Analysis
max time kernel: 39s
max time network: 165s
platform: windows7_x64
resource: win7-en-20211208
submitted: 20/12/2021, 14:03
Static task: static1
Behavioral task: behavioral1
  Sample: 5559eb4c20778c0531d586560bfb67605efe485b56ba30300331841586a0819d.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 5559eb4c20778c0531d586560bfb67605efe485b56ba30300331841586a0819d.exe
  Resource: win10-en-20211208
General
Target: 5559eb4c20778c0531d586560bfb67605efe485b56ba30300331841586a0819d.exe
Size: 7.7MB
MD5: 1cae05a3646796c127912f7e2cb6ef28
SHA1: 76fbcc90f87a8935149cdd9a55aefd9b7893fc35
SHA256: 5559eb4c20778c0531d586560bfb67605efe485b56ba30300331841586a0819d
SHA512: 991ed48a025cffe2fa7fc94e0ad5ea39b975712645c19630675cd44207a30746900fa2989442768401c3ec656d381e60669d350f0ab6360f5938d1e3ae7d2646
Malware Config
Extracted: socelars
  http://www.biohazardgraphics.com/
Extracted: vidar
  49.1
  915
  https://noc.social/@sergeev46
  https://c.im/@sergeev47
  profile_id: 915
Extracted: raccoon
  164fb74855c13a4287d8fe7ac579a35bdf7002ab
  url4cnc:
    http://194.180.174.53/takecareandkeepitup
    http://91.219.236.18/takecareandkeepitup
    http://194.180.174.41/takecareandkeepitup
    http://91.219.236.148/takecareandkeepitup
    https://t.me/takecareandkeepitup
Extracted: smokeloader
  2020
  http://rcacademy.at/upload/
  http://e-lanpengeonline.com/upload/
  http://vjcmvz.cn/upload/
  http://galala.ru/upload/
  http://witra.ru/upload/
Signatures

Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2688 | 2436 | rundll32.exe | 82

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (1 IoCs)
resource | yara_rule
behavioral1/memory/2100-323-0x0000000000419332-mapping.dmp | family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (1 IoCs)
resource | yara_rule
behavioral1/files/0x00060000000132fe-105.dat | family_socelars

suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

NirSoft WebBrowserPassView (1 IoCs)
Password recovery tool for various web browsers
resource | yara_rule
behavioral1/files/0x00060000000132cc-126.dat | WebBrowserPassView

Nirsoft (2 IoCs)
resource | yara_rule
behavioral1/files/0x00060000000132cc-126.dat | Nirsoft
behavioral1/memory/828-237-0x0000000000400000-0x0000000000455000-memory.dmp | Nirsoft

Vidar Stealer (2 IoCs)
resource | yara_rule
behavioral1/memory/1756-228-0x0000000001DD0000-0x0000000001EA9000-memory.dmp | family_vidar
behavioral1/memory/1756-229-0x0000000000400000-0x0000000000536000-memory.dmp | family_vidar

resource | yara_rule
behavioral1/files/0x000600000001263f-70.dat | aspack_v212_v242
behavioral1/files/0x000600000001263f-71.dat | aspack_v212_v242
behavioral1/files/0x00070000000125cc-72.dat | aspack_v212_v242
behavioral1/files/0x00070000000125cc-73.dat | aspack_v212_v242
behavioral1/files/0x0006000000012665-76.dat | aspack_v212_v242
behavioral1/files/0x0006000000012665-77.dat | aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE (14 IoCs)
pid | Process
268 | setup_installer.exe
564 | setup_install.exe
1352 | Sat1988552a1d427c.exe
1184 | Sat1908ae0c8e3eb49.exe
292 | Sat1912c54135c725.exe
800 | Sat1901bcef783ac39.exe
360 | Sat19ce299a2dc74.exe
1808 | timeout.exe
1932 | Sat194450a25aea7.exe
1480 | Sat19ffa03d0eed4.exe
1724 | Sat19bf318872f2f09a.exe
1728 | Sat19e81939673f.exe
1756 | Sat199c2dca121aeaa18.exe
632 | Sat192d00daf043.exe

