Analysis
  max time kernel:  10s
  max time network: 150s
  platform:         windows7_x64
  resource:         win7-en-20211208
  submitted:        23/12/2021, 07:51

Static task: static1
Behavioral task: behavioral1
  Sample:   setup_installx86-x64.exe
  Resource: win7-en-20211208
General
  Target: setup_installx86-x64.exe
  Size:   7.1MB
  MD5:    d06111bbd0a0f6349839b9797debc907
  SHA1:   3fa1a7536f313f159eeedfa9d220eeae0a93c50e
  SHA256: f5554b622bea1b21acb4b2bb7b4355f20f4f05984c6fddad79b146d0a60fec3a
  SHA512: 26518f831334fd1c17fdaa2c33b0714532381724554c2265c348a79ff5bdd66c14e6ff90f1b9c96904f3e177c2f927b5c1c61c2126f4e6563c05ecdc0cc07492
Malware Config

Extracted
  Family: socelars
  C2:     http://www.biohazardgraphics.com/

Extracted
  Family: redline
  Botnet: media22ns
  C2:     65.108.69.168:13293

Extracted
  Family: redline
  Botnet: userv1
  C2:     159.69.246.184:13127
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
  description:   Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  pid:           2948
  pid_target:    2820
  Process:       rundll32.exe
  procid_target: 78
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (6 IoCs)
  resource                                                                        yara_rule
  behavioral1/memory/3036-275-0x0000000000419336-mapping.dmp                      family_redline
  behavioral1/memory/3036-280-0x0000000000400000-0x0000000000420000-memory.dmp    family_redline
  behavioral1/memory/3036-281-0x0000000000400000-0x0000000000420000-memory.dmp    family_redline
  behavioral1/memory/864-290-0x000000000041932A-mapping.dmp                       family_redline
  behavioral1/memory/864-294-0x0000000000400000-0x0000000000420000-memory.dmp     family_redline
  behavioral1/memory/864-295-0x0000000000400000-0x0000000000420000-memory.dmp     family_redline
Socelars Payload (2 IoCs)
  resource                                      yara_rule
  behavioral1/files/0x0006000000013921-185.dat  family_socelars
  behavioral1/files/0x0006000000013921-123.dat  family_socelars
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
NirSoft WebBrowserPassView (4 IoCs)
Password recovery tool for various web browsers
  resource                                                                        yara_rule
  behavioral1/files/0x0006000000013905-103.dat                                    WebBrowserPassView
  behavioral1/files/0x0006000000013905-140.dat                                    WebBrowserPassView
  behavioral1/files/0x0006000000013905-127.dat                                    WebBrowserPassView
  behavioral1/memory/2684-256-0x0000000000400000-0x000000000047C000-memory.dmp    WebBrowserPassView

Nirsoft (5 IoCs)
  resource                                                                        yara_rule
  behavioral1/files/0x0006000000013905-103.dat                                    Nirsoft
  behavioral1/files/0x0006000000013905-140.dat                                    Nirsoft
  behavioral1/files/0x0006000000013905-127.dat                                    Nirsoft
  behavioral1/memory/2432-238-0x0000000000400000-0x0000000000455000-memory.dmp    Nirsoft
  behavioral1/memory/2684-256-0x0000000000400000-0x000000000047C000-memory.dmp    Nirsoft

Vidar Stealer (1 IoC)
  resource                                                                        yara_rule
  behavioral1/memory/1700-324-0x0000000002270000-0x0000000002345000-memory.dmp    family_vidar

  resource                                      yara_rule
  behavioral1/files/0x0006000000013306-70.dat   aspack_v212_v242
  behavioral1/files/0x0006000000013302-72.dat   aspack_v212_v242
  behavioral1/files/0x0006000000013306-71.dat   aspack_v212_v242
  behavioral1/files/0x0006000000013302-73.dat   aspack_v212_v242
  behavioral1/files/0x0006000000013327-76.dat   aspack_v212_v242
  behavioral1/files/0x0006000000013327-77.dat   aspack_v212_v242
Downloads MZ/PE file

