Analysis
max time kernel: 149s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 09-11-2024 09:03
Static task: static1
Behavioral task behavioral1: sample 174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe, resource win7-20240903-en
Behavioral task behavioral2: sample 174723af9c95b2b96817e0cf6363ddf2ef72357c2c3006ed5c0d82870aed3d1e.exe, resource win10v2004-20241007-en
Behavioral task behavioral3: sample setup_installer.exe, resource win7-20240903-en
Behavioral task behavioral4: sample setup_installer.exe, resource win10v2004-20241007-en
General
Target: setup_installer.exe
Size: 6.9MB
MD5: d3e22d7fcc478eaf4b9e03a8a5038c12
SHA1: bfa29d4c2535b479102cd37c4a7f4245961daeb3
SHA256: 6d7f35c19fef11f48a274dcf38e942635e6946eca4ecd3c39dd38de8e0cbf656
SHA512: 83bc2bd9f2b5fe85a5eabdb6aab5c6ba64ac590b005780cee51d7c01f565a416b674fa9ff1b439325f9e50604fe130c3911c43c50da0254f0309beca742a1956
SSDEEP: 196608:xkYTPwdk38Jcv2PH7iFO4SzNWRDLR2/oyRZ156yoJ2YWc:xkYTodk30cvIHV4ShYL8oIZ18TP
Malware Config
Extracted: socelars
  http://www.anquyebt.com/
Extracted: smokeloader
  pub3
Extracted: nullmixer
  http://hornygl.xyz/
Extracted: gcleaner
  appwebstat.biz
  ads-memory.biz
Extracted: redline
  media262231
  92.255.57.115:11841
  auth_value: 5e0e6c3491655e18f0126b2b32773d57
Signatures
Detect Fabookie payload 1 IoCs
  resource: behavioral3/files/0x00050000000191f3-103.dat  (yara_rule: family_fabookie)
Fabookie family
Gcleaner family
Nullmixer family
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
Onlylogger family
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 4 IoCs
  resource: behavioral3/memory/1632-290-0x0000000000400000-0x0000000000420000-memory.dmp  (yara_rule: family_redline)
  resource: behavioral3/memory/1632-287-0x0000000000400000-0x0000000000420000-memory.dmp  (yara_rule: family_redline)
  resource: behavioral3/memory/1632-285-0x0000000000400000-0x0000000000420000-memory.dmp  (yara_rule: family_redline)
  resource: behavioral3/memory/1632-293-0x0000000000400000-0x0000000000420000-memory.dmp  (yara_rule: family_redline)
Redline family
SmokeLoader
Modular backdoor trojan in use since 2014.
Smokeloader family
Socelars family
Socelars payload 1 IoCs
  resource: behavioral3/files/0x0008000000015d19-81.dat  (yara_rule: family_socelars)
Detected Nirsoft tools 4 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
  resource: behavioral3/memory/1696-244-0x0000000000400000-0x0000000000480000-memory.dmp  (yara_rule: Nirsoft)
  resource: behavioral3/memory/1696-238-0x0000000000400000-0x0000000000480000-memory.dmp  (yara_rule: Nirsoft)
  resource: behavioral3/memory/2696-304-0x0000000000400000-0x0000000000483000-memory.dmp  (yara_rule: Nirsoft)
  resource: behavioral3/memory/2696-309-0x0000000000400000-0x0000000000483000-memory.dmp  (yara_rule: Nirsoft)
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
  resource: behavioral3/memory/2696-304-0x0000000000400000-0x0000000000483000-memory.dmp  (yara_rule: WebBrowserPassView)
  resource: behavioral3/memory/2696-309-0x0000000000400000-0x0000000000483000-memory.dmp  (yara_rule: WebBrowserPassView)
OnlyLogger payload 1 IoCs
  resource: behavioral3/memory/1604-265-0x0000000000400000-0x000000000045C000-memory.dmp  (yara_rule: family_onlylogger)
Blocklisted process makes network request 2 IoCs
  flow 73  PID 2616  rundll32.exe
  flow 88  PID 2616  rundll32.exe
Untitled signature (name missing in source) 3 IoCs
  resource: behavioral3/files/0x0005000000019217-55.dat  (yara_rule: aspack_v212_v242)
  resource: behavioral3/files/0x00050000000191fd-57.dat  (yara_rule: aspack_v212_v242)
  resource: behavioral3/files/0x0005000000019238-62.dat  (yara_rule: aspack_v212_v242)
Executes dropped EXE 31 IoCs
  PID 2528  setup_install.exe
  PID 2348  61f292a50b8fa_Thu12c85191.exe
  PID 2416  61f292a3b1188_Thu12926eaf6b3.exe
  PID 332   61f292a8a0a6c_Thu12fda79da.exe
  PID 2872  61f292ae71b3f_Thu1291f781.exe
  PID 1784  61f292adcd500_Thu12dd12e2c.exe
  PID 1572  61f292ad20a43_Thu120f4aad3d7.exe
  PID 1420  61f292ac194f1_Thu1230653d.exe
  PID 1972  61f292a4b3280_Thu12692268df32.exe
  PID 2172  61f292a688404_Thu122ae6bbac.exe
  PID 2164  61f292aaee251_Thu12817405.exe
  PID 1604  61f292b10868e_Thu12702ecb5.exe
  PID 2092  61f292a688404_Thu122ae6bbac.exe
  PID 1208  61f292aaee251_Thu12817405.tmp
  PID 2448  61f292a4b3280_Thu12692268df32.tmp