Loads dropped DLL (45 IoCs)
pid | Process
1576 | 5559eb4c20778c0531d586560bfb67605efe485b56ba30300331841586a0819d.exe
268 | setup_installer.exe
268 | setup_installer.exe
268 | setup_installer.exe
268 | setup_installer.exe
268 | setup_installer.exe
268 | setup_installer.exe
564 | setup_install.exe
564 | setup_install.exe
564 | setup_install.exe
564 | setup_install.exe
564 | setup_install.exe
564 | setup_install.exe
564 | setup_install.exe
564 | setup_install.exe
1476 | cmd.exe
1476 | cmd.exe
872 | cmd.exe
872 | cmd.exe
1352 | Sat1988552a1d427c.exe
1352 | Sat1988552a1d427c.exe
1184 | Sat1908ae0c8e3eb49.exe
1184 | Sat1908ae0c8e3eb49.exe
1688 | cmd.exe
804 | cmd.exe
1288 | cmd.exe
1288 | cmd.exe
1352 | Sat1988552a1d427c.exe
1792 | cmd.exe
1312 | cmd.exe
1312 | cmd.exe
1588 | cmd.exe
1684 | cmd.exe
2024 | cmd.exe
1720 | cmd.exe
1720 | cmd.exe
1728 | Sat19e81939673f.exe
1728 | Sat19e81939673f.exe
1724 | Sat19bf318872f2f09a.exe
1724 | Sat19bf318872f2f09a.exe
384 | cmd.exe
384 | cmd.exe
800 | Sat1901bcef783ac39.exe
800 | Sat1901bcef783ac39.exe
1756 | Sat199c2dca121aeaa18.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (5 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
78 | api.db-ip.com
16 | ip-api.com
51 | ipinfo.io
52 | ipinfo.io
77 | api.db-ip.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
pid | pid_target | Process | procid_target
2112 | 1724 | WerFault.exe | 57
1808 | 1728 | WerFault.exe | 56