Executes dropped EXE (8 IoCs)
  pid   Process
  1880  setup_installer.exe
  1496  setup_install.exe
  960   Thu07d6a2267aa5.exe
  1336  Thu0730521211247da.exe
  1284  Thu070f7f2b1c41c43.exe
  2024  Thu0747267ec544d.exe
  860   Thu0799abc000783e72.exe
  1724  Thu0779f12e8f87b68dc.exe

Loads dropped DLL (29 IoCs)
  pid   Process
  1700  setup_installx86-x64.exe
  1880  setup_installer.exe
  1880  setup_installer.exe
  1880  setup_installer.exe
  1880  setup_installer.exe
  1880  setup_installer.exe
  1880  setup_installer.exe
  1496  setup_install.exe
  1496  setup_install.exe
  1496  setup_install.exe
  1496  setup_install.exe
  1496  setup_install.exe
  1496  setup_install.exe
  1496  setup_install.exe
  1496  setup_install.exe
  1328  cmd.exe
  1328  cmd.exe
  1636  cmd.exe
  1532  cmd.exe
  988   cmd.exe
  988   cmd.exe
  864   Thu079dbbbe564.exe
  960   Thu07d6a2267aa5.exe
  960   Thu07d6a2267aa5.exe
  1284  Thu070f7f2b1c41c43.exe
  1284  Thu070f7f2b1c41c43.exe
  1964  cmd.exe
  2024  Thu0747267ec544d.exe
  2024  Thu0747267ec544d.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  20    ip-api.com
  48    ipinfo.io
  49    ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  1364  2024        WerFault.exe  42

Delays execution with timeout.exe (1 IoC)
  pid   Process
  2608  timeout.exe

Kills process with taskkill (3 IoCs)
  pid   Process
  2628  taskkill.exe
  1260  taskkill.exe
  2516  taskkill.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description                       pid   Process                   procid_target
  PID 1700 wrote to memory of 1880  1700  setup_installx86-x64.exe  27
  PID 1700 wrote to memory of 1880  1700  setup_installx86-x64.exe  27
  PID 1700 wrote to memory of 1880  1700  setup_installx86-x64.exe  27
  PID 1700 wrote to memory of 1880  1700  setup_installx86-x64.exe  27
  PID 1700 wrote to memory of 1880  1700  setup_installx86-x64.exe  27
  PID 1700 wrote to memory of 1880  1700  setup_installx86-x64.exe  27
  PID 1700 wrote to memory of 1880  1700  setup_installx86-x64.exe  27
  PID 1880 wrote to memory of 1496  1880  setup_installer.exe       28
  PID 1880 wrote to memory of 1496  1880  setup_installer.exe       28
  PID 1880 wrote to memory of 1496  1880  setup_installer.exe       28
  PID 1880 wrote to memory of 1496  1880  setup_installer.exe       28
  PID 1880 wrote to memory of 1496  1880  setup_installer.exe       28
  PID 1880 wrote to memory of 1496  1880  setup_installer.exe       28
  PID 1880 wrote to memory of 1496  1880  setup_installer.exe       28
  PID 1496 wrote to memory of 1900  1496  setup_install.exe         30
  PID 1496 wrote to memory of 1900  1496  setup_install.exe         30
  PID 1496 wrote to memory of 1900  1496  setup_install.exe         30
  PID 1496 wrote to memory of 1900  1496  setup_install.exe         30
  PID 1496 wrote to memory of 1900  1496  setup_install.exe         30
  PID 1496 wrote to memory of 1900  1496  setup_install.exe         30
  PID 1496 wrote to memory of 1900  1496  setup_install.exe         30
  PID 1496 wrote to memory of 1668  1496  setup_install.exe         31
  PID 1496 wrote to memory of 1668  1496  setup_install.exe         31
  PID 1496 wrote to memory of 1668  1496  setup_install.exe         31
  PID 1496 wrote to memory of 1668  1496  setup_install.exe         31
  PID 1496 wrote to memory of 1668  1496  setup_install.exe         31
  PID 1496 wrote to memory of 1668  1496  setup_install.exe         31
  PID 1496 wrote to memory of 1668  1496  setup_install.exe         31
  PID 1496 wrote to memory of 1636  1496  setup_install.exe         32
  PID 1496 wrote to memory of 1636  1496  setup_install.exe         32
  PID 1496 wrote to memory of 1636  1496  setup_install.exe         32
  PID 1496 wrote to memory of 1636  1496  setup_install.exe         32
  PID 1496 wrote to memory of 1636  1496  setup_install.exe         32
  PID 1496 wrote to memory of 1636  1496  setup_install.exe         32
  PID 1496 wrote to memory of 1636  1496  setup_install.exe         32
  PID 1496 wrote to memory of 1328  1496  setup_install.exe         33
  PID 1496 wrote to memory of 1328  1496  setup_install.exe         33
  PID 1496 wrote to memory of 1328  1496  setup_install.exe         33
  PID 1496 wrote to memory of 1328  1496  setup_install.exe         33
  PID 1496 wrote to memory of 1328  1496  setup_install.exe         33
  PID 1496 wrote to memory of 1328  1496  setup_install.exe         33
  PID 1496 wrote to memory of 1328  1496  setup_install.exe         33
  PID 1496 wrote to memory of 1532  1496  setup_install.exe         34
  PID 1496 wrote to memory of 1532  1496  setup_install.exe         34
  PID 1496 wrote to memory of 1532  1496  setup_install.exe         34
  PID 1496 wrote to memory of 1532  1496  setup_install.exe         34
  PID 1496 wrote to memory of 1532  1496  setup_install.exe         34
  PID 1496 wrote to memory of 1532  1496  setup_install.exe         34
  PID 1496 wrote to memory of 1532  1496  setup_install.exe         34
  PID 1496 wrote to memory of 988   1496  setup_install.exe         35
  PID 1496 wrote to memory of 988   1496  setup_install.exe         35
  PID 1496 wrote to memory of 988   1496  setup_install.exe         35
  PID 1496 wrote to memory of 988   1496  setup_install.exe         35
  PID 1496 wrote to memory of 988   1496  setup_install.exe         35
  PID 1496 wrote to memory of 988   1496  setup_install.exe         35
  PID 1496 wrote to memory of 988   1496  setup_install.exe         35
  PID 1496 wrote to memory of 1016  1496  setup_install.exe         36
  PID 1496 wrote to memory of 1016  1496  setup_install.exe         36
  PID 1496 wrote to memory of 1016  1496  setup_install.exe         36
  PID 1496 wrote to memory of 1016  1496  setup_install.exe         36
  PID 1496 wrote to memory of 1016  1496  setup_install.exe         36
  PID 1496 wrote to memory of 1016  1496  setup_install.exe         36
  PID 1496 wrote to memory of 1016  1496  setup_install.exe         36
  PID 1496 wrote to memory of 1992  1496  setup_install.exe         38
Processes
(process tree; indentation shows parent/child depth, dashes list the signatures attached to each process)