  PID 1640  61f292b465d58_Thu127ed1404d.exe
  PID 620   61f292ae24e70_Thu12a74e4137.exe
  PID 1584  61f292af47cdd_Thu12168454a4a.exe
  PID 3068  61f292b2a8973_Thu12d2978de30.exe
  PID 2956  61f292aaee251_Thu12817405.exe
  PID 2980  61f292adcd500_Thu12dd12e2c.exe
  PID 2828  61f292aaee251_Thu12817405.tmp
  PID 1880  Sul.exe.pif
  PID 236   Sul.exe.pif
  PID 1696  11111.exe
  PID 2168  61f292af47cdd_Thu12168454a4a.exe
  PID 2964  61f292af47cdd_Thu12168454a4a.exe
  PID 2696  11111.exe
  PID 1632  61f292af47cdd_Thu12168454a4a.exe
  PID 780   Sul.exe.pif
  PID 2696  f78d430.exe
Loads dropped DLL 64 IoCs (entries in report order; "xN" marks consecutive repeats)
  PID 2112  setup_installer.exe  (x3)
  PID 2528  setup_install.exe  (x8)
  PID 1876  cmd.exe
  PID 2348  61f292a50b8fa_Thu12c85191.exe  (x2)
  PID 2996  cmd.exe
  PID 2104  cmd.exe  (x2)
  PID 1624  cmd.exe
  PID 2416  61f292a3b1188_Thu12926eaf6b3.exe  (x2)
  PID 1792  cmd.exe  (x2)
  PID 2600  cmd.exe  (x2)
  PID 3008  cmd.exe
  PID 1836  cmd.exe  (x2)
  PID 1572  61f292ad20a43_Thu120f4aad3d7.exe  (x2)
  PID 1420  61f292ac194f1_Thu1230653d.exe  (x2)
  PID 1972  61f292a4b3280_Thu12692268df32.exe  (x2)
  PID 1896  cmd.exe  (x2)
  PID 2400  cmd.exe
  PID 2164  61f292aaee251_Thu12817405.exe  (x2)
  PID 2172  61f292a688404_Thu122ae6bbac.exe  (x2)
  PID 1708  cmd.exe  (x2)
  PID 1604  61f292b10868e_Thu12702ecb5.exe  (x2)
  PID 2172  61f292a688404_Thu122ae6bbac.exe
  PID 2164  61f292aaee251_Thu12817405.exe
  PID 1972  61f292a4b3280_Thu12692268df32.exe
  PID 332   61f292a8a0a6c_Thu12fda79da.exe  (x2)
  PID 1784  61f292adcd500_Thu12dd12e2c.exe  (x2)
  PID 2092  61f292a688404_Thu122ae6bbac.exe  (x2)
  PID 2144  cmd.exe
  PID 2448  61f292a4b3280_Thu12692268df32.tmp  (x2)
  PID 2620  cmd.exe
  PID 1508  cmd.exe  (x2)
  PID 620   61f292ae24e70_Thu12a74e4137.exe  (x2)
  PID 2448  61f292a4b3280_Thu12692268df32.tmp
  PID 1208  61f292aaee251_Thu12817405.tmp
  PID 2004  cmd.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 1 IoCs
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\QWE00000.gol\\\""
  Process: 61f292ae24e70_Thu12a74e4137.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Untitled signature (name missing in source) 1 IoCs
  PID 1364  powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 31 IoCs
  ioc: iplogger.org
  flows: 100, 71, 75, 89, 58, 117, 38, 39, 48, 70, 93, 103, 106, 15, 36, 64, 31, 56, 77, 109, 66, 82, 96, 112, 47, 61, 84, 68, 17, 33, 63
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 32  ioc: ip-api.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates processes with tasklist 1 TTPs 1 IoCs
  PID 2268  tasklist.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  PID 1572  61f292ad20a43_Thu120f4aad3d7.exe
Suspicious use of SetThreadContext 3 IoCs
  PID 2172 set thread context of 2092  Process: 2172 61f292a688404_Thu122ae6bbac.exe  procid_target: 60
  PID 1584 set thread context of 1632  Process: 1584 61f292af47cdd_Thu12168454a4a.exe  procid_target: 95
  PID 236 set thread context of 780    Process: 236 Sul.exe.pif  procid_target: 99
Untitled signature (name missing in source) 7 IoCs
  resource: behavioral3/files/0x000700000001960e-237.dat  (yara_rule: upx)
  resource: behavioral3/memory/1696-244-0x0000000000400000-0x0000000000480000-memory.dmp  (yara_rule: upx)
  resource: behavioral3/memory/1696-238-0x0000000000400000-0x0000000000480000-memory.dmp  (yara_rule: upx)
  resource: behavioral3/files/0x000800000001960e-264.dat  (yara_rule: upx)
  resource: behavioral3/memory/2696-266-0x0000000000400000-0x0000000000483000-memory.dmp  (yara_rule: upx)
  resource: behavioral3/memory/2696-304-0x0000000000400000-0x0000000000483000-memory.dmp  (yara_rule: upx)
  resource: behavioral3/memory/2696-309-0x0000000000400000-0x0000000000483000-memory.dmp  (yara_rule: upx)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 5 IoCs
  PID 2880  pid_target 2528  WerFault.exe  procid_target: 31
  PID 1928  pid_target 332   WerFault.exe  procid_target: 50
  PID 2648  pid_target 1604  WerFault.exe  procid_target: 59
  PID 2040  pid_target 2348  WerFault.exe  procid_target: 42
  PID 2932  pid_target 2696  WerFault.exe  procid_target: 105
System Location Discovery: System Language Discovery 1 TTPs 59 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes (59 entries, in report order):