Delays execution with timeout.exe (1 IoCs)
pid | Process
1808 | timeout.exe

Kills process with taskkill (2 IoCs)
pid | Process
2132 | taskkill.exe
2720 | taskkill.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1576 wrote to memory of 268 | 1576 | 5559eb4c20778c0531d586560bfb67605efe485b56ba30300331841586a0819d.exe | 27
PID 1576 wrote to memory of 268 | 1576 | 5559eb4c20778c0531d586560bfb67605efe485b56ba30300331841586a0819d.exe | 27
PID 1576 wrote to memory of 268 | 1576 | 5559eb4c20778c0531d586560bfb67605efe485b56ba30300331841586a0819d.exe | 27
PID 1576 wrote to memory of 268 | 1576 | 5559eb4c20778c0531d586560bfb67605efe485b56ba30300331841586a0819d.exe | 27
PID 1576 wrote to memory of 268 | 1576 | 5559eb4c20778c0531d586560bfb67605efe485b56ba30300331841586a0819d.exe | 27
PID 1576 wrote to memory of 268 | 1576 | 5559eb4c20778c0531d586560bfb67605efe485b56ba30300331841586a0819d.exe | 27
PID 1576 wrote to memory of 268 | 1576 | 5559eb4c20778c0531d586560bfb67605efe485b56ba30300331841586a0819d.exe | 27
PID 268 wrote to memory of 564 | 268 | setup_installer.exe | 28
PID 268 wrote to memory of 564 | 268 | setup_installer.exe | 28
PID 268 wrote to memory of 564 | 268 | setup_installer.exe | 28
PID 268 wrote to memory of 564 | 268 | setup_installer.exe | 28
PID 268 wrote to memory of 564 | 268 | setup_installer.exe | 28
PID 268 wrote to memory of 564 | 268 | setup_installer.exe | 28
PID 268 wrote to memory of 564 | 268 | setup_installer.exe | 28
PID 564 wrote to memory of 1612 | 564 | setup_install.exe | 30
PID 564 wrote to memory of 1612 | 564 | setup_install.exe | 30
PID 564 wrote to memory of 1612 | 564 | setup_install.exe | 30
PID 564 wrote to memory of 1612 | 564 | setup_install.exe | 30
PID 564 wrote to memory of 1612 | 564 | setup_install.exe | 30
PID 564 wrote to memory of 1612 | 564 | setup_install.exe | 30
PID 564 wrote to memory of 1612 | 564 | setup_install.exe | 30
PID 564 wrote to memory of 1988 | 564 | setup_install.exe | 31
PID 564 wrote to memory of 1988 | 564 | setup_install.exe | 31
PID 564 wrote to memory of 1988 | 564 | setup_install.exe | 31
PID 564 wrote to memory of 1988 | 564 | setup_install.exe | 31
PID 564 wrote to memory of 1988 | 564 | setup_install.exe | 31
PID 564 wrote to memory of 1988 | 564 | setup_install.exe | 31
PID 564 wrote to memory of 1988 | 564 | setup_install.exe | 31
PID 564 wrote to memory of 1588 | 564 | setup_install.exe | 32
PID 564 wrote to memory of 1588 | 564 | setup_install.exe | 32
PID 564 wrote to memory of 1588 | 564 | setup_install.exe | 32
PID 564 wrote to memory of 1588 | 564 | setup_install.exe | 32
PID 564 wrote to memory of 1588 | 564 | setup_install.exe | 32
PID 564 wrote to memory of 1588 | 564 | setup_install.exe | 32
PID 564 wrote to memory of 1588 | 564 | setup_install.exe | 32
PID 564 wrote to memory of 1476 | 564 | setup_install.exe | 33
PID 564 wrote to memory of 1476 | 564 | setup_install.exe | 33
PID 564 wrote to memory of 1476 | 564 | setup_install.exe | 33
PID 564 wrote to memory of 1476 | 564 | setup_install.exe | 33
PID 564 wrote to memory of 1476 | 564 | setup_install.exe | 33
PID 564 wrote to memory of 1476 | 564 | setup_install.exe | 33
PID 564 wrote to memory of 1476 | 564 | setup_install.exe | 33
PID 564 wrote to memory of 1004 | 564 | setup_install.exe | 34
PID 564 wrote to memory of 1004 | 564 | setup_install.exe | 34
PID 564 wrote to memory of 1004 | 564 | setup_install.exe | 34
PID 564 wrote to memory of 1004 | 564 | setup_install.exe | 34
PID 564 wrote to memory of 1004 | 564 | setup_install.exe | 34
PID 564 wrote to memory of 1004 | 564 | setup_install.exe | 34
PID 564 wrote to memory of 1004 | 564 | setup_install.exe | 34
PID 564 wrote to memory of 872 | 564 | setup_install.exe | 35
PID 564 wrote to memory of 872 | 564 | setup_install.exe | 35
PID 564 wrote to memory of 872 | 564 | setup_install.exe | 35
PID 564 wrote to memory of 872 | 564 | setup_install.exe | 35
PID 564 wrote to memory of 872 | 564 | setup_install.exe | 35
PID 564 wrote to memory of 872 | 564 | setup_install.exe | 35
PID 564 wrote to memory of 872 | 564 | setup_install.exe | 35
PID 564 wrote to memory of 1688 | 564 | setup_install.exe | 36
PID 564 wrote to memory of 1688 | 564 | setup_install.exe | 36
PID 564 wrote to memory of 1688 | 564 | setup_install.exe | 36
PID 564 wrote to memory of 1688 | 564 | setup_install.exe | 36
PID 564 wrote to memory of 1688 | 564 | setup_install.exe | 36
PID 564 wrote to memory of 1688 | 564 | setup_install.exe | 36
PID 564 wrote to memory of 1688 | 564 | setup_install.exe | 36
PID 564 wrote to memory of 1720 | 564 | setup_install.exe | 37
Processes (process tree; each child is indented under its parent)