C:\Users\Admin\AppData\Local\Temp\setup_installx86-x64.exe (PID 1700)
  command line: "C:\Users\Admin\AppData\Local\Temp\setup_installx86-x64.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\setup_installer.exe (PID 1880)
    command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\setup_install.exe (PID 1496)
      command line: "C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\setup_install.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe (PID 1900)
        command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1712)
          command line: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      C:\Windows\SysWOW64\cmd.exe (PID 1668)
        command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 984)
          command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      C:\Windows\SysWOW64\cmd.exe (PID 1636)
        command line: C:\Windows\system32\cmd.exe /c Thu0730521211247da.exe
        - Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu0730521211247da.exe (PID 1336)
          command line: Thu0730521211247da.exe
          - Executes dropped EXE
          C:\Users\Admin\AppData\Local\Temp\11111.exe (PID 2432)
            command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
          C:\Users\Admin\AppData\Local\Temp\11111.exe (PID 2684)
            command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      C:\Windows\SysWOW64\cmd.exe (PID 1328)
        command line: C:\Windows\system32\cmd.exe /c Thu070f7f2b1c41c43.exe /mixtwo
        - Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu070f7f2b1c41c43.exe (PID 1284)
          command line: Thu070f7f2b1c41c43.exe /mixtwo
          - Executes dropped EXE
          - Loads dropped DLL
      C:\Windows\SysWOW64\cmd.exe (PID 1532)
        command line: C:\Windows\system32\cmd.exe /c Thu0747267ec544d.exe
        - Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu0747267ec544d.exe (PID 2024)
          command line: Thu0747267ec544d.exe
          - Executes dropped EXE
          - Loads dropped DLL
          C:\Users\Admin\Pictures\Adobe Films\ljZFPBpBKzSG0yxzK6p_qJn1.exe (PID 3056)
            command line: "C:\Users\Admin\Pictures\Adobe Films\ljZFPBpBKzSG0yxzK6p_qJn1.exe"
          C:\Windows\SysWOW64\WerFault.exe (PID 1364)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 1496
            - Program crash
      C:\Windows\SysWOW64\cmd.exe (PID 988)
        command line: C:\Windows\system32\cmd.exe /c Thu07d6a2267aa5.exe
        - Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07d6a2267aa5.exe (PID 960)
          command line: Thu07d6a2267aa5.exe
          - Executes dropped EXE
          - Loads dropped DLL
          C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07d6a2267aa5.exe (PID 3036)
            command line: C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07d6a2267aa5.exe
      C:\Windows\SysWOW64\cmd.exe (PID 1016)
        command line: C:\Windows\system32\cmd.exe /c Thu07e0c0ba7cb480.exe
        C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07e0c0ba7cb480.exe (PID 588)
          command line: Thu07e0c0ba7cb480.exe
          C:\Users\Admin\AppData\Local\Temp\is-OEGJ7.tmp\Thu07e0c0ba7cb480.tmp (PID 2068)
            command line: "C:\Users\Admin\AppData\Local\Temp\is-OEGJ7.tmp\Thu07e0c0ba7cb480.tmp" /SL5="$70116,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07e0c0ba7cb480.exe"
            C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07e0c0ba7cb480.exe (PID 2188)
              command line: "C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07e0c0ba7cb480.exe" /SILENT
              C:\Users\Admin\AppData\Local\Temp\is-CPK5K.tmp\Thu07e0c0ba7cb480.tmp (PID 2288)
                command line: "C:\Users\Admin\AppData\Local\Temp\is-CPK5K.tmp\Thu07e0c0ba7cb480.tmp" /SL5="$80116,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07e0c0ba7cb480.exe" /SILENT
                C:\Users\Admin\AppData\Local\Temp\is-MID62.tmp\windllhost.exe (PID 2988)
                  command line: "C:\Users\Admin\AppData\Local\Temp\is-MID62.tmp\windllhost.exe" 77
      C:\Windows\SysWOW64\cmd.exe (PID 1992)