    cmd.exe, cmd.exe, cmd.exe, cmd.exe, 61f292ae24e70_Thu12a74e4137.exe, 61f292a688404_Thu122ae6bbac.exe,
    61f292a4b3280_Thu12692268df32.tmp, 61f292adcd500_Thu12dd12e2c.exe, tasklist.exe, setup_installer.exe, cmd.exe,
    61f292b2a8973_Thu12d2978de30.exe, cmd.exe, cmd.exe, 61f292a3b1188_Thu12926eaf6b3.exe, 61f292af47cdd_Thu12168454a4a.exe,
    61f292af47cdd_Thu12168454a4a.exe, cmd.exe, 61f292a4b3280_Thu12692268df32.exe, Sul.exe.pif, f78d430.exe,
    find.exe, findstr.exe, 11111.exe, setup_install.exe, cmd.exe, cmd.exe, cmd.exe, timeout.exe,
    61f292a688404_Thu122ae6bbac.exe, 61f292aaee251_Thu12817405.exe, Sul.exe.pif, 11111.exe, 61f292a8a0a6c_Thu12fda79da.exe,
    61f292aaee251_Thu12817405.tmp, cmd.exe, control.exe, 61f292a50b8fa_Thu12c85191.exe, cmd.exe, cmd.exe,
    61f292aaee251_Thu12817405.tmp, Sul.exe.pif, cmd.exe, 61f292adcd500_Thu12dd12e2c.exe,
    rundll32.exe, rundll32.exe, powershell.exe, waitfor.exe, taskkill.exe, cmd.exe, cmd.exe, cmd.exe,
    61f292ad20a43_Thu120f4aad3d7.exe, 61f292b10868e_Thu12702ecb5.exe, 61f292ac194f1_Thu1230653d.exe,
    61f292aaee251_Thu12817405.exe, cmd.exe, cmd.exe, rundll32.exe
Delays execution with timeout.exe 1 IoCs
  PID 1704  timeout.exe
Kills process with taskkill 1 IoCs
  PID 1548  taskkill.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
  PID 1572  61f292ad20a43_Thu120f4aad3d7.exe
  PID 1364  powershell.exe
  PID 2696  11111.exe
  PID 2696  11111.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  PID 2828  61f292aaee251_Thu12817405.tmp
Suspicious use of AdjustPrivilegeToken 41 IoCs
  PID 2416  61f292a3b1188_Thu12926eaf6b3.exe, Token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege,
    SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege,
    SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege,
    SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege,
    SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege,
    SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
    SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege,
    SeCreateGlobalPrivilege, 31, 32, 33, 34, 35  (34 entries)
  PID 2872  61f292ae71b3f_Thu1291f781.exe, Token: SeDebugPrivilege
  PID 1584  61f292af47cdd_Thu12168454a4a.exe, Token: SeDebugPrivilege
  PID 1572  61f292ad20a43_Thu120f4aad3d7.exe, Token: SeDebugPrivilege
  PID 2268  tasklist.exe, Token: SeDebugPrivilege
  PID 1364  powershell.exe, Token: SeDebugPrivilege
  PID 1548  taskkill.exe, Token: SeDebugPrivilege
  PID 2348  61f292a50b8fa_Thu12c85191.exe, Token: SeDebugPrivilege
Suspicious use of FindShellTrayWindow 6 IoCs
  PID 1880  Sul.exe.pif  (x3)
  PID 236   Sul.exe.pif  (x3)
Suspicious use of SendNotifyMessage 6 IoCs
  PID 1880  Sul.exe.pif  (x3)
  PID 236   Sul.exe.pif  (x3)
Suspicious use of SetWindowsHookEx 4 IoCs
  PID 1784  61f292adcd500_Thu12dd12e2c.exe  (x2)
  PID 2980  61f292adcd500_Thu12dd12e2c.exe  (x2)
Suspicious use of WriteProcessMemory 64 IoCs ("xN" marks consecutive repeated entries)
  PID 2112 wrote to memory of 2528  Process: 2112 setup_installer.exe  procid_target: 31  (x7)
  PID 2528 wrote to memory of 2884  Process: 2528 setup_install.exe   procid_target: 33  (x7)
  PID 2528 wrote to memory of 2996  Process: 2528 setup_install.exe   procid_target: 34  (x7)
  PID 2528 wrote to memory of 3008  Process: 2528 setup_install.exe   procid_target: 35  (x7)
  PID 2528 wrote to memory of 1876  Process: 2528 setup_install.exe   procid_target: 36  (x7)
  PID 2528 wrote to memory of 1896  Process: 2528 setup_install.exe   procid_target: 37  (x7)
  PID 2528 wrote to memory of 2104  Process: 2528 setup_install.exe   procid_target: 38  (x7)
  PID 2528 wrote to memory of 2400  Process: 2528 setup_install.exe   procid_target: 39  (x7)
  PID 2528 wrote to memory of 1792  Process: 2528 setup_install.exe   procid_target: 40  (x7)
  PID 1876 wrote to memory of 2348  Process: 1876 cmd.exe             procid_target: 42
Processes (tree; [n] is the nesting depth)
[1] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe  (PID 2112)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe  (PID 2528)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\setup_install.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2884)
        cmdline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        - System Location Discovery: System Language Discovery
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1364)
          cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2996)
        cmdline: C:\Windows\system32\cmd.exe /c 61f292a3b1188_Thu12926eaf6b3.exe
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
      [4] C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a3b1188_Thu12926eaf6b3.exe  (PID 2416)
          cmdline: 61f292a3b1188_Thu12926eaf6b3.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\cmd.exe  (PID 1788)
            cmdline: cmd.exe /c taskkill /f /im chrome.exe
            - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\taskkill.exe  (PID 1548)
              cmdline: taskkill /f /im chrome.exe
              - System Location Discovery: System Language Discovery
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 3008)
        cmdline: C:\Windows\system32\cmd.exe /c 61f292a4b3280_Thu12692268df32.exe
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
      [4] C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a4b3280_Thu12692268df32.exe  (PID 1972)
          cmdline: 61f292a4b3280_Thu12692268df32.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
        [5] C:\Users\Admin\AppData\Local\Temp\is-0PM59.tmp\61f292a4b3280_Thu12692268df32.tmp  (PID 2448)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\is-0PM59.tmp\61f292a4b3280_Thu12692268df32.tmp" /SL5="$70158,140559,56832,C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a4b3280_Thu12692268df32.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 1876)
        cmdline: C:\Windows\system32\cmd.exe /c 61f292a50b8fa_Thu12c85191.exe
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a50b8fa_Thu12c85191.exe  (PID 2348)
          cmdline: 61f292a50b8fa_Thu12c85191.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
        [5] C:\Windows\SysWOW64\cmd.exe  (PID 912)
            cmdline: "C:\Windows\System32\cmd.exe" /C timeout 19
            - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\timeout.exe  (PID 1704)
              cmdline: timeout 19
              - System Location Discovery: System Language Discovery
              - Delays execution with timeout.exe
        [5] C:\Windows\SysWOW64\WerFault.exe  (PID 2040)
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 1148
            - Program crash
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 1896)
        cmdline: C:\Windows\system32\cmd.exe /c 61f292a688404_Thu122ae6bbac.exe
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
      [4] C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a688404_Thu122ae6bbac.exe  (PID 2172)
          cmdline: 61f292a688404_Thu122ae6bbac.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a688404_Thu122ae6bbac.exe  (PID 2092)
            cmdline: 61f292a688404_Thu122ae6bbac.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2104)
        cmdline: C:\Windows\system32\cmd.exe /c 61f292a8a0a6c_Thu12fda79da.exe
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
      [4] C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292a8a0a6c_Thu12fda79da.exe  (PID 332)
          cmdline: 61f292a8a0a6c_Thu12fda79da.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
        [5] C:\Windows\SysWOW64\WerFault.exe  (PID 1928)
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 332 -s 1424
            - Program crash
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2400)
        cmdline: C:\Windows\system32\cmd.exe /c 61f292aaee251_Thu12817405.exe
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
      [4] C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292aaee251_Thu12817405.exe  (PID 2164)
          cmdline: 61f292aaee251_Thu12817405.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
        [5] C:\Users\Admin\AppData\Local\Temp\is-HIOL3.tmp\61f292aaee251_Thu12817405.tmp  (PID 1208)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\is-HIOL3.tmp\61f292aaee251_Thu12817405.tmp" /SL5="$8015A,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292aaee251_Thu12817405.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
          [6] C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292aaee251_Thu12817405.exe  (PID 2956)
              cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292aaee251_Thu12817405.exe" /SILENT
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
            [7] C:\Users\Admin\AppData\Local\Temp\is-2F27F.tmp\61f292aaee251_Thu12817405.tmp  (PID 2828)