[PID 1576] C:\Users\Admin\AppData\Local\Temp\5559eb4c20778c0531d586560bfb67605efe485b56ba30300331841586a0819d.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\5559eb4c20778c0531d586560bfb67605efe485b56ba30300331841586a0819d.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  [PID 268] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    [PID 564] C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\setup_install.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\setup_install.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      [PID 1612] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        [PID 676] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      [PID 1988] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        [PID 584] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          cmdline: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      [PID 1588] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c Sat19bf318872f2f09a.exe
        - Loads dropped DLL
        [PID 1724] C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat19bf318872f2f09a.exe
          cmdline: Sat19bf318872f2f09a.exe
          - Executes dropped EXE
          - Loads dropped DLL
          [PID 2412] C:\Users\Admin\Pictures\Adobe Films\xVLHTAUgznypkXxOPmfq_QKL.exe
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\xVLHTAUgznypkXxOPmfq_QKL.exe"
          [PID 2112] C:\Windows\SysWOW64\WerFault.exe
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 568
            - Program crash
      [PID 1476] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c Sat1988552a1d427c.exe
        - Loads dropped DLL
        [PID 1352] C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat1988552a1d427c.exe
          cmdline: Sat1988552a1d427c.exe
          - Executes dropped EXE
          - Loads dropped DLL
          [PID 1808] C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat1988552a1d427c.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat1988552a1d427c.exe" -u
      [PID 1004] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c Sat19b31e745e.exe
      [PID 872] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c Sat1908ae0c8e3eb49.exe
        - Loads dropped DLL
        [PID 1184] C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat1908ae0c8e3eb49.exe
          cmdline: Sat1908ae0c8e3eb49.exe
          - Executes dropped EXE
          - Loads dropped DLL
      [PID 1688] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c Sat19ce299a2dc74.exe
        - Loads dropped DLL
        [PID 360] C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat19ce299a2dc74.exe
          cmdline: Sat19ce299a2dc74.exe
          - Executes dropped EXE
          [PID 2288] C:\Users\Admin\AppData\Local\c88629e8-7483-440c-9f55-25e8949d8541.exe
            cmdline: "C:\Users\Admin\AppData\Local\c88629e8-7483-440c-9f55-25e8949d8541.exe"
          [PID 2808] C:\Users\Admin\AppData\Local\2bd82bdd-859a-40df-8c4b-8ec443c34ca4.exe
            cmdline: "C:\Users\Admin\AppData\Local\2bd82bdd-859a-40df-8c4b-8ec443c34ca4.exe"
            [PID 772] C:\Users\Admin\AppData\Roaming\13323327\285471613652657.exe
              cmdline: "C:\Users\Admin\AppData\Roaming\13323327\285471613652657.exe"
          [PID 2688] C:\Users\Admin\AppData\Local\8cf84daf-b625-43a7-821e-154376175a40.exe
            cmdline: "C:\Users\Admin\AppData\Local\8cf84daf-b625-43a7-821e-154376175a40.exe"
          [PID 2992] C:\Users\Admin\AppData\Local\74b92d8b-b105-467c-911f-05460b07a139.exe
            cmdline: "C:\Users\Admin\AppData\Local\74b92d8b-b105-467c-911f-05460b07a139.exe"
          [PID 3008] C:\Users\Admin\AppData\Local\399f5f93-ce6c-4bb1-943c-98af1db4660b.exe
            cmdline: "C:\Users\Admin\AppData\Local\399f5f93-ce6c-4bb1-943c-98af1db4660b.exe"
            [PID 276] C:\Users\Admin\AppData\Roaming\3131639.exe
              cmdline: "C:\Users\Admin\AppData\Roaming\3131639.exe"
              [PID 2216] C:\Windows\SysWOW64\control.exe
                cmdline: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                [PID 1716] C:\Windows\SysWOW64\rundll32.exe
                  cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
      [PID 1720] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c Sat199c2dca121aeaa18.exe
        - Loads dropped DLL
        [PID 1756] C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat199c2dca121aeaa18.exe
          cmdline: Sat199c2dca121aeaa18.exe
          - Executes dropped EXE
          - Loads dropped DLL
          [PID 2604] C:\Windows\SysWOW64\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im Sat199c2dca121aeaa18.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat199c2dca121aeaa18.exe" & del C:\ProgramData\*.dll & exit
            [PID 2720] C:\Windows\SysWOW64\taskkill.exe
              cmdline: taskkill /im Sat199c2dca121aeaa18.exe /f
              - Kills process with taskkill
            [PID 1808] C:\Windows\SysWOW64\timeout.exe
              cmdline: timeout /t 6
              - Executes dropped EXE
              - Delays execution with timeout.exe
      [PID 2024] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c Sat192d00daf043.exe
        - Loads dropped DLL
        [PID 632] C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat192d00daf043.exe
          cmdline: Sat192d00daf043.exe
          - Executes dropped EXE
          [PID 2392] C:\Windows\SysWOW64\control.exe
            cmdline: "C:\Windows\System32\control.exe" .\5LQZ.CB
            [PID 2456] C:\Windows\SysWOW64\rundll32.exe
              cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\5LQZ.CB
              [PID 2520] C:\Windows\system32\RunDll32.exe
                cmdline: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\5LQZ.CB
      [PID 1312] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c Sat19ffa03d0eed4.exe
        - Loads dropped DLL