        command line: C:\Windows\system32\cmd.exe /c Thu0778d670dee78.exe
        C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu0778d670dee78.exe (PID 1732)
          command line: Thu0778d670dee78.exe
          C:\Windows\SysWOW64\cmd.exe (PID 2576)
            command line: cmd.exe /c taskkill /f /im chrome.exe
            C:\Windows\SysWOW64\taskkill.exe (PID 2628)
              command line: taskkill /f /im chrome.exe
              - Kills process with taskkill
      C:\Windows\SysWOW64\cmd.exe (PID 864)
        command line: C:\Windows\system32\cmd.exe /c Thu0779f12e8f87b68dc.exe
        C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu0779f12e8f87b68dc.exe (PID 1724)
          command line: Thu0779f12e8f87b68dc.exe
          - Executes dropped EXE
      C:\Windows\SysWOW64\cmd.exe (PID 1964)
        command line: C:\Windows\system32\cmd.exe /c Thu0799abc000783e72.exe
        - Loads dropped DLL
        C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu0799abc000783e72.exe (PID 860)
          command line: Thu0799abc000783e72.exe
          - Executes dropped EXE
      C:\Windows\SysWOW64\cmd.exe (PID 1640)
        command line: C:\Windows\system32\cmd.exe /c Thu07a42530f6.exe
      C:\Windows\SysWOW64\cmd.exe (PID 1608)
        command line: C:\Windows\system32\cmd.exe /c Thu079dbbbe564.exe
        C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu079dbbbe564.exe (PID 1584)
          command line: Thu079dbbbe564.exe
          C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu079dbbbe564.exe (PID 3044)
            command line: C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu079dbbbe564.exe
          C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu079dbbbe564.exe (PID 864)
            command line: C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu079dbbbe564.exe
            - Loads dropped DLL
      C:\Windows\SysWOW64\cmd.exe (PID 932)
        command line: C:\Windows\system32\cmd.exe /c Thu07abc559d21e4.exe
        C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07abc559d21e4.exe (PID 1240)
          command line: Thu07abc559d21e4.exe
          C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07abc559d21e4.exe (PID 2004)
            command line: "C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07abc559d21e4.exe" -u
      C:\Windows\SysWOW64\cmd.exe (PID 1924)
        command line: C:\Windows\system32\cmd.exe /c Thu07cf5c06233.exe
        C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07cf5c06233.exe (PID 2208)
          command line: Thu07cf5c06233.exe
          C:\Windows\SysWOW64\msiexec.exe (PID 2924)
            command line: "C:\Windows\System32\msiexec.exe" /Y .\JaGbR.HX~
      C:\Windows\SysWOW64\cmd.exe (PID 1404)
        command line: C:\Windows\system32\cmd.exe /c Thu07801c76ea0b42113.exe
        C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07801c76ea0b42113.exe (PID 1160)
          command line: Thu07801c76ea0b42113.exe
          C:\Users\Admin\AppData\Local\b21aeee9-b86f-47e6-ae70-bcc093c8e804.exe (PID 1044)
            command line: "C:\Users\Admin\AppData\Local\b21aeee9-b86f-47e6-ae70-bcc093c8e804.exe"
          C:\Users\Admin\AppData\Local\7c571f56-a1aa-4b8e-ad96-427e71ff65f1.exe (PID 844)
            command line: "C:\Users\Admin\AppData\Local\7c571f56-a1aa-4b8e-ad96-427e71ff65f1.exe"
          C:\Users\Admin\AppData\Local\f7ab225c-2ed6-4f16-9233-94487b9560ca.exe (PID 2916)
            command line: "C:\Users\Admin\AppData\Local\f7ab225c-2ed6-4f16-9233-94487b9560ca.exe"
            C:\Users\Admin\AppData\Roaming\2058811.exe (PID 2840)
              command line: "C:\Users\Admin\AppData\Roaming\2058811.exe"
              C:\Windows\SysWOW64\msiexec.exe (PID 2696)
                command line: "C:\Windows\System32\msiexec.exe" /y .\N3RJBxU.i
      C:\Windows\SysWOW64\cmd.exe (PID 1560)
        command line: C:\Windows\system32\cmd.exe /c Thu070e73a5fc7b63.exe
        C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu070e73a5fc7b63.exe (PID 1236)
          command line: Thu070e73a5fc7b63.exe
      C:\Windows\SysWOW64\cmd.exe (PID 1676)
        command line: C:\Windows\system32\cmd.exe /c Thu07cb54ae4c.exe

