
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 1424
[depth 4] C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\6261636af257b_Thu144d45764b03.exe
    cmdline: 6261636af257b_Thu144d45764b03.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 2180
[depth 5] C:\Windows\SysWOW64\control.exe
    cmdline: "C:\Windows\System32\control.exe" .\VQY~ZP~Y.g
    - System Location Discovery: System Language Discovery
    PID: 1692
[depth 6] C:\Windows\SysWOW64\rundll32.exe
    cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\VQY~ZP~Y.g
    - System Location Discovery: System Language Discovery
    PID: 2828
[depth 7] C:\Windows\system32\RunDll32.exe
    cmdline: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\VQY~ZP~Y.g
    PID: 2940
[depth 8] C:\Windows\SysWOW64\rundll32.exe
    cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\VQY~ZP~Y.g
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    PID: 2084
C:\Windows\SysWOW64\cmd.exe (tree depth 3)
Command line: C:\Windows\system32\cmd.exe /c 6261636bd5887_Thu140cd692e88.exe /mixtwo
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 680

C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\6261636bd5887_Thu140cd692e88.exe (tree depth 4)
Command line: 6261636bd5887_Thu140cd692e88.exe /mixtwo
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID: 2008
C:\Windows\SysWOW64\cmd.exe (tree depth 3)
Command line: C:\Windows\system32\cmd.exe /c 6261636dc936c_Thu144f505bc8c.exe
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 844

C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\6261636dc936c_Thu144f505bc8c.exe (tree depth 4)
Command line: 6261636dc936c_Thu144f505bc8c.exe
- Executes dropped EXE
PID: 1608

C:\Windows\system32\WerFault.exe (tree depth 5)
Command line: C:\Windows\system32\WerFault.exe -u -p 1608 -s 488
PID: 2968
C:\Windows\SysWOW64\cmd.exe (tree depth 3)
Command line: C:\Windows\system32\cmd.exe /c 626163705fdd8_Thu1454a3a2ecd.exe
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 1508

C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\626163705fdd8_Thu1454a3a2ecd.exe (tree depth 4)
Command line: 626163705fdd8_Thu1454a3a2ecd.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID: 2080

C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\626163705fdd8_Thu1454a3a2ecd.exe (tree depth 5)
Command line: 626163705fdd8_Thu1454a3a2ecd.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2200
C:\Windows\SysWOW64\cmd.exe (tree depth 3)
Command line: C:\Windows\system32\cmd.exe /c 626163713dc7a_Thu1481e15b0.exe
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 576

C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\626163713dc7a_Thu1481e15b0.exe (tree depth 4)
Command line: 626163713dc7a_Thu1481e15b0.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 2032

C:\Windows\SysWOW64\cmd.exe (tree depth 5)
Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "626163713dc7a_Thu1481e15b0.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\626163713dc7a_Thu1481e15b0.exe" & exit
- System Location Discovery: System Language Discovery
PID: 2616

C:\Windows\SysWOW64\taskkill.exe (tree depth 6)
Command line: taskkill /im "626163713dc7a_Thu1481e15b0.exe" /f
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 1612
C:\Windows\SysWOW64\cmd.exe (tree depth 3)
Command line: C:\Windows\system32\cmd.exe /c 626163725d1ab_Thu142a4ef3e1a.exe
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 1352

C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\626163725d1ab_Thu142a4ef3e1a.exe (tree depth 4)
Command line: 626163725d1ab_Thu142a4ef3e1a.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 3000

C:\Users\Admin\AppData\Local\Temp\is-8BAOQ.tmp\626163725d1ab_Thu142a4ef3e1a.tmp (tree depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\is-8BAOQ.tmp\626163725d1ab_Thu142a4ef3e1a.tmp" /SL5="$30180,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\626163725d1ab_Thu142a4ef3e1a.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies system certificate store
PID: 2056
C:\Windows\SysWOW64\cmd.exe (tree depth 3)
Command line: C:\Windows\system32\cmd.exe /c 62616375354c4_Thu1489cd3f.exe
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 320

C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\62616375354c4_Thu1489cd3f.exe (tree depth 4)
Command line: 62616375354c4_Thu1489cd3f.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 2488

C:\Windows\SysWOW64\cmd.exe (tree depth 5)
Command line: cmd.exe /c taskkill /f /im chrome.exe
- System Location Discovery: System Language Discovery
PID: 788

C:\Windows\SysWOW64\taskkill.exe (tree depth 6)
Command line: taskkill /f /im chrome.exe
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 1652
C:\Windows\SysWOW64\cmd.exe (tree depth 3)
Command line: C:\Windows\system32\cmd.exe /c 62616376636b2_Thu14254a34538.exe
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 1100

C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6\62616376636b2_Thu14254a34538.exe (tree depth 4)
Command line: 62616376636b2_Thu14254a34538.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 1004

C:\Windows\SysWOW64\WerFault.exe (tree depth 5)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 716
- Program crash
PID: 1720
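The process tree above shows four behaviours worth turning into detection logic: a Control Panel host chain (control.exe, then rundll32 Shell32.dll,Control_RunDLL, then rundll32 shell32.dll,#44) loading a relative-path file with a non-.cpl extension (.\VQY~ZP~Y.g); cmd.exe running taskkill against a dropped binary and erasing the same file; taskkill /f /im chrome.exe launched from a chain rooted in a Temp-dropped binary; and a Temp binary starting a fresh copy of its own image (PID 2080 to 2200) alongside SetThreadContext. The Python below is an added example, not part of this sandbox report and not the sandbox's own logic. It runs those four rules over constructed Sysmon-style process-creation events modelled on the PIDs and command lines shown here; the event field names (pid, ppid, image, cmdline), the benign control events (PIDs 9001 and 9002) and the browser list are assumptions of the example.

```python
import re
from pathlib import PureWindowsPath

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "opera.exe", "brave.exe"}
# cmd /c taskkill /im X /f & erase <path>   (either position of /f is accepted)
SELFDEL_RE = re.compile(
    r'taskkill\s+(?:/f\s+)?/im\s+"?([^"\s]+)"?(?:\s+/f)?\s*&\s*(?:erase|del)\s+"?([^"&]+?)"?\s*(?:&|$)',
    re.IGNORECASE)

# Constructed events modelled on the tree above plus two benign controls (assumed field names).
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp\7zS4237A2B6"
SAMPLE_EVENTS = [
    {"pid": 2180, "ppid": 1424, "image": TEMP_DIR + r"\6261636af257b_Thu144d45764b03.exe",
     "cmdline": "6261636af257b_Thu144d45764b03.exe"},
    {"pid": 1692, "ppid": 2180, "image": r"C:\Windows\SysWOW64\control.exe",
     "cmdline": r'"C:\Windows\System32\control.exe" .\VQY~ZP~Y.g'},
    {"pid": 2828, "ppid": 1692, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\VQY~ZP~Y.g'},
    {"pid": 2084, "ppid": 2940, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\VQY~ZP~Y.g'},
    {"pid": 2616, "ppid": 2032, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c taskkill /im "626163713dc7a_Thu1481e15b0.exe" /f & erase "'
                + TEMP_DIR + r'\626163713dc7a_Thu1481e15b0.exe" & exit'},
    {"pid": 2488, "ppid": 320, "image": TEMP_DIR + r"\62616375354c4_Thu1489cd3f.exe",
     "cmdline": "62616375354c4_Thu1489cd3f.exe"},
    {"pid": 788, "ppid": 2488, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": "cmd.exe /c taskkill /f /im chrome.exe"},
    {"pid": 1652, "ppid": 788, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": "taskkill /f /im chrome.exe"},
    {"pid": 2080, "ppid": 1508, "image": TEMP_DIR + r"\626163705fdd8_Thu1454a3a2ecd.exe",
     "cmdline": "626163705fdd8_Thu1454a3a2ecd.exe"},
    {"pid": 2200, "ppid": 2080, "image": TEMP_DIR + r"\626163705fdd8_Thu1454a3a2ecd.exe",
     "cmdline": "626163705fdd8_Thu1454a3a2ecd.exe"},
    # Benign controls: a canonical Control Panel name, and a real .cpl through Control_RunDLL.
    {"pid": 9001, "ppid": 1, "image": r"C:\Windows\System32\control.exe",
     "cmdline": r'"C:\Windows\System32\control.exe" /name Microsoft.System'},
    {"pid": 9002, "ppid": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe" Shell32.dll,Control_RunDLL desk.cpl'},
]


def basename(path):
    return PureWindowsPath(path.strip('"')).name.lower()


def ancestors(ev, by_pid):
    """Parent chain via ppid; stops at a missing parent or a cycle."""
    chain, seen, cur = [], set(), by_pid.get(ev["ppid"])
    while cur and cur["pid"] not in seen:
        chain.append(cur)
        seen.add(cur["pid"])
        cur = by_pid.get(cur["ppid"])
    return chain


def suspicious_cpl_target(target):
    """A Control Panel item is a .cpl in a system directory. A relative path, a
    Temp path, or a pathname without .cpl means an arbitrary DLL is being loaded."""
    t = target.strip().strip('"')
    if t.startswith((".\\", "..\\")) or TEMP_RE.search(t):
        return True
    return "\\" in t and not t.lower().endswith(".cpl")


def rule_cpl_loader(ev, by_pid):
    name, cmd = basename(ev["image"]), ev["cmdline"]
    if name == "control.exe":
        m = re.match(r'\s*"?[^"\s]*control\.exe"?\s+(.+)$', cmd, re.IGNORECASE)
    elif name == "rundll32.exe":  # by export name, or by the ordinal seen above (#44)
        m = re.search(r'shell32\.dll"?\s*,\s*(?:Control_RunDLL\w*|#44)\s+(.+)$', cmd, re.IGNORECASE)
    else:
        return False
    return bool(m) and suspicious_cpl_target(m.group(1))


def rule_self_delete(ev, by_pid):
    """cmd.exe killing a binary and erasing that same file: dropper clean-up."""
    if basename(ev["image"]) != "cmd.exe":
        return False
    m = SELFDEL_RE.search(ev["cmdline"])
    return bool(m) and basename(m.group(1)) == basename(m.group(2))


def rule_browser_kill_from_temp(ev, by_pid):
    """taskkill against a browser from a chain rooted in a Temp-dropped binary;
    stealers commonly close the browser before reading its credential files."""
    if basename(ev["image"]) != "taskkill.exe":
        return False
    m = re.search(r'/im\s+"?([^"\s]+)', ev["cmdline"], re.IGNORECASE)
    if not m or m.group(1).lower() not in BROWSERS:
        return False
    return any(TEMP_RE.search(a["image"]) for a in ancestors(ev, by_pid))


def rule_temp_self_spawn(ev, by_pid):
    """A Temp-located binary starting a fresh copy of its own image, the usual
    set-up for injecting into the child (PID 2080 -> 2200 with SetThreadContext)."""
    parent = by_pid.get(ev["ppid"])
    return bool(parent and TEMP_RE.search(ev["image"])
                and parent["image"].lower() == ev["image"].lower())


RULES = {"cpl_loader": rule_cpl_loader, "self_delete": rule_self_delete,
         "browser_kill_from_temp": rule_browser_kill_from_temp,
         "temp_self_spawn": rule_temp_self_spawn}


def detect(events):
    """Return sorted (rule, pid) pairs for every event that trips a rule."""
    by_pid = {e["pid"]: e for e in events}
    return sorted((name, e["pid"]) for e in events for name, rule in RULES.items() if rule(e, by_pid))


if __name__ == "__main__":
    for name, pid in detect(SAMPLE_EVENTS):
        print(f"{name:24} PID {pid}")
```

On the sample, the rules fire on PIDs 1692, 2828 and 2084 (CPL loader chain), 2616 (self-deletion), 1652 (browser kill from a Temp chain) and 2200 (Temp self-spawn), and stay silent on the two controls. Two things in this tree are deliberately not flagged: the `cmd.exe /c <dropped exe>` launchers at depth 3, which are only meaningful in combination with the dropped-file location, and the `is-XXXXX.tmp ... /SL5="$handle,offset,offset,path"` pattern, which is Inno Setup's normal stub convention and would alert on every legitimate installer. The rundll32 ordinal match is tied to the `#44` value observed above; if the same behaviour appears with a different ordinal, widen the pattern rather than relying on this one.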
Network

MITRE ATT&CK Enterprise v15

Defense Evasion
- Modify Registry (T1112): 1
- Subvert Trust Controls (T1553): 1
- Install Root Certificate (T1553.004): 1

Credential Access
- Credentials from Password Stores (T1555): 1
- Credentials from Web Browsers (T1555.003): 1
- Unsecured Credentials (T1552): 1
- Credentials In Files (T1552.001): 1
Downloads

Filesize: 20KB
MD5: 98c3385d313ae6d4cf1f192830f6b555
SHA1: 31c572430094e9adbf5b7647c3621b2e8dfa7fe8
SHA256: 4b2e2adafc390f535254a650a90e6a559fb3613a9f13ce648a024c078fcf40be
SHA512: fdd0406ef1abee43877c2ab2be9879e7232e773f7dac48f38a883b14306907c82110c712065a290bafac3cc8b0f4c0a13694847ad60a50a2b87e6aed2fd73aff

Filesize: 293KB
MD5: de0baf5dde93880812b7fde3373d42f8
SHA1: 9d4d740b5a4393042b1683add34cffdc8e1d52c2
SHA256: b3ec6129bfe0c89f5f0be94e99a3f88697e5916e6abd92d1d685ea2e64769829
SHA512: af780da6ad203c592fff747d4351e46df600f7c4e43d2b9f23b062c591ddbc7b0c4a05b90548d9dd42707809099805ca3ed3588ad5ad252840aadd2c34edebbb

Filesize: 317KB
MD5: 9a1c1bab31aa4dba5d6f0cb09d69dfbc
SHA1: ad8c798f634897c34dd2827916a7e33b7fb3ffd4
SHA256: 153b24112d3e3035a46cb2f62090a81fc0e5f0f718d7cf80529a8be6b6791e4f
SHA512: fe7d2da5def4ab10f091a70a8e6fe7bb753c809c80ec5942f0f64d6537c869369899b5aa6ec7e44998b043a25116f7063f4d77f5d292387b3500a52f41461fc6

Filesize: 312KB
MD5: 479ba7ea1f2fa2cd51a3ca59a9638010
SHA1: 8992de6c918131fbe8821dd16cc0277951cd362c
SHA256: d66c7fb807beccc1fa5a7d4162d3e8e2d553ba560653a404e1ce6de68ba8c801
SHA512: 70be353017f77f5b4fd82738700843bdc5848f175a39d07626dd9f4cb59b4d685dadf69de156f00c62dcc76f8fba233656df258ea103e1000ff038305580179f

Filesize: 1.7MB
MD5: c8bb1548826e60e8df3f7df2b05e415e
SHA1: 43a0eeb0482bda8154c029786479bcfd206c5a92
SHA256: bc14818a8311eaa73cb4498be999f9835a4c117841e730c8efe35af1d6cf8651
SHA512: bac1a4bf4a7d8f37a276ab5cb9584b8f97df024fcf70544ef39f6b7d61799e7fb11f442f213453b74ba12781f28816541cf8b1e8a2087c8f991c3a4714b8106b

Filesize: 212KB
MD5: 97350a2aea3273bcefccda61f6af2674
SHA1: eb68f827aa6061dd63391fa128da23be53143c7d
SHA256: d004fa788b84994da697202c540b872caf0d20a892abe0186b0eb49a6bc74acb
SHA512: 749c8cd1a85d0d649c2602eebf4f6b7c56b375ee39cf6457c2d653210760075ec5b553325211df12c4bf4216da61457ebafaf1d380c0ba97f6fd8b66113f79c0

Filesize: 2.1MB
MD5: d0f116a637710650649550549ac98c97
SHA1: a1c2ea57ec195dbbb7ff4ebba46c650ef6d791f9
SHA256: 7bfb7ae083a4dca6653e6f92484cf5c103be4eb1b6c2e86a058fa38b3c8ae20c
SHA512: 62211d30aa1f760f7c1ef0e46f89617234e49d97eae0fadcf1ecc8e8ad7c213aa833fe1621c9dfa267db6f7b784870fb3e587ad6b4052472b4516fa2809179cb

Filesize: 397KB
MD5: 3756e07048157d0ecfd2f525d5335caf
SHA1: 95668f9c9fedc7b4a635b1b06d6aaa3d9d3d349f
SHA256: d1cbecdbd6cfb139284af70ad04dac1322cdff40c91b9f8872943e6af894a785
SHA512: 9c4b96521c60447a3e67f7899cda6c2ff7d922c5e7401f2c07a5d7a1a770a07de9f92225b9304ba9ae3981cf06201a7a3e996445ca9e6cd2b078646926bec8f3

Filesize: 3.8MB
MD5: 80e4418486e211f787e4204272d4e6e5
SHA1: 15961dada0d264d267cfd9cdaac40c573c1ecaaf
SHA256: 0472131d01b5d632f539583d82df22d8fbb28ef8b26ea21ed32cd0e1c8493403
SHA512: dc3049ad3968c2a978780afb142c983d67545f0b44caf1893f06c31cb988bf4ec1d102a08abf38ac0d44a9f4f6d08d1635d62b6a97773ecdd6d4403d96daa9dd

Filesize: 212KB
MD5: 133b38b1cb12eca579e43b73d2c56cc6
SHA1: 86ff545b3ec255f86c2980176c09d0d684241938
SHA256: e887443a6fb89a82a8b08e4932119af7527a5e4aa3989dac3790cca047949a02
SHA512: 3cb554287998f8b4ca7b9694eea6697a068f171f7eaad52f184d79b9ad9240aef6c87ad7bb60758e454d61e02874bebad93b929b78e8c65bedba136349babea9

Filesize: 307KB
MD5: 445ad7863238a2486bc53b4c92b8ed44
SHA1: 8cd416361061700f362e00045ecc08d1593dd22c
SHA256: 26d5e00de4955a2f7b49f6e323ad095187488e12961a08dbce1c73efa503864e
SHA512: 8d202574a03d5dc6ccea2d9b70224d30cb93a5fbfcc7ff012545283d3ff0502b78476fc781c32b2c8f239e7f66eea43e4bb134d139ca6a793269c252bd22cb11

Filesize: 752KB
MD5: fa5e609a29e13e31b067714efa2379e8
SHA1: decad3785cfc7e39826b236284846b8b88d83949
SHA256: 0a6e47783e8490aae0ac67a21d85b11be43cc465207cc72340e14601feec67a6
SHA512: 581bc0794ec67a73117e531f1961649f21e115ea9ccc1684168e93a93cc4eea25380706cade9f49187ab66aae3cb4d4d9bd2cb6addba162a873c78a58c0f9f4c

Filesize: 1.4MB
MD5: c9e6095f60607c44fe98d50ef083abfe
SHA1: 20d9688a8f467ac78ccd5010a5a5caa4ac57012b
SHA256: 29b3888929a2fae6ad930197d0f16494639eecb8b8a8345c64f25085713502e5
SHA512: f549c4b306542071c5955babbc5d00386e695c9140be34f79c154833b6eb55b1d44a58b4cb0a3a34e619e3318d755c06bd2fa649babc3d8d33f7e211d8109303

Filesize: 689KB
MD5: 5b6ce08011a3026a73cf80f93a5507f2
SHA1: 48ae3e983e11daa6e756664f217eeeca51b25686
SHA256: 83aff773f6652f6a8512a04cd74b652b5e146c5912fd112bc169869838ab1986
SHA512: 7b8c74fc530549709dc7a42f869cb2561e7cd1f35129baeabc0031d039b79c7b3cc1ccb369f6b04a79f3a589d87ce49eb3d17be28175231e004102320fd01e3a

Filesize: 113KB
MD5: 9aec524b616618b0d3d00b27b6f51da1
SHA1: 64264300801a353db324d11738ffed876550e1d3
SHA256: 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
SHA512: 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Filesize: 69KB
MD5: 1e0d62c34ff2e649ebc5c372065732ee
SHA1: fcfaa36ba456159b26140a43e80fbd7e9d9af2de
SHA256: 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
SHA512: 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize: 3.0MB
MD5: d93107e05fa93f02ff6959eb7eba85de
SHA1: fc42e1963f539977ef13332b8fedcc2286809d9d
SHA256: 5a5c65d12f3f845c947a7f6e58c533f38cfec7ba52ecb28239e96ee788fa71f7
SHA512: d60ad42441ab0f2ec425770e383bcbb9671e8981e43f419f7893616865a9af1e0e8ffaa6bac1539d591a8ffabb3487c139943079b0ae7c831d6642537a3edc39

Filesize: 232KB
MD5: 55c310c0319260d798757557ab3bf636
SHA1: 0892eb7ed31d8bb20a56c6835990749011a2d8de
SHA256: 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
SHA512: e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\107W7HJJVW23X1PT4CAO.temp
Filesize: 7KB
MD5: 437e243eb2921329a1167b4fd558d582
SHA1: ecd3e11bed002145c2357de748d7c23e52fc9ca7
SHA256: 20d0100d050dbc017471027c0620de50dccd0c3e083f37410a6be05192269e71
SHA512: 315706456d0df025841f6a14350f88e33728a5435aab55ce5d0e43fcc6e08bd9d6fb792946eb7acf02c4f350ccb348b97155a0c0e7f1ccd215eade724fee3ccc

Filesize: 218KB
MD5: d09be1f47fd6b827c81a4812b4f7296f
SHA1: 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
SHA256: 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
SHA512: 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Filesize: 54KB
MD5: e6e578373c2e416289a8da55f1dc5e8e
SHA1: b601a229b66ec3d19c2369b36216c6f6eb1c063e
SHA256: 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
SHA512: 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Filesize: 647KB
MD5: 5e279950775baae5fea04d2cc4526bcc
SHA1: 8aef1e10031c3629512c43dd8b0b5d9060878453
SHA256: 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
SHA512: 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Filesize: 2.1MB
MD5: dfedf85fa892bbabb53d9ae01d35a145
SHA1: dbc07d4561e2e3b3afbdb8ab38c5eaebff7bd9be
SHA256: dc6f4749010d101176720396d5cdc4a547940bd09e8a56fb7ece82c212cb662b
SHA512: 99fe1313c610c39993796e55384c3d1acccd69dcc6b3696015482cf61d32840abcb1763debf0ddefb4794a1f07e8a7e3d6a1eb1a92785a87630a40004527e5f2