                cmdline: "C:\Users\Admin\AppData\Local\Temp\is-2F27F.tmp\61f292aaee251_Thu12817405.tmp" /SL5="$501EA,870458,780800,C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292aaee251_Thu12817405.exe" /SILENT
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: GetForegroundWindowSpam
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 1792)
        cmdline: C:\Windows\system32\cmd.exe /c 61f292ac194f1_Thu1230653d.exe
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
      [4] C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ac194f1_Thu1230653d.exe  (PID 1420)
          cmdline: 61f292ac194f1_Thu1230653d.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 1836)
        cmdline: C:\Windows\system32\cmd.exe /c 61f292ad20a43_Thu120f4aad3d7.exe
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
      [4] C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ad20a43_Thu120f4aad3d7.exe  (PID 1572)
          cmdline: 61f292ad20a43_Thu120f4aad3d7.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2600)
        cmdline: C:\Windows\system32\cmd.exe /c 61f292adcd500_Thu12dd12e2c.exe
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
      [4] C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292adcd500_Thu12dd12e2c.exe  (PID 1784)
          cmdline: 61f292adcd500_Thu12dd12e2c.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
        [5] C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292adcd500_Thu12dd12e2c.exe  (PID 2980)
            cmdline: "C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292adcd500_Thu12dd12e2c.exe" -a
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\SysWOW64\cmd.exe  (PID 2620)
        cmdline: C:\Windows\system32\cmd.exe /c 61f292ae24e70_Thu12a74e4137.exe
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
      [4] C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ae24e70_Thu12a74e4137.exe  (PID 620)
          cmdline: 61f292ae24e70_Thu12a74e4137.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
        [5] C:\Windows\SysWOW64\cmd.exe  (PID 2860)
            cmdline: cmd /c cmd < Esistenza.wbk
            - System Location Discovery: System Language Discovery
          [6] C:\Windows\SysWOW64\cmd.exe  (PID 2704)
              cmdline: cmd
              - System Location Discovery: System Language Discovery
            [7] C:\Windows\SysWOW64\tasklist.exe  (PID 2268)
                cmdline: tasklist /FI "imagename eq BullGuardCore.exe"
                - Enumerates processes with tasklist
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\SysWOW64\find.exe  (PID 2892)
                cmdline: find /I /N "bullguardcore.exe"
                - System Location Discovery: System Language Discovery
            [7] C:\Windows\SysWOW64\findstr.exe  (PID 2632)
                cmdline: findstr /V /R "^tDPdzRbUMNXkpbEMSMKZXPerlnGmckXJGXqJvnomwNbPoElbkyeDIDcfALyUkXmAQhFkvUdzDkXpshUFgogfpxwrCLpKzhhtgXYVZZwdO$" Impaziente.wbk
                - System Location Discovery: System Language Discovery
            [7] C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif  (PID 1880)
                cmdline: Sul.exe.pif J
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
              [8] C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif  (PID 236)
                  cmdline: C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif J
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of FindShellTrayWindow
                  - Suspicious use of SendNotifyMessage
                [9] C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif  (PID 780)
                    cmdline: C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif
                    - Executes dropped EXE
                    - System Location Discovery: System Language Discovery
            [7] C:\Windows\SysWOW64\waitfor.exe  (PID 1644)
                cmdline: waitfor /t 10 citDNEKXehVmhlzMlgdNbKGouCJxkZjiUQRiy
                - System Location Discovery: System Language Discovery
        [5] C:\Windows\SysWOW64\rundll32.exe  (PID 2780)
            cmdline: rundll32
            - System Location Discovery: System Language Discovery
Process: C:\Windows\SysWOW64\cmd.exe (tree depth 3)
Command line: C:\Windows\system32\cmd.exe /c 61f292ae71b3f_Thu1291f781.exe
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 1624