        [PID 1480] C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat19ffa03d0eed4.exe
          cmdline: Sat19ffa03d0eed4.exe
          - Executes dropped EXE
          [PID 1864] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
            cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
            [PID 1772] C:\Windows\SysWOW64\cmd.exe
              cmdline: C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
            [PID 1536] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
              cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
      [PID 1632] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c Sat199e3c11cc71143ca.exe
        [PID 1072] C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat199e3c11cc71143ca.exe
          cmdline: Sat199e3c11cc71143ca.exe
          [PID 828] C:\Users\Admin\AppData\Local\Temp\11111.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
          [PID 2280] C:\Users\Admin\AppData\Local\Temp\11111.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      [PID 1288] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c Sat1901bcef783ac39.exe /mixtwo
        - Loads dropped DLL
        [PID 800] C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat1901bcef783ac39.exe
          cmdline: Sat1901bcef783ac39.exe /mixtwo
          - Executes dropped EXE
          - Loads dropped DLL
          [PID 1040] C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat1901bcef783ac39.exe
            cmdline: Sat1901bcef783ac39.exe /mixtwo
            [PID 1976] C:\Windows\SysWOW64\cmd.exe
              cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "Sat1901bcef783ac39.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat1901bcef783ac39.exe" & exit
              [PID 2132] C:\Windows\SysWOW64\taskkill.exe
                cmdline: taskkill /im "Sat1901bcef783ac39.exe" /f
                - Kills process with taskkill
      [PID 384] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c Sat197d72e4232.exe
        - Loads dropped DLL
        [PID 1020] C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat197d72e4232.exe
          cmdline: Sat197d72e4232.exe
          [PID 1000] C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat197d72e4232.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat197d72e4232.exe
          [PID 2724] C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat197d72e4232.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat197d72e4232.exe
      [PID 920] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c Sat1958c142005a6c92.exe
        [PID 1404] C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat1958c142005a6c92.exe
          cmdline: Sat1958c142005a6c92.exe
          [PID 1736] C:\Users\Admin\AppData\Local\Temp\is-98QKI.tmp\Sat1958c142005a6c92.tmp
            cmdline: "C:\Users\Admin\AppData\Local\Temp\is-98QKI.tmp\Sat1958c142005a6c92.tmp" /SL5="$20166,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat1958c142005a6c92.exe"
            [PID 2152] C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat1958c142005a6c92.exe
              cmdline: "C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat1958c142005a6c92.exe" /SILENT
              [PID 2360] C:\Users\Admin\AppData\Local\Temp\is-MCGAF.tmp\Sat1958c142005a6c92.tmp
                cmdline: "C:\Users\Admin\AppData\Local\Temp\is-MCGAF.tmp\Sat1958c142005a6c92.tmp" /SL5="$101B6,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat1958c142005a6c92.exe" /SILENT
      [PID 804] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c Sat1912c54135c725.exe
        - Loads dropped DLL
        [PID 292] C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat1912c54135c725.exe
          cmdline: Sat1912c54135c725.exe
          - Executes dropped EXE
          [PID 2628] C:\Windows\SysWOW64\control.exe
            cmdline: "C:\Windows\System32\control.exe" .\5LQZ.CB
            [PID 2668] C:\Windows\SysWOW64\rundll32.exe
              cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\5LQZ.CB
              [PID 2396] C:\Windows\system32\RunDll32.exe
                cmdline: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\5LQZ.CB
                [PID 2388] C:\Windows\SysWOW64\rundll32.exe
                  cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\5LQZ.CB
      [PID 1684] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c Sat19e81939673f.exe
        - Loads dropped DLL
        [PID 1728] C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat19e81939673f.exe
          cmdline: Sat19e81939673f.exe
          - Executes dropped EXE
          - Loads dropped DLL
          [PID 1828] C:\Users\Admin\Pictures\Adobe Films\17mE5VuCxCdX2ACcyEj8E_Xh.exe
            cmdline: "C:\Users\Admin\Pictures\Adobe Films\17mE5VuCxCdX2ACcyEj8E_Xh.exe"
          [PID 1808] C:\Windows\SysWOW64\WerFault.exe
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 396
            - Program crash
      [PID 1792] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c Sat194450a25aea7.exe
        - Loads dropped DLL
        [PID 1932] C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat194450a25aea7.exe
          cmdline: Sat194450a25aea7.exe
          - Executes dropped EXE
      [PID 1272] C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c Sat197b041c46.exe
        [PID 316] C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat197b041c46.exe
          cmdline: Sat197b041c46.exe
          [PID 2100] C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat197b041c46.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat197b041c46.exe

[PID 2688] C:\Windows\system32\rundll32.exe
  cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
  [PID 2700] C:\Windows\SysWOW64\rundll32.exe
    cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

[PID 2792] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k SystemNetworkService