C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07cb54ae4c.exe (PID 1700)
  command line: Thu07cb54ae4c.exe
  C:\Windows\SysWOW64\cmd.exe (PID 1716)
    command line: "C:\Windows\System32\cmd.exe" /c taskkill /im Thu07cb54ae4c.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu07cb54ae4c.exe" & del C:\ProgramData\*.dll & exit
    C:\Windows\SysWOW64\taskkill.exe (PID 1260)
      command line: taskkill /im Thu07cb54ae4c.exe /f
      - Kills process with taskkill
    C:\Windows\SysWOW64\timeout.exe (PID 2608)
      command line: timeout /t 6
      - Delays execution with timeout.exe

C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu070f7f2b1c41c43.exe (PID 2100)
  command line: Thu070f7f2b1c41c43.exe /mixtwo
  C:\Windows\SysWOW64\cmd.exe (PID 2480)
    command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "Thu070f7f2b1c41c43.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS857BDCA5\Thu070f7f2b1c41c43.exe" & exit
    C:\Windows\SysWOW64\taskkill.exe (PID 2516)
      command line: taskkill /im "Thu070f7f2b1c41c43.exe" /f
      - Kills process with taskkill

C:\Windows\system32\rundll32.exe (PID 2948)
  command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
  C:\Windows\SysWOW64\rundll32.exe (PID 2968)
    command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

C:\Windows\system32\svchost.exe (PID 788)
  command line: C:\Windows\system32\svchost.exe -k SystemNetworkService