Process: C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292ae71b3f_Thu1291f781.exe (tree depth 4)
Command line: 61f292ae71b3f_Thu1291f781.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 2872
Process: C:\Windows\SysWOW64\cmd.exe (tree depth 3)
Command line: C:\Windows\system32\cmd.exe /c 61f292af47cdd_Thu12168454a4a.exe
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 1508

Process: C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe (tree depth 4)
Command line: 61f292af47cdd_Thu12168454a4a.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID: 1584

Process: C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe (tree depth 5)
Command line: C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe
- Executes dropped EXE
PID: 2168

Process: C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe (tree depth 5)
Command line: C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe
- Executes dropped EXE
PID: 2964

Process: C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe (tree depth 5)
Command line: C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292af47cdd_Thu12168454a4a.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 1632
Process: C:\Windows\SysWOW64\cmd.exe (tree depth 3)
Command line: C:\Windows\system32\cmd.exe /c 61f292b10868e_Thu12702ecb5.exe /mixtwo
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 1708

Process: C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292b10868e_Thu12702ecb5.exe (tree depth 4)
Command line: 61f292b10868e_Thu12702ecb5.exe /mixtwo
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 1604

Process: C:\Windows\SysWOW64\WerFault.exe (tree depth 5)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 484
- Program crash
PID: 2648
Process: C:\Windows\SysWOW64\cmd.exe (tree depth 3)
Command line: C:\Windows\system32\cmd.exe /c 61f292b2a8973_Thu12d2978de30.exe
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 2004

Process: C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292b2a8973_Thu12d2978de30.exe (tree depth 4)
Command line: 61f292b2a8973_Thu12d2978de30.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 3068

Process: C:\Windows\SysWOW64\control.exe (tree depth 5)
Command line: "C:\Windows\System32\control.exe" .\CZlKA.Q5
- System Location Discovery: System Language Discovery
PID: 2372

Process: C:\Windows\SysWOW64\rundll32.exe (tree depth 6)
Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\CZlKA.Q5
- System Location Discovery: System Language Discovery
PID: 2636

Process: C:\Windows\system32\RunDll32.exe (tree depth 7)
Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\CZlKA.Q5
PID: 2264

Process: C:\Windows\SysWOW64\rundll32.exe (tree depth 8)
Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\CZlKA.Q5
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
PID: 2616

Process: C:\Users\Admin\AppData\Local\Temp\f78d430.exe (tree depth 9)
Command line: "C:\Users\Admin\AppData\Local\Temp\f78d430.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2696

Process: C:\Windows\SysWOW64\WerFault.exe (tree depth 10)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 652
- Program crash
PID: 2932
Process: C:\Windows\SysWOW64\cmd.exe (tree depth 3)
Command line: C:\Windows\system32\cmd.exe /c 61f292b465d58_Thu127ed1404d.exe
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID: 2144

Process: C:\Users\Admin\AppData\Local\Temp\7zS0480EDC6\61f292b465d58_Thu127ed1404d.exe (tree depth 4)
Command line: 61f292b465d58_Thu127ed1404d.exe
- Executes dropped EXE
PID: 1640

Process: C:\Users\Admin\AppData\Local\Temp\11111.exe (tree depth 5)
Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 1696

Process: C:\Users\Admin\AppData\Local\Temp\11111.exe (tree depth 5)
Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2696

Process: C:\Windows\system32\WerFault.exe (tree depth 5)
Command line: C:\Windows\system32\WerFault.exe -u -p 1640 -s 488
PID: 1252
Process: C:\Windows\SysWOW64\WerFault.exe (tree depth 3)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 480
- Program crash
PID: 2880
Network

