Analysis

Max time kernel: 157s
Max time network: 158s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 20/12/2021, 14:02

Static task: static1
Behavioral task: behavioral1
Sample: 345a5bef0a5c1535244633d9776391f07e1e2e803adc1f545135218dd4da301b.exe
Resource: win7-en-20211208
(The signature hits, file IDs and memory dumps below all carry the behavioral2 prefix, i.e. they come from the Windows 10 run named under Platform/Resource, not from the win7 task listed here.)
General

Target: 345a5bef0a5c1535244633d9776391f07e1e2e803adc1f545135218dd4da301b.exe
Size: 7.8MB
MD5: bb627ed9b75d70e535ee848ce917aa65
SHA1: 7dc9b35117234134d910f53e2345d3157c25e8b2
SHA256: 345a5bef0a5c1535244633d9776391f07e1e2e803adc1f545135218dd4da301b
SHA512: acbac7166c809f43e50111bb118fac43d09f3219f1e15c593438ed5dc406e0100abf2fca68ba6c2e0545d49c853aeb75e71bf64f034dd0b13f5f48d61acbba67
Malware Config

Extracted: socelars
C2: http://www.biohazardgraphics.com/

Extracted: redline
Botnet: media19n
C2: 65.108.69.168:13293

Extracted: redline
Botnet: v3user1
C2: 159.69.246.184:13127
(Two RedLine builds with different botnet IDs were bundled; the RedLine payload dumps below come from the children of Sat21822ebb0e.exe and Sat21a3a382cb.exe.)

Extracted: vidar
Version: 49.1
Botnet: 915
C2: https://noc.social/@sergeev46, https://c.im/@sergeev47
profile_id: 915
(Both URLs are profile pages on public Mastodon instances. Vidar uses them as dead drops and reads its real C2 address from the profile text, so these hosts are resolvers for the C2, not the C2 itself.)

Extracted: smokeloader
Version: 2020
C2: http://rcacademy.at/upload/, http://e-lanpengeonline.com/upload/, http://vjcmvz.cn/upload/, http://galala.ru/upload/, http://witra.ru/upload/
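As an added example, not part of the sandbox report, the script below turns the extracted configs above into typed indicators and a blocklist. It copies the config blocks in the bare form shown on the page (constructed input), classifies each value as an ip:port socket, a URL, a dead-drop profile page or a free-form label (botnet id or version), and keeps the dead drops apart from direct C2s so that blocking a shared public Mastodon instance is a deliberate decision rather than a side effect. The dead-drop host list and the "/@name" profile-URL heuristic are the editor's assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed copy of the "Malware Config" section above, one "Extracted" line per block.
CONFIG_TEXT = """
Extracted socelars http://www.biohazardgraphics.com/
Extracted redline media19n 65.108.69.168:13293
Extracted redline v3user1 159.69.246.184:13127
Extracted vidar 49.1 915 https://noc.social/@sergeev46 https://c.im/@sergeev47
Extracted smokeloader 2020 http://rcacademy.at/upload/ http://e-lanpengeonline.com/upload/ http://vjcmvz.cn/upload/ http://galala.ru/upload/ http://witra.ru/upload/
"""

# Assumption: Mastodon instances whose profile pages Vidar reads to learn its real C2.
DEAD_DROP_HOSTS = {"noc.social", "c.im"}
SOCKET_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}$")


def classify(token: str) -> str:
    """socket (ip:port), url, dead_drop_profile, or label (botnet id / version string)."""
    if SOCKET_RE.match(token):
        return "socket"
    if token.startswith(("http://", "https://")):
        parts = urlsplit(token)
        host = (parts.hostname or "").lower()
        # "/@name" is the Mastodon profile-URL shape (assumption, see lead-in)
        if host in DEAD_DROP_HOSTS or "/@" in parts.path:
            return "dead_drop_profile"
        return "url"
    return "label"


def parse_config(text: str) -> list:
    """One record per 'Extracted' line: family, free-form labels, typed indicators."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] != "Extracted":
            continue
        rec = {"family": parts[1], "labels": [], "indicators": []}
        for token in parts[2:]:
            kind = classify(token)
            if kind == "label":
                rec["labels"].append(token)
            else:
                rec["indicators"].append((kind, token))
        records.append(rec)
    return records


def network_blocklist(records: list):
    """Hostnames and (ip, port) sockets to block, with dead drops returned separately."""
    hosts, sockets, dead_drops = set(), set(), set()
    for rec in records:
        for kind, value in rec["indicators"]:
            if kind == "socket":
                ip, port = value.rsplit(":", 1)
                sockets.add((ip, int(port)))
            elif kind == "dead_drop_profile":
                dead_drops.add(value)
            else:
                hosts.add(urlsplit(value).hostname.lower())
    return sorted(hosts), sorted(sockets), sorted(dead_drops)


if __name__ == "__main__":
    recs = parse_config(CONFIG_TEXT)
    for rec in recs:
        print(rec["family"], rec["labels"], rec["indicators"])
    print(network_blocklist(recs))
```

The socket list feeds a firewall or NetFlow rule directly; the hostnames go to DNS blocking; the dead-drop profiles are better handled by fetching the profile text yourself to learn the current C2 than by blocking the whole instance.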
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro. In this run the flagged process is rundll32.exe loading C:\Users\Admin\AppData\Local\Temp\sqlite.dll (PID 1980 in the tree below) with WmiPrvSE.exe as its parent. A WMI provider host as parent means the launch was requested through WMI rather than by a direct CreateProcess, which detaches the child from the malware's visible process tree.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1980 | 4864 | rundll32.exe | 132
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (4 IoCs)
resource | yara_rule
behavioral2/memory/1080-299-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral2/memory/1228-298-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral2/memory/1080-301-0x0000000000419332-mapping.dmp | family_redline
behavioral2/memory/1228-300-0x0000000000419336-mapping.dmp | family_redline
PIDs 1080 and 1228 are the second instances of Sat21822ebb0e.exe and Sat21a3a382cb.exe in the process tree, each started by the first instance. The family_redline match at the child's image base (0x400000-0x420000) shows the decoded stealer was written into a fresh copy of the loader's own executable; the two mapping offsets differ by four bytes (0x419332 vs 0x419336), consistent with two builds of the same payload. 1228 later crashed (see Program crash).
SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x000600000001ab33-209.dat | family_socelars
behavioral2/files/0x000600000001ab33-244.dat | family_socelars

NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers. In the process tree the dropped 11111.exe is run with NirSoft-style switches (/CookiesFile pointing at Chrome's Cookies database, /scookiestxt and /stab writing the result to C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt): a legitimate recovery tool repurposed as a browser cookie and credential dumper. AdvancedRun.exe, also a NirSoft utility, appears under Sat21e5d4a320d0.exe.
resource | yara_rule
behavioral2/files/0x000600000001ab35-195.dat | WebBrowserPassView
behavioral2/files/0x000600000001ab35-234.dat | WebBrowserPassView

Nirsoft (4 IoCs)
resource | yara_rule
behavioral2/files/0x000600000001ab35-195.dat | Nirsoft
behavioral2/files/0x000600000001ab35-234.dat | Nirsoft
behavioral2/files/0x000500000001ab47-327.dat | Nirsoft
behavioral2/files/0x000500000001ab47-326.dat | Nirsoft

Vidar Stealer (2 IoCs)
Both dumps come from PID 2104, Sat2106af2f1b2e3716.exe in the process tree: 0x400000-0x536000 is the executable's own image base (the unpacked image in place) and 0x21B0000-0x2289000 a separately allocated region that also matched the Vidar rule.
resource | yara_rule
behavioral2/memory/2104-391-0x00000000021B0000-0x0000000002289000-memory.dmp | family_vidar
behavioral2/memory/2104-395-0x0000000000400000-0x0000000000536000-memory.dmp | family_vidar

ASPack-packed dropped files (yara rule aspack_v212_v242, 7 IoCs)
Three dropped files (file IDs 0x000500000001ab26, 0x000500000001ab28 and 0x000600000001ab1f) are packed with ASPack 2.12-2.42; each is listed more than once because it was seen at more than one point in the run.
resource | yara_rule
behavioral2/files/0x000500000001ab26-126.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab26-128.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab28-130.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab28-132.dat | aspack_v212_v242
behavioral2/files/0x000600000001ab1f-127.dat | aspack_v212_v242
behavioral2/files/0x000600000001ab1f-134.dat | aspack_v212_v242
behavioral2/files/0x000600000001ab1f-133.dat | aspack_v212_v242
Downloads MZ/PE file

Executes dropped EXE (21 IoCs)
pid | Process
628 | setup_installer.exe
1544 | setup_install.exe
2924 | Sat215d0254132.exe
1436 | Sat2186a2fe17bc3.exe
2468 | Sat21331fd7d3.exe
2164 | Sat2186a2fe17bc3.exe
3572 | Sat211f3dc0dc85a790.exe
2864 | Sat21a3a382cb.exe
2964 | Sat21fad2ad3b493fd4.exe
1452 | Sat214f898013408c.exe
1840 | Sat21de94a76558.exe
1932 | Sat2175f29e38b1.exe
2716 | Sat21d2de5c9915e148.exe
3656 | Sat21e5d4a320d0.exe
3208 | Sat21822ebb0e.exe
2104 | Sat2106af2f1b2e3716.exe
656 | Sat2184c3c6c75ad8f83.exe
1448 | Sat21cab531e24c.exe
1804 | Sat2191af1420045d6af.exe
3620 | Sat2184c3c6c75ad8f83.exe
2284 | Sat211f3dc0dc85a790.tmp
Caveat: PIDs are reused within the run once a process exits (3208 is Sat21822ebb0e.exe here and 1640433316404333.exe in the AdjustPrivilegeToken table; 1036, 2208, 2964 and 4728 likewise appear twice in the process tree), so correlate on PID plus image name and time, never on PID alone.

Loads dropped DLL (6 IoCs)
pid | Process
1544 | setup_install.exe (six entries, all for this process)
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
This most likely corresponds to the Vidar config above: profile pages on public Mastodon instances (noc.social, c.im) are used as the first hop to the C2.

Looks up external IP address via web service (7 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
51 | ipinfo.io
52 | ipinfo.io
66 | ipinfo.io
287 | ipinfo.io
288 | ipinfo.io
295 | ipinfo.io
31 | ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1436 set thread context of 2164 | 1436 | Sat2186a2fe17bc3.exe | 85
Together with the four WriteProcessMemory entries 1436 -> 2164 below and the fact that 2164 runs the same image with the same /mixtwo argument, this is the process-hollowing pattern: the parent starts a suspended copy of itself, overwrites its memory and redirects the main thread. The hollowed copy (2164) later runs taskkill and erase against its own original executable.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The generic signature text calls this "likely ransomware behaviour", but no ransomware family was extracted from this sample (Socelars, RedLine, Vidar and SmokeLoader are stealers and loaders); here the drive enumeration is consistent with installer and stealer activity.

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
4584 | 1228 | WerFault.exe | 114
6948 | 3632 | WerFault.exe | 214
PID 1228 is the injected RedLine copy of Sat21a3a382cb.exe and 3632 the child copy of e7ZNwLOdQGZ8QM5qayzB42Bh.exe; both are second-stage processes that died in this environment, which should be kept in mind when judging what the sample would do on a real host.
Kills process with taskkill (2 IoCs)
pid | Process
4732 | taskkill.exe
5384 | taskkill.exe
(4732 kills the hollowed sample's own original image; 5384 kills chrome.exe, which releases the locks on Chrome's credential and cookie databases before they are read.)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
1144 | powershell.exe
1144 | powershell.exe
736 | powershell.exe
736 | powershell.exe

Suspicious use of AdjustPrivilegeToken (39 IoCs)
pid | Process | privileges enabled (Token:)
1932 | Sat2175f29e38b1.exe | SeDebugPrivilege
1804 | Sat2191af1420045d6af.exe | SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35 (34 entries)
3208 | 1640433316404333.exe | SeDebugPrivilege
2864 | Sat21a3a382cb.exe | SeDebugPrivilege
1144 | powershell.exe | SeDebugPrivilege
736 | powershell.exe | SeDebugPrivilege
Reading: 1804 requests every privilege LUID from 2 through 35 in order, i.e. a blanket "enable all privileges" AdjustTokenPrivileges call rather than a targeted one. The sandbox prints the last five by LUID only; in winnt.h those are SeTrustedCredManAccessPrivilege (31), SeRelabelPrivilege (32), SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34) and SeCreateSymbolicLinkPrivilege (35). The list records what was requested: privileges not present in the sandbox user's token cannot be enabled and AdjustTokenPrivileges reports ERROR_NOT_ALL_ASSIGNED for them.
Suspicious use of WriteProcessMemory (64 IoCs)
Every child creation produced three identical entries (the writes a parent makes into the new process while setting it up); only the 1436 -> 2164 pair has a fourth, the write that replaces the suspended copy's image. The listing ends at 64 entries, so writes by the later droppers (the Pictures\Adobe Films stage) do not appear.
pid | pid_target | Process (writer) | procid_target | entries
3168 | 628 | 345a5bef0a5c1535244633d9776391f07e1e2e803adc1f545135218dd4da301b.exe | 69 | 3
628 | 1544 | setup_installer.exe | 70 | 3
1544 | 1580 | setup_install.exe | 73 | 3
1544 | 1064 | setup_install.exe | 74 | 3
1064 | 736 | cmd.exe | 75 | 3
1580 | 1144 | cmd.exe | 77 | 3
1544 | 3456 | setup_install.exe | 76 | 3
1544 | 3064 | setup_install.exe | 78 | 3
1544 | 3148 | setup_install.exe | 82 | 3
1544 | 1236 | setup_install.exe | 81 | 3
3456 | 2924 | cmd.exe | 79 | 3
1544 | 1036 | setup_install.exe | 80 | 3
1544 | 2236 | setup_install.exe | 83 | 3
1544 | 2936 | setup_install.exe | 98 | 3
3064 | 1436 | cmd.exe | 97 | 3
1544 | 1712 | setup_install.exe | 96 | 3
1544 | 2068 | setup_install.exe | 95 | 3
1544 | 1588 | setup_install.exe | 84 | 3
1544 | 2004 | setup_install.exe | 94 | 3
1544 | 1824 | setup_install.exe | 93 | 3
1436 | 2164 | Sat2186a2fe17bc3.exe | 85 | 4
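As an added example, not part of the report, the script below parses the flattened WriteProcessMemory and SetThreadContext rows above (a constructed excerpt of 13 of the 64 entries plus the single SetThreadContext entry, copied into the script in the page's one-line form) into parent/child edges, recovers the parent of a process whose tree link the report lost, and flags the hollowing pair by combining three signals: a SetThreadContext from the same writer, more writes than the per-child baseline, and a child running the writer's own image. The PID-to-image map is built from the Executes dropped EXE list plus the cmd.exe parent taken from the process tree; nothing else is assumed.

```python
import re
from collections import Counter

# Constructed excerpt of the flattened rows above, kept in the exact one-line form the page uses.
WPM_TEXT = (
    "PID 3168 wrote to memory of 628 3168 345a5bef0a5c1535244633d9776391f07e1e2e803adc1f545135218dd4da301b.exe 69 " * 3
    + "PID 628 wrote to memory of 1544 628 setup_installer.exe 70 " * 3
    + "PID 3064 wrote to memory of 1436 3064 cmd.exe 97 " * 3
    + "PID 1436 wrote to memory of 2164 1436 Sat2186a2fe17bc3.exe 85 " * 4
)
STC_TEXT = "PID 1436 set thread context of 2164 1436 Sat2186a2fe17bc3.exe 85"
# pid -> image, from "Executes dropped EXE" plus the cmd.exe parent (3064) taken from the tree
PID_TEXT = ("628 setup_installer.exe 1544 setup_install.exe 1436 Sat2186a2fe17bc3.exe "
            "2164 Sat2186a2fe17bc3.exe 3064 cmd.exe")

# "PID <pid> <verb> <pid_target> <pid> <Process> <procid_target>"; the repeated pid is a backreference
ROW_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \1 (\S+) (\d+)")


def parse_rows(text: str) -> list:
    """(pid, pid_target, process, procid_target) for every row in a flattened signature list."""
    return [(int(p), int(t), proc, int(pt)) for p, _, t, proc, pt in ROW_RE.findall(text)]


def parse_pid_map(text: str) -> dict:
    return {int(p): name for p, name in re.findall(r"(\d+) (\S+)", text)}


def edge_counts(rows: list) -> Counter:
    """How many times each (writer, target) pair appears."""
    return Counter((p, t) for p, t, _, _ in rows)


def parent_of(rows: list) -> dict:
    """First writer into each target: recovers parent links the tree view dropped
    (2164 is shown at top level in the report, yet 1436 wrote into it first)."""
    parents = {}
    for p, t, _, _ in rows:
        parents.setdefault(t, p)
    return parents


def hollowing_candidates(wpm_rows: list, stc_rows: list, images: dict) -> dict:
    """Pairs showing at least two of: SetThreadContext from the writer, more writes than the
    CreateProcess baseline (the modal count per child), a child running the writer's own image."""
    counts = edge_counts(wpm_rows)
    baseline = Counter(counts.values()).most_common(1)[0][0]
    stc_pairs = {(p, t) for p, t, _, _ in stc_rows}
    found = {}
    for (parent, child), n in counts.items():
        reasons = []
        if (parent, child) in stc_pairs:
            reasons.append("parent set the child's thread context")
        if n > baseline:
            reasons.append(f"{n} writes against a baseline of {baseline}")
        if images.get(parent) is not None and images.get(parent) == images.get(child):
            reasons.append("child is a fresh copy of the parent's own image")
        if len(reasons) >= 2:
            found[(parent, child)] = reasons
    return found


if __name__ == "__main__":
    wpm, stc, images = parse_rows(WPM_TEXT), parse_rows(STC_TEXT), parse_pid_map(PID_TEXT)
    print("parents:", parent_of(wpm))
    for pair, why in hollowing_candidates(wpm, stc, images).items():
        print(f"{pair[0]} -> {pair[1]} ({images[pair[1]]}): " + "; ".join(why))
```

Requiring two independent signals keeps ordinary CreateProcess traffic (three writes, different image, no SetThreadContext) out of the result while still catching a loader that hollows a copy of itself.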
Processes
One line per process, indented two spaces per level of the tree (the report's own nesting). Fields: PID | image path | command line | signatures that fired on this process (omitted when none).

PID 3168 | C:\Users\Admin\AppData\Local\Temp\345a5bef0a5c1535244633d9776391f07e1e2e803adc1f545135218dd4da301b.exe | "C:\Users\Admin\AppData\Local\Temp\345a5bef0a5c1535244633d9776391f07e1e2e803adc1f545135218dd4da301b.exe" | Suspicious use of WriteProcessMemory
  PID 628 | C:\Users\Admin\AppData\Local\Temp\setup_installer.exe | "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe" | Executes dropped EXE; Suspicious use of WriteProcessMemory
    PID 1544 | C:\Users\Admin\AppData\Local\Temp\7zS4721B236\setup_install.exe | "C:\Users\Admin\AppData\Local\Temp\7zS4721B236\setup_install.exe" | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      PID 1580 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable | Suspicious use of WriteProcessMemory
        PID 1144 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable | Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      PID 1064 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp" | Suspicious use of WriteProcessMemory
        PID 736 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp" | Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      PID 3456 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Sat215d0254132.exe | Suspicious use of WriteProcessMemory
        PID 2924 | C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat215d0254132.exe | Sat215d0254132.exe | Executes dropped EXE
          PID 4912 | C:\Users\Admin\Pictures\Adobe Films\880obRJ2peZVljWcvPfwSLYQ.exe | "C:\Users\Admin\Pictures\Adobe Films\880obRJ2peZVljWcvPfwSLYQ.exe"
          PID 6116 | C:\Users\Admin\Pictures\Adobe Films\vPfSSfVH3k5wJDIC1o_huerb.exe | "C:\Users\Admin\Pictures\Adobe Films\vPfSSfVH3k5wJDIC1o_huerb.exe"
          PID 5536 | C:\Users\Admin\Pictures\Adobe Films\OoGcmDX43QVOqqOfwhrWveZU.exe | "C:\Users\Admin\Pictures\Adobe Films\OoGcmDX43QVOqqOfwhrWveZU.exe"
          PID 5528 | C:\Users\Admin\Pictures\Adobe Films\pKfT649gIz9ZLtXSj447kq71.exe | "C:\Users\Admin\Pictures\Adobe Films\pKfT649gIz9ZLtXSj447kq71.exe"
          PID 5500 | C:\Users\Admin\Pictures\Adobe Films\shs_R95LC6mIDYkurkxcHFKY.exe | "C:\Users\Admin\Pictures\Adobe Films\shs_R95LC6mIDYkurkxcHFKY.exe"
            PID 720 | C:\Program Files (x86)\Company\NewProduct\rtst1039.exe | "C:\Program Files (x86)\Company\NewProduct\rtst1039.exe"
              PID 4368 | C:\Users\Admin\AppData\Local\Temp\11111.exe | C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            PID 4668 | C:\Program Files (x86)\Company\NewProduct\OneCleanerInst931928.exe | "C:\Program Files (x86)\Company\NewProduct\OneCleanerInst931928.exe"
            PID 1392 | C:\Program Files (x86)\Company\NewProduct\inst2.exe | "C:\Program Files (x86)\Company\NewProduct\inst2.exe"
          PID 5444 | C:\Users\Admin\Pictures\Adobe Films\EZOzdpUS0_hiMYu4aND1lcte.exe | "C:\Users\Admin\Pictures\Adobe Films\EZOzdpUS0_hiMYu4aND1lcte.exe"
          PID 2744 | C:\Users\Admin\Pictures\Adobe Films\ijcU8m0tyKZq1WtjIu4ar2GV.exe | "C:\Users\Admin\Pictures\Adobe Films\ijcU8m0tyKZq1WtjIu4ar2GV.exe"
          PID 4728 | C:\Users\Admin\Pictures\Adobe Films\WJ8DKICj9QEHjJJyLDoXQ7Eg.exe | "C:\Users\Admin\Pictures\Adobe Films\WJ8DKICj9QEHjJJyLDoXQ7Eg.exe"
          PID 6044 | C:\Users\Admin\Pictures\Adobe Films\RO1ZkncEfAhuKET5ToB8W8Zm.exe | "C:\Users\Admin\Pictures\Adobe Films\RO1ZkncEfAhuKET5ToB8W8Zm.exe"
          PID 5688 | C:\Users\Admin\Pictures\Adobe Films\mOgpsEbKEaGKcs048SacWWJJ.exe | "C:\Users\Admin\Pictures\Adobe Films\mOgpsEbKEaGKcs048SacWWJJ.exe"
          PID 2844 | C:\Users\Admin\Pictures\Adobe Films\ymqrQuypkEhs2hJHfmzZSOPK.exe | "C:\Users\Admin\Pictures\Adobe Films\ymqrQuypkEhs2hJHfmzZSOPK.exe"
            PID 7072 | C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe | "C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
          PID 4040 | C:\Users\Admin\Pictures\Adobe Films\ZXPOnilabxCgKqx7mafMB8i1.exe | "C:\Users\Admin\Pictures\Adobe Films\ZXPOnilabxCgKqx7mafMB8i1.exe"
          PID 1036 | C:\Users\Admin\Pictures\Adobe Films\nAxi5YZZZSzvDlR74nfMxLBh.exe | "C:\Users\Admin\Pictures\Adobe Films\nAxi5YZZZSzvDlR74nfMxLBh.exe"
            PID 6432 | C:\Users\Admin\AppData\Local\Temp\7zS53F3.tmp\Install.exe | .\Install.exe
              PID 6792 | C:\Users\Admin\AppData\Local\Temp\7zS8796.tmp\Install.exe | .\Install.exe /S /site_id "525403"
          PID 6128 | C:\Users\Admin\Pictures\Adobe Films\9ra5i0bFeJdqTXU7_J6hjLWO.exe | "C:\Users\Admin\Pictures\Adobe Films\9ra5i0bFeJdqTXU7_J6hjLWO.exe"
          PID 6600 | C:\Users\Admin\Pictures\Adobe Films\FN9w0XFS2p4xLClz_bPvHTgC.exe | "C:\Users\Admin\Pictures\Adobe Films\FN9w0XFS2p4xLClz_bPvHTgC.exe"
          PID 4480 | C:\Users\Admin\Pictures\Adobe Films\vSUYybeInAzGX1oBbkXPpLSn.exe | "C:\Users\Admin\Pictures\Adobe Films\vSUYybeInAzGX1oBbkXPpLSn.exe"
            PID 6184 | C:\Users\Admin\Pictures\Adobe Films\vSUYybeInAzGX1oBbkXPpLSn.exe | "C:\Users\Admin\Pictures\Adobe Films\vSUYybeInAzGX1oBbkXPpLSn.exe"
          PID 7040 | C:\Users\Admin\Pictures\Adobe Films\_W6jHmCW0avL60jMD77p4aY5.exe | "C:\Users\Admin\Pictures\Adobe Films\_W6jHmCW0avL60jMD77p4aY5.exe"
          PID 5508 | C:\Users\Admin\Pictures\Adobe Films\e7ZNwLOdQGZ8QM5qayzB42Bh.exe | "C:\Users\Admin\Pictures\Adobe Films\e7ZNwLOdQGZ8QM5qayzB42Bh.exe"
            PID 3632 | C:\Users\Admin\Pictures\Adobe Films\e7ZNwLOdQGZ8QM5qayzB42Bh.exe | "C:\Users\Admin\Pictures\Adobe Films\e7ZNwLOdQGZ8QM5qayzB42Bh.exe"
              PID 6948 | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 24 | Program crash
          PID 6304 | C:\Users\Admin\Pictures\Adobe Films\CRwrfzVBfvoRW_3iVaSC9TuT.exe | "C:\Users\Admin\Pictures\Adobe Films\CRwrfzVBfvoRW_3iVaSC9TuT.exe"
          PID 6232 | C:\Users\Admin\Pictures\Adobe Films\5IkqZ3toTZ3BJ3lzUYt6ZEnT.exe | "C:\Users\Admin\Pictures\Adobe Films\5IkqZ3toTZ3BJ3lzUYt6ZEnT.exe"
          PID 6980 | C:\Users\Admin\Pictures\Adobe Films\8Fy7pOpaW9G5f_VEwo4hw5L0.exe | "C:\Users\Admin\Pictures\Adobe Films\8Fy7pOpaW9G5f_VEwo4hw5L0.exe"
          PID 7020 | C:\Users\Admin\Pictures\Adobe Films\CNZTzSDEzk2YVEBGALjvKLhO.exe | "C:\Users\Admin\Pictures\Adobe Films\CNZTzSDEzk2YVEBGALjvKLhO.exe"
          PID 7132 | C:\Users\Admin\Pictures\Adobe Films\GGA8POjM688o_sdJPqk4tQdg.exe | "C:\Users\Admin\Pictures\Adobe Films\GGA8POjM688o_sdJPqk4tQdg.exe"
          PID 7128 | C:\Users\Admin\Pictures\Adobe Films\ETxQKzCYSpXi2kkcg3WSr1bQ.exe | "C:\Users\Admin\Pictures\Adobe Films\ETxQKzCYSpXi2kkcg3WSr1bQ.exe"
          PID 6520 | C:\Users\Admin\Pictures\Adobe Films\5EhWvdmUwhG7QQ9fr9nW8AGz.exe | "C:\Users\Admin\Pictures\Adobe Films\5EhWvdmUwhG7QQ9fr9nW8AGz.exe"
          PID 2208 | C:\Users\Admin\Pictures\Adobe Films\_oxs0vHXmG5AnrbmwYwSZ89R.exe | "C:\Users\Admin\Pictures\Adobe Films\_oxs0vHXmG5AnrbmwYwSZ89R.exe"
      PID 3064 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Sat2186a2fe17bc3.exe /mixtwo | Suspicious use of WriteProcessMemory
        PID 1436 | C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat2186a2fe17bc3.exe | Sat2186a2fe17bc3.exe /mixtwo | Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      PID 1036 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Sat211f3dc0dc85a790.exe
        PID 3572 | C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat211f3dc0dc85a790.exe | Sat211f3dc0dc85a790.exe | Executes dropped EXE
          PID 2284 | C:\Users\Admin\AppData\Local\Temp\is-EVBHU.tmp\Sat211f3dc0dc85a790.tmp | "C:\Users\Admin\AppData\Local\Temp\is-EVBHU.tmp\Sat211f3dc0dc85a790.tmp" /SL5="$60060,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat211f3dc0dc85a790.exe" | Executes dropped EXE
            PID 856 | C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat211f3dc0dc85a790.exe | "C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat211f3dc0dc85a790.exe" /SILENT
              PID 4120 | C:\Users\Admin\AppData\Local\Temp\is-5TM8H.tmp\Sat211f3dc0dc85a790.tmp | "C:\Users\Admin\AppData\Local\Temp\is-5TM8H.tmp\Sat211f3dc0dc85a790.tmp" /SL5="$20206,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat211f3dc0dc85a790.exe" /SILENT
      PID 1236 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Sat214f898013408c.exe
        PID 1452 | C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat214f898013408c.exe | Sat214f898013408c.exe | Executes dropped EXE
      PID 3148 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Sat21a3a382cb.exe
        PID 2864 | C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21a3a382cb.exe | Sat21a3a382cb.exe | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
          PID 1228 | C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21a3a382cb.exe | C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21a3a382cb.exe
            PID 4584 | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 24 | Program crash
      PID 2236 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Sat21331fd7d3.exe
        PID 2468 | C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21331fd7d3.exe | Sat21331fd7d3.exe | Executes dropped EXE
          PID 3224 | C:\Windows\SysWOW64\control.exe | "C:\Windows\System32\control.exe" .\T2bGV.~
            PID 4132 | C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\T2bGV.~
              PID 3744 | C:\Windows\system32\RunDll32.exe | C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\T2bGV.~
                PID 5548 | C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\T2bGV.~
      PID 1588 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Sat2175f29e38b1.exe
        PID 1932 | C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat2175f29e38b1.exe | Sat2175f29e38b1.exe | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
          PID 4784 | C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe | "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
            PID 4128 | C:\Users\Admin\AppData\Local\Temp\mynewstfile.exe | "C:\Users\Admin\AppData\Local\Temp\mynewstfile.exe"
            PID 1552 | C:\Users\Admin\AppData\Local\Temp\Ebook10.exe | "C:\Users\Admin\AppData\Local\Temp\Ebook10.exe"
      PID 3256 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Sat21822ebb0e.exe
        PID 3208 | C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21822ebb0e.exe | Sat21822ebb0e.exe | Executes dropped EXE
          PID 1080 | C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21822ebb0e.exe | C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21822ebb0e.exe
      PID 3060 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Sat21cab531e24c.exe
        PID 1448 | C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21cab531e24c.exe | Sat21cab531e24c.exe | Executes dropped EXE
          PID 4572 | C:\Users\Admin\AppData\Local\Temp\11111.exe | C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
          PID 4960 | C:\Users\Admin\AppData\Local\Temp\11111.exe | C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      PID 1824 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Sat21fad2ad3b493fd4.exe
      PID 2004 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Sat21e5d4a320d0.exe
        PID 3656 | C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21e5d4a320d0.exe | Sat21e5d4a320d0.exe | Executes dropped EXE
          PID 3008 | C:\Users\Admin\AppData\Local\Temp\d1eed1bf-2f84-4568-b93b-84d272967dee\AdvancedRun.exe | "C:\Users\Admin\AppData\Local\Temp\d1eed1bf-2f84-4568-b93b-84d272967dee\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\d1eed1bf-2f84-4568-b93b-84d272967dee\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
            PID 4568 | C:\Users\Admin\AppData\Local\Temp\d1eed1bf-2f84-4568-b93b-84d272967dee\AdvancedRun.exe | "C:\Users\Admin\AppData\Local\Temp\d1eed1bf-2f84-4568-b93b-84d272967dee\AdvancedRun.exe" /SpecialRun 4101d8 3008
          PID 4996 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\compostdeb\svchost.exe" -Force
          PID 3152 | C:\Users\Admin\AppData\Local\Temp\d1eed1bf-2f84-4568-b93b-84d272967dee\34f8a741-c325-4b33-9552-a01ea3633ea2.exe | "C:\Users\Admin\AppData\Local\Temp\d1eed1bf-2f84-4568-b93b-84d272967dee\34f8a741-c325-4b33-9552-a01ea3633ea2.exe" /o /c "Windows-Defender" /r
          PID 2196 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\compostdeb\svchost.exe" -Force
          PID 2812 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21e5d4a320d0.exe" -Force
          PID 936 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
          PID 4728 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"
          PID 4820 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"
          PID 5264 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      PID 2068 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Sat21de94a76558.exe
        PID 1840 | C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21de94a76558.exe | Sat21de94a76558.exe | Executes dropped EXE
          PID 4476 | C:\Users\Admin\Pictures\Adobe Films\bENXrHqz8bRohr5r3xBqsO1F.exe | "C:\Users\Admin\Pictures\Adobe Films\bENXrHqz8bRohr5r3xBqsO1F.exe"
          PID 6076 | C:\Users\Admin\Pictures\Adobe Films\dwm2b84989tejiglmLPLiKJI.exe | "C:\Users\Admin\Pictures\Adobe Films\dwm2b84989tejiglmLPLiKJI.exe"
          PID 668 | C:\Users\Admin\Pictures\Adobe Films\r1i9oC5EdQwV2UvO7hvdApFY.exe | "C:\Users\Admin\Pictures\Adobe Films\r1i9oC5EdQwV2UvO7hvdApFY.exe"
          PID 5584 | C:\Users\Admin\Pictures\Adobe Films\OtyFnL2iOD3HA7nmznvDlcFU.exe | "C:\Users\Admin\Pictures\Adobe Films\OtyFnL2iOD3HA7nmznvDlcFU.exe"
          PID 512 | C:\Users\Admin\Pictures\Adobe Films\eSIhQfvjChZA1qPbL8qffvQY.exe | "C:\Users\Admin\Pictures\Adobe Films\eSIhQfvjChZA1qPbL8qffvQY.exe"
          PID 4776 | C:\Users\Admin\Pictures\Adobe Films\Ygn5N1H14gI8IljYx2Zmvb1u.exe | "C:\Users\Admin\Pictures\Adobe Films\Ygn5N1H14gI8IljYx2Zmvb1u.exe"
          PID 5884 | C:\Users\Admin\Pictures\Adobe Films\_kj4FXQXpt_iG8HgZkaf9QrR.exe | "C:\Users\Admin\Pictures\Adobe Films\_kj4FXQXpt_iG8HgZkaf9QrR.exe"
          PID 1912 | C:\Users\Admin\Pictures\Adobe Films\gKkgVRaZcQw1OrXNvLFpZUdF.exe | "C:\Users\Admin\Pictures\Adobe Films\gKkgVRaZcQw1OrXNvLFpZUdF.exe"
          PID 2192 | C:\Users\Admin\Pictures\Adobe Films\n685NpOXMOXzRokqpO9M_Ygl.exe | "C:\Users\Admin\Pictures\Adobe Films\n685NpOXMOXzRokqpO9M_Ygl.exe"
            PID 6512 | C:\Users\Admin\AppData\Local\Temp\7zS648D.tmp\Install.exe | .\Install.exe
              PID 2964 | C:\Users\Admin\AppData\Local\Temp\7zS8C97.tmp\Install.exe | .\Install.exe /S /site_id "525403"
          PID 5892 | C:\Users\Admin\Pictures\Adobe Films\KtgkOQ1zjjVq4WUOkdyY4Ikh.exe | "C:\Users\Admin\Pictures\Adobe Films\KtgkOQ1zjjVq4WUOkdyY4Ikh.exe"
          PID 5588 | C:\Users\Admin\Pictures\Adobe Films\A5WgVguV5bJg2atIEhV54OsM.exe | "C:\Users\Admin\Pictures\Adobe Films\A5WgVguV5bJg2atIEhV54OsM.exe"
          PID 612 | C:\Users\Admin\Pictures\Adobe Films\TACcuaDvCMuG37f1vpK6LKVE.exe | "C:\Users\Admin\Pictures\Adobe Films\TACcuaDvCMuG37f1vpK6LKVE.exe"
            PID 6660 | C:\Users\Admin\Pictures\Adobe Films\TACcuaDvCMuG37f1vpK6LKVE.exe | "C:\Users\Admin\Pictures\Adobe Films\TACcuaDvCMuG37f1vpK6LKVE.exe"
          PID 5392 | C:\Users\Admin\Pictures\Adobe Films\uPQyPaFr6nks2aZQ9MrNog6P.exe | "C:\Users\Admin\Pictures\Adobe Films\uPQyPaFr6nks2aZQ9MrNog6P.exe"
          PID 6500 | C:\Users\Admin\Pictures\Adobe Films\GgWGI0s4t0TJ_ms9rIiOop9p.exe | "C:\Users\Admin\Pictures\Adobe Films\GgWGI0s4t0TJ_ms9rIiOop9p.exe"
          PID 2208 | C:\Users\Admin\Pictures\Adobe Films\tlfFKKQhrW_D_XapN4w2Ugsj.exe | "C:\Users\Admin\Pictures\Adobe Films\tlfFKKQhrW_D_XapN4w2Ugsj.exe"
            PID 4844 | C:\Users\Admin\Pictures\Adobe Films\tlfFKKQhrW_D_XapN4w2Ugsj.exe | "C:\Users\Admin\Pictures\Adobe Films\tlfFKKQhrW_D_XapN4w2Ugsj.exe"
          PID 1644 | C:\Users\Admin\Pictures\Adobe Films\Q4R_7EhHkn2G3Ft_SH5XIZr7.exe | "C:\Users\Admin\Pictures\Adobe Films\Q4R_7EhHkn2G3Ft_SH5XIZr7.exe"
          PID 5804 | C:\Users\Admin\Pictures\Adobe Films\cXsLWo9chnycB3PD3PGLzzxj.exe | "C:\Users\Admin\Pictures\Adobe Films\cXsLWo9chnycB3PD3PGLzzxj.exe"
          PID 6968 | C:\Users\Admin\Pictures\Adobe Films\y36J83KsPS3Z0w5IvKlA0Jlj.exe | "C:\Users\Admin\Pictures\Adobe Films\y36J83KsPS3Z0w5IvKlA0Jlj.exe"
          PID 5488 | C:\Users\Admin\Pictures\Adobe Films\tXDfUCeICEt8kO0AQB4fFtSR.exe | "C:\Users\Admin\Pictures\Adobe Films\tXDfUCeICEt8kO0AQB4fFtSR.exe"
          PID 5716 | C:\Users\Admin\Pictures\Adobe Films\zLcPbq2DL9uvf23CqPLkSIAH.exe | "C:\Users\Admin\Pictures\Adobe Films\zLcPbq2DL9uvf23CqPLkSIAH.exe"
      PID 1712 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Sat2106af2f1b2e3716.exe
        PID 2104 | C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat2106af2f1b2e3716.exe | Sat2106af2f1b2e3716.exe | Executes dropped EXE
      PID 2936 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Sat21d2de5c9915e148.exe
        PID 2716 | C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21d2de5c9915e148.exe | Sat21d2de5c9915e148.exe | Executes dropped EXE
          PID 4676 | C:\Users\Admin\AppData\Local\efb9624f-cc2e-4a1f-bf67-b57bcbb044a2.exe | "C:\Users\Admin\AppData\Local\efb9624f-cc2e-4a1f-bf67-b57bcbb044a2.exe"
          PID 4696 | C:\Users\Admin\AppData\Local\a526dff2-4fc5-4797-94fc-684db9956f30.exe | "C:\Users\Admin\AppData\Local\a526dff2-4fc5-4797-94fc-684db9956f30.exe"
            PID 3208 | C:\Users\Admin\AppData\Roaming\52285273\1640433316404333.exe | "C:\Users\Admin\AppData\Roaming\52285273\1640433316404333.exe" | Suspicious use of AdjustPrivilegeToken
          PID 4872 | C:\Users\Admin\AppData\Local\72bfc834-71c8-4a2e-9d8d-6fcb5d59b771.exe | "C:\Users\Admin\AppData\Local\72bfc834-71c8-4a2e-9d8d-6fcb5d59b771.exe"
          PID 4972 | C:\Users\Admin\AppData\Local\429e20d6-b092-4135-a050-5a1943f63a02.exe | "C:\Users\Admin\AppData\Local\429e20d6-b092-4135-a050-5a1943f63a02.exe"
          PID 5104 | C:\Users\Admin\AppData\Local\1fca6883-42b8-42fc-95fa-d97bb1210ed7.exe | "C:\Users\Admin\AppData\Local\1fca6883-42b8-42fc-95fa-d97bb1210ed7.exe"
            PID 4404 | C:\Users\Admin\AppData\Roaming\5751764.exe | "C:\Users\Admin\AppData\Roaming\5751764.exe"
              PID 5256 | C:\Windows\SysWOW64\control.exe | "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                PID 5448 | C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
      PID 3972 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Sat2191af1420045d6af.exe
        PID 1804 | C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat2191af1420045d6af.exe | Sat2191af1420045d6af.exe | Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
          PID 4344 | C:\Windows\SysWOW64\cmd.exe | cmd.exe /c taskkill /f /im chrome.exe
            PID 5384 | C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im chrome.exe | Kills process with taskkill
      PID 3648 | C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c Sat2184c3c6c75ad8f83.exe
        PID 656 | C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat2184c3c6c75ad8f83.exe | Sat2184c3c6c75ad8f83.exe | Executes dropped EXE
          PID 3620 | C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat2184c3c6c75ad8f83.exe | "C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat2184c3c6c75ad8f83.exe" -u | Executes dropped EXE
PID 2164 | C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat2186a2fe17bc3.exe | Sat2186a2fe17bc3.exe /mixtwo | Executes dropped EXE
  PID 4452 | C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c taskkill /im "Sat2186a2fe17bc3.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat2186a2fe17bc3.exe" & exit
    PID 4732 | C:\Windows\SysWOW64\taskkill.exe | taskkill /im "Sat2186a2fe17bc3.exe" /f | Kills process with taskkill
PID 2964 | C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21fad2ad3b493fd4.exe | Sat21fad2ad3b493fd4.exe | Executes dropped EXE
  PID 4336 | C:\Windows\SysWOW64\control.exe | "C:\Windows\System32\control.exe" .\T2bGV.~
    PID 4464 | C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\T2bGV.~
      PID 2440 | C:\Windows\system32\RunDll32.exe | C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\T2bGV.~
        PID 5844 | C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\T2bGV.~
PID 1980 | C:\Windows\system32\rundll32.exe | rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global | Process spawned unexpected child process
  PID 5116 | C:\Windows\SysWOW64\rundll32.exe | rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
PID 4484 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k SystemNetworkService

Analyst notes on the tree
- Top-level entries other than the submitted sample are processes whose parent link the sandbox did not capture: the WriteProcessMemory list shows 1436 as the writer into 2164, cmd.exe 1824 exists only to run Sat21fad2ad3b493fd4.exe (2964), and rundll32.exe 1980 was started through WmiPrvSE.exe (see the first signature).
- Defender is neutralised before any payload runs: setup_install.exe disables real-time monitoring, sample submission and MAPS reporting, then excludes its working directory; Sat21e5d4a320d0.exe later excludes its own path and C:\Windows\Cursors\compostdeb\svchost.exe, a non-standard location for svchost.exe that names the intended drop path of a later stage.
- The same control-panel payload .\T2bGV.~ is launched twice (by Sat21331fd7d3.exe and by Sat21fad2ad3b493fd4.exe) through control.exe -> rundll32 Shell32.dll,Control_RunDLL, hopping between SysWOW64 and system32 and ending at shell32.dll ordinal #44; 5751764.exe does the same with 5wSR6.cPL. A CPL item is a DLL, so this loads a renamed DLL inside a signed Microsoft host.
- Sat21e5d4a320d0.exe starts four .NET Framework utilities (aspnet_regbrowsers.exe, ComSvcConfig.exe, SMSvcHost.exe, MSBuild.exe) with empty command lines right after AdvancedRun; signed hosts launched argument-less from a Temp-resident parent are the usual targets for an injected payload.
- Sat211f3dc0dc85a790.exe is an Inno Setup installer (the is-*.tmp\*.tmp relaunch with /SL5=), re-run with /SILENT.
- Install.exe /S /site_id "525403" appears under two different Pictures\Adobe Films droppers with the same site id, i.e. two copies of the same affiliate installer.
- Several PIDs are reused within the run (1036, 2208, 2964, 3208, 4728); correlate on PID plus image and time.
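The tree above contains the behaviours a detection engineer would want as rules: Defender tampering through Set-MpPreference/Add-MpPreference, control.exe and Control_RunDLL used to load a non-standard item, .NET Framework hosts started argument-less by a Temp-resident parent, NirSoft-style cookie-dump switches, a browser killed with taskkill, and a LOLBin whose parent is WmiPrvSE.exe. The script below is an added example, not code from the report or the sandbox vendor: a small rule set over process-creation events (fields modelled on Sysmon event 1), evaluated against events constructed from command lines in this tree plus two benign controls that must not fire. The rule names, the browser list and the list of WMI children are the editor's choices.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Process-creation record with the fields a Sysmon event 1 (or an EDR equivalent) carries."""
    pid: int
    image: str
    cmdline: str
    parent_image: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has(pattern: str, text: str) -> bool:
    return re.search(pattern, text, re.I) is not None


USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DOTNET_UTILS = {"aspnet_regbrowsers.exe", "comsvcconfig.exe", "smsvchost.exe", "msbuild.exe"}
WMI_CHILDREN = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe", "cmd.exe"}


def cpl_item(e: ProcEvent):
    """Control Panel item passed to control.exe or to shell32's Control_RunDLL (ordinal #44 in this tree)."""
    name, m = basename(e.image), None
    if name == "control.exe":
        m = re.match(r'\s*"?.*?control\.exe"?\s+(.+)$', e.cmdline, re.I)
    elif name == "rundll32.exe":
        m = re.search(r'(?:control_rundll|shell32\.dll",#44)\s+(.+)$', e.cmdline, re.I)
    return m.group(1).strip().rstrip(",").strip('"') if m else None


def cpl_outside_system_dirs(e: ProcEvent) -> bool:
    item = cpl_item(e)
    if item is None:
        return False
    low = item.lower()  # a real applet is a .cpl under System32/SysWOW64; anything else is suspect
    return not (low.endswith(".cpl") and low.startswith(SYSTEM_DIRS))


def dotnet_utility_abuse(e: ProcEvent) -> bool:
    """A signed .NET Framework host started with no arguments by a parent in a user-writable directory."""
    if basename(e.image) not in DOTNET_UTILS:
        return False
    no_args = e.cmdline.strip().strip('"').lower() == e.image.lower()
    return no_args and USER_WRITABLE.match(e.parent_image) is not None


RULES = [
    ("defender_realtime_disabled", lambda e: has(r"set-mppreference\b.*-disablerealtimemonitoring\s+\$true", e.cmdline)),
    ("defender_cloud_reporting_disabled", lambda e: has(r"-mapsreporting\s+disable|-submitsamplesconsent\s+neversend", e.cmdline)),
    ("defender_exclusion_added", lambda e: has(r"add-mppreference\b.*-exclusionpath", e.cmdline)),
    ("cpl_item_outside_system_dirs", cpl_outside_system_dirs),
    ("dotnet_utility_hollowing_candidate", dotnet_utility_abuse),
    ("nirsoft_cookie_dump_switches", lambda e: has(r"/(cookiesfile|scookiestxt|stab)\b", e.cmdline)),
    ("browser_killed_with_taskkill", lambda e: basename(e.image) == "taskkill.exe"
     and has(r'/im\s+"?(chrome|msedge|firefox|opera|brave)\.exe', e.cmdline)),
    ("wmi_spawned_lolbin", lambda e: basename(e.parent_image) == "wmiprvse.exe" and basename(e.image) in WMI_CHILDREN),
]


def evaluate(events: list) -> dict:
    """PID -> names of the rules that fired, in rule order."""
    return {e.pid: [name for name, pred in RULES if pred(e)] for e in events}


# Constructed from command lines in the process tree above (parents as the tree shows them),
# plus two benign controls (PIDs 4484 and 9001) that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(1144, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference "
              "-DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable",
              r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(736, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"',
              r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(3224, r"C:\Windows\SysWOW64\control.exe", r'"C:\Windows\System32\control.exe" .\T2bGV.~',
              r"C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21331fd7d3.exe"),
    ProcEvent(5448, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",',
              r"C:\Windows\SysWOW64\control.exe"),
    ProcEvent(936, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"',
              r"C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21e5d4a320d0.exe"),
    ProcEvent(4572, r"C:\Users\Admin\AppData\Local\Temp\11111.exe",
              r'C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt',
              r"C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21cab531e24c.exe"),
    ProcEvent(5384, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im chrome.exe", r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(1980, r"C:\Windows\system32\rundll32.exe", r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global',
              r"C:\Windows\system32\wbem\wmiprvse.exe"),
    ProcEvent(4484, r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\svchost.exe -k SystemNetworkService",
              r"C:\Windows\system32\services.exe"),
    ProcEvent(9001, r"C:\Windows\System32\control.exe", r"control.exe C:\Windows\System32\timedate.cpl", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, hits in evaluate(SAMPLE_EVENTS).items():
        print(pid, hits or "-")
```

The CPL rule deliberately keys on where the item lives and what extension it has rather than on control.exe itself, which is why the constructed timedate.cpl launch stays quiet; the .NET rule likewise needs both an empty command line and a user-writable parent, since MSBuild.exe with arguments from a build server is normal.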