MITRE ATT&CK Enterprise v15

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
- Filesize: 215KB
  MD5: 94989927a6611e1919f84e1871922b63
  SHA1: b602e4c47c9c42c273b68a1ce85f0814c0e05deb
  SHA256: 6abf00e8457005606b0286fba4abc75bdb5d8d8267b17678d719122946db5c17
  SHA512: ce69c1597f759efdb61ba441a5c16b587b77e3780e134c312dc832a502a1933b04f6b981e0e4b5c998c38d77b25763d2c2875cb790b142f44a416dcf75880b6e
- Filesize: 207KB
  MD5: d0527733abcc5c58735e11d43061b431
  SHA1: 28de9d191826192721e325787b8a50a84328cffd
  SHA256: b4ef7ee228c1500f7bb3686361b1a246954efe04cf14d218b5ee709bc0d88b45
  SHA512: 7704b215fade38c9a4aa2395263f3d4d9392b318b5644146464d233006a6de86f53a5f6e47cd909c0d968e3ef4db397f52e28ca4d6a1b2e88e1c40a1dbde3fb5
- Filesize: 1.5MB
  MD5: fbd3940d1ad28166d8539eae23d44d5b
  SHA1: 55fff8a0aa435885fc86f7f33fec24558aa21ef5
  SHA256: 21ceb2021197d8b5f73f8f264163e1f73e6a454ff0dffad24e87037f3a0b9ac7
  SHA512: 26efcab71ea6ffd07c800a9ab014adc1813742d99923e17f02d92ffe5fccc8ad1efbf1e6124fd68fd1638e0d9c5f9a79b8c3faf2ae85c71ead6fb8940e26ad11
- Filesize: 380KB
  MD5: 5b14369c347439becacaa0883c07f17b
  SHA1: 126b0012934a2bf5aab025d931feb3b4315a2d9a
  SHA256: 8f362cedd16992cd2605b87129e491620b323f2a60e0cbb2f77d66a38f1e2307
  SHA512: 4abd011ac7e4dba50cef3d166ca3c2c4148e737291f196e68c61f3a19e0e2b13bef5bb95fa53223cbc5ae514467309da6c92f1acfa194980624282d7c88c521b
- Filesize: 106KB
  MD5: 4fda4b291bdc23439208635f8b4f10e5
  SHA1: 6911fce737067d5bbeab05960ecd56d3a0fe0dfb
  SHA256: 79a77b41388477a3cb157995c0ad1757a8ced2b49fc968dc5d8c28806aaee480
  SHA512: 5ca7652ea5c795dd613da2ef773e048efa240d4cb5b6970d91ddb2367eda27e879d735360625725881d4940b23b6e153cb148b630f183d21025b31b4675b17cb
- Filesize: 191KB
  MD5: a05b981f73e296c8edf29ea9f68b8355
  SHA1: f959ea0a5569320682e194bd87ae3fbf0b382647
  SHA256: 3b5add40bb6bb0b4cbc7b8de53c265a7310da094767f7c53fd425f3b22248100
  SHA512: d71c1655c13a4ea043caaa5533fe8b2b25f4146f5c750a801b4b19b3df514fedda7413dd9448be1b09eb6b532384d9439b1bb0628129413706224a051ea34ace
- Filesize: 116KB
  MD5: b8ecec542a07067a193637269973c2e8
  SHA1: 97178479fd0fc608d6c0fbf243a0bb136d7b0ecb
  SHA256: fc6b5ec20b7f2c902e9413c71be5718eb58640d86189306fe4c592af70fe3b7e
  SHA512: 730d74a72c7af91b10f06ae98235792740bed2afc86eb8ddc15ecaf7c31ec757ac3803697644ac0f60c2e8e0fd875b94299763ac0fed74d392ac828b61689893
- Filesize: 1.5MB
  MD5: e65bf2d56fcaa18c1a8d0d481072dc62
  SHA1: c7492c7e09b329bed044e9ee45e425e0817c22f4
  SHA256: c24f98a0e80be8f215f9b93c9823497c1ea547ca9fdd3621ef6a96dfb1eaa895
  SHA512: 39c3400315055b2c9fdb3d9d9d54f4a8c7120721aa0850c29d313824846cec7aae74b1f25569636d9eb81184f211e0bc391de02c212b6f0994a42096268414a9
- Filesize: 191KB
  MD5: af0de0482a6545057fb04ece77e0e83e
  SHA1: a5275870f175a76ae14d965211d02a5214adb5c2
  SHA256: 605f47756284111370f163638d93e580830db4dd10b16a274735c052ea1f2c8a
  SHA512: 92b76a20957a3daafd588434cb6259213af9689a1dd75c97f61f16ceff95e1e79924431ad4f8a075b90535081a00b6ced7ffada6db8a843a4f8ecaa27ca1e96d
- Filesize: 465KB
  MD5: 8b361d36500a8a4abd21c08235e6c0c8
  SHA1: c52bb8ead2e3b7dfb45f8e1163a2ae05588d70ce
  SHA256: dc791b99f5e4e21d1022fe5cf80231da85fd716cf0132a25d1596b9680e45cf5
  SHA512: 6ebdbd3c45d869bb8852e6662cd0f2f397322f3907377b60f6c70910a8a01d955b30b59ee93d76001688a465449bcbb061169e85a4e67b102a537440909cf10a
- Filesize: 372KB
  MD5: b0448525c5a00135bb5b658cc6745574
  SHA1: a08d53ce43ad01d47564a7dcdb87383652ef29f5
  SHA256: b53ec612c61b38e29a8500f8d495e81dfdedc6b277958f36acfee6b8ee50a859
  SHA512: b52e28e22916964a3d4d46e8fd09ba1f5c4867bd812d3c9af278bbeaf0ccfd9573e2bfc836c63079bc5de419b2c362247f85c3c494dfc66baf5cbadc6dbf462d
- Filesize: 879KB
  MD5: cc722fd0bd387cf472350dc2dd7ddd1e
  SHA1: 49d288ddbb09265a586dd8d6629c130be7063afa
  SHA256: 588a87d450987dfb3a72361c012b36285a5b3087cc8c282b6f2de46ae95291f2
  SHA512: 893375a8816bc333a9521b50d26b4018d1a3181b502dac73cef3357755651d833744a42bfd7f2daeb6e15d420600b91cdb910a0a1fb1a28d5012697a1f92733b
- Filesize: 8KB
  MD5: ce54b9287c3e4b5733035d0be085d989
  SHA1: 07a17e423bf89d9b056562d822a8f651aeb33c96
  SHA256: e2beaf61ef8408e20b5dd05ffab6e1a62774088b3acdebd834f51d77f9824112
  SHA512: c85680a63c9e852dfee438c9b8d47443f8b998ea1f8f573b3fcf1e31abc44415a1c18bac2bc6c5fb2caed0872a69fc9be758a510b9049c854fd48e31bf0815a0
- Filesize: 526KB
  MD5: 2fd3235d23e379fcca10cf25661689c8
  SHA1: ac4c74c6c95693a6d9d67caf55a6106eaa408959
  SHA256: a88f3682d185f01cd91890951a27f04e925f10bd61b1ded566889c0e008c3ccc
  SHA512: e33873304eba441d8b5938ba1f28636c78ac751633ed209f8970d1aafcf193203941fc8ba59e151ea7d010b9d65476d486e07b4f045d0409222d6f8d99bcfbb0
- Filesize: 339KB
  MD5: 6cda68905cfd314c1b5dcafd6adebc96
  SHA1: c6e952b5190121ab0c082a2de4bc0caf06d1dcf0
  SHA256: 927c40d5808645ff97bbf5fc4c1d517d37a801c81553dc54becd8a0770ee54b0
  SHA512: 952074dffb293dd455751a44f18409adf4afa2c4c2f130dc2b6368791b78af06cf19bdbdc4278ccdb4ca3326db100fc695245543aa5e447927c4c095640d98c6
- Filesize: 2.0MB
  MD5: 9691ad5126152a385a01220ee47221c1
  SHA1: 48465630edcdc71525c792c0b855ef0d321f6a5e
  SHA256: 34da41baf54a2522aa5b332f1678400f2fb271e12dcfad3870ef47d37ac4ba67
  SHA512: b7b3ac05988ec34d586f7764bbe2bce43ca3c9361ce3626f041eefb635d8ab3af047009ce74cce50cdddb6dbec35b60139a50e9f2598e86cdf484c60e4be5949
- Filesize: 1.6MB
  MD5: 79400b1fd740d9cb7ec7c2c2e9a7d618
  SHA1: 8ab8d7dcd469853f61ca27b8afe2ab6e0f2a1bb3
  SHA256: 556d5c93b2ceb585711ccce22e39e3327f388b893d76a3a7974967fe99a6fa7f
  SHA512: 3ed024b02d7410d5ddc7bb772a2b3e8a5516a16d1cb5fac9f5d925da84b376b67117daf238fb53c7707e6bb86a0198534ad1e79b6ebed979b505b3faf9ae55ac
- Filesize: 218KB
  MD5: d09be1f47fd6b827c81a4812b4f7296f
  SHA1: 028ae3596c0790e6d7f9f2f3c8e9591527d267f7
  SHA256: 0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e
  SHA512: 857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595
- Filesize: 54KB
  MD5: e6e578373c2e416289a8da55f1dc5e8e
  SHA1: b601a229b66ec3d19c2369b36216c6f6eb1c063e
  SHA256: 43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f
  SHA512: 9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89
- Filesize: 647KB
  MD5: 5e279950775baae5fea04d2cc4526bcc
  SHA1: 8aef1e10031c3629512c43dd8b0b5d9060878453
  SHA256: 97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87
  SHA512: 666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02
- Filesize: 69KB
  MD5: 1e0d62c34ff2e649ebc5c372065732ee
  SHA1: fcfaa36ba456159b26140a43e80fbd7e9d9af2de
  SHA256: 509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723
  SHA512: 3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61
- Filesize: 2.1MB
  MD5: b14eef8f9059c67b05c710b51d150f82
  SHA1: 645988e081d1948cae842614cc75875aec8cf68c
  SHA256: 3b9601b7d67b3e2541bf93f753248aae02ea9ba0fb46186d6d0ee97634052e0e
  SHA512: bdfcac2b5631b38a0555c1f0c70f3bec0d67955adf0d8f679d05a1218e2d9e5d0c7bf0a5d221235b96aec99e35d3521f9030bdab511bfbfeaa6a20f9b3c942e5
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 11KB
  MD5: 620bda3df817bff8deb38758d1dc668c
  SHA1: 9933523941851b42047f2b7a1324eb8daa8fb1ff
  SHA256: b74d7ff45768a1ee6f267e895de3e46cca505edf205563ef3f7db827f38363b3
  SHA512: bc9e932860f63090bab251057bc1fd6875c410c2358321eaa74fccc117561b91e4ce6b24d5e7bb13dc44732ae151b7c33fe201acbb5af689d7f2d248dfb8c568
- Filesize: 2.5MB
  MD5: 83b531c1515044f8241cd9627fbfbe86
  SHA1: d2f7096e18531abb963fc9af7ecc543641570ac8
  SHA256: 565cb30a640d5cb469f9d93c969aab083fa14dfdf983411c132927665531795c
  SHA512: 9f7304ecb7573c0b8b4d7a2f49bcb9902499523b84502609f81b6f1b84faa1152a46ea13813987567ce574bd7b9d7b3f44b2b76389d8135487dc3c7f5e314f1b
- Filesize: 232KB
  MD5: 55c310c0319260d798757557ab3bf636
  SHA1: 0892eb7ed31d8bb20a56c6835990749011a2d8de
  SHA256: 54e7e0ad32a22b775131a6288f083ed3286a9a436941377fc20f85dd9ad983ed
  SHA512: e0082109737097658677d7963cbf28d412dca3fa8f5812c2567e53849336ce45ebae2c0430df74bfe16c0f3eebb46961bc1a10f32ca7947692a900162128ae57
- Filesize: 113KB
  MD5: 9aec524b616618b0d3d00b27b6f51da1
  SHA1: 64264300801a353db324d11738ffed876550e1d3
  SHA256: 59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e
  SHA512: 0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0