Analysis
max time kernel: 31s
max time network: 176s
platform: windows7_x64
resource: win7-en-20211208
submitted: 23/12/2021, 13:28

Static task: static1

Behavioral task: behavioral1
Sample: 95a7c880a09ee1c63b433c8926ce65671e6609a70dcae0af7719622082079859.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 95a7c880a09ee1c63b433c8926ce65671e6609a70dcae0af7719622082079859.exe
Resource: win10-en-20211208
General
Target: 95a7c880a09ee1c63b433c8926ce65671e6609a70dcae0af7719622082079859.exe
Size: 9.9MB
MD5: d96604e6d61e59a0ada37d738dde3dec
SHA1: 79e674165810ae7861a8cb1e59230361da2a8f3a
SHA256: 95a7c880a09ee1c63b433c8926ce65671e6609a70dcae0af7719622082079859
SHA512: 8f9660bb9d6066e08e6cba581c4cfae7487536e6bfbbf1f3852145dc1dfe5900f79637812272c9e2117f638b70752f51dad3c80b1574193670b685e8a1124dde
Malware Config

Extracted: socelars
  http://www.biohazardgraphics.com/

Extracted: smokeloader
  2020
  http://rcacademy.at/upload/
  http://e-lanpengeonline.com/upload/
  http://vjcmvz.cn/upload/
  http://galala.ru/upload/
  http://witra.ru/upload/

Extracted: vidar
  49.2
  915
  https://mstdn.social/@kipriauk9
  https://qoto.org/@kipriauk8
  profile_id: 915

Extracted: redline
  v3user1
  159.69.246.184:13127
Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2368 | 2932 | rundll32.exe | 80
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 3 IoCs
resource | yara_rule
behavioral1/memory/1200-336-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/1200-335-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/1200-333-0x0000000000419336-mapping.dmp | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload 1 IoCs
resource | yara_rule
behavioral1/files/0x0007000000012205-146.dat | family_socelars
suricata: ET MALWARE GCleaner Downloader Activity M5

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
NirSoft WebBrowserPassView 3 IoCs
Password recovery tool for various web browsers
resource | yara_rule
behavioral1/files/0x000700000001220f-121.dat | WebBrowserPassView
behavioral1/files/0x000700000001220f-184.dat | WebBrowserPassView
behavioral1/files/0x000700000001220f-169.dat | WebBrowserPassView

Nirsoft 4 IoCs
resource | yara_rule
behavioral1/files/0x000700000001220f-121.dat | Nirsoft
behavioral1/files/0x000700000001220f-184.dat | Nirsoft
behavioral1/files/0x000700000001220f-169.dat | Nirsoft
behavioral1/memory/2360-240-0x0000000000400000-0x0000000000455000-memory.dmp | Nirsoft

Vidar Stealer 2 IoCs
resource | yara_rule
behavioral1/memory/1028-280-0x0000000000400000-0x000000000053E000-memory.dmp | family_vidar
behavioral1/memory/1028-281-0x0000000001E30000-0x0000000001F05000-memory.dmp | family_vidar

resource | yara_rule
behavioral1/files/0x00070000000121ed-71.dat | aspack_v212_v242
behavioral1/files/0x00070000000121ed-72.dat | aspack_v212_v242
behavioral1/files/0x00070000000121ec-73.dat | aspack_v212_v242
behavioral1/files/0x00070000000121ec-74.dat | aspack_v212_v242
behavioral1/files/0x00070000000121ef-78.dat | aspack_v212_v242
behavioral1/files/0x00070000000121ef-77.dat | aspack_v212_v242
Downloads MZ/PE file

Executes dropped EXE 2 IoCs
pid | Process
576 | setup_installer.exe
560 | setup_install.exe

Loads dropped DLL 16 IoCs
pid | Process
1388 | 95a7c880a09ee1c63b433c8926ce65671e6609a70dcae0af7719622082079859.exe
576 | setup_installer.exe
576 | setup_installer.exe
576 | setup_installer.exe
576 | setup_installer.exe
576 | setup_installer.exe
576 | setup_installer.exe
560 | setup_install.exe
560 | setup_install.exe
560 | setup_install.exe
560 | setup_install.exe
560 | setup_install.exe
560 | setup_install.exe
560 | setup_install.exe
560 | setup_install.exe
844 | cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
16 | ip-api.com
35 | ipinfo.io
36 | ipinfo.io
45 | ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 2 IoCs
pid | pid_target | Process | procid_target
2684 | 572 | WerFault.exe | 54
2008 | 1576 | WerFault.exe | 51
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1388 wrote to memory of 576 | 1388 | 95a7c880a09ee1c63b433c8926ce65671e6609a70dcae0af7719622082079859.exe | 27
PID 1388 wrote to memory of 576 | 1388 | 95a7c880a09ee1c63b433c8926ce65671e6609a70dcae0af7719622082079859.exe | 27
PID 1388 wrote to memory of 576 | 1388 | 95a7c880a09ee1c63b433c8926ce65671e6609a70dcae0af7719622082079859.exe | 27
PID 1388 wrote to memory of 576 | 1388 | 95a7c880a09ee1c63b433c8926ce65671e6609a70dcae0af7719622082079859.exe | 27
PID 1388 wrote to memory of 576 | 1388 | 95a7c880a09ee1c63b433c8926ce65671e6609a70dcae0af7719622082079859.exe | 27
PID 1388 wrote to memory of 576 | 1388 | 95a7c880a09ee1c63b433c8926ce65671e6609a70dcae0af7719622082079859.exe | 27
PID 1388 wrote to memory of 576 | 1388 | 95a7c880a09ee1c63b433c8926ce65671e6609a70dcae0af7719622082079859.exe | 27
PID 576 wrote to memory of 560 | 576 | setup_installer.exe | 28
PID 576 wrote to memory of 560 | 576 | setup_installer.exe | 28
PID 576 wrote to memory of 560 | 576 | setup_installer.exe | 28
PID 576 wrote to memory of 560 | 576 | setup_installer.exe | 28
PID 576 wrote to memory of 560 | 576 | setup_installer.exe | 28
PID 576 wrote to memory of 560 | 576 | setup_installer.exe | 28
PID 576 wrote to memory of 560 | 576 | setup_installer.exe | 28
PID 560 wrote to memory of 672 | 560 | setup_install.exe | 30
PID 560 wrote to memory of 672 | 560 | setup_install.exe | 30
PID 560 wrote to memory of 672 | 560 | setup_install.exe | 30
PID 560 wrote to memory of 672 | 560 | setup_install.exe | 30
PID 560 wrote to memory of 672 | 560 | setup_install.exe | 30
PID 560 wrote to memory of 672 | 560 | setup_install.exe | 30
PID 560 wrote to memory of 672 | 560 | setup_install.exe | 30
PID 560 wrote to memory of 1916 | 560 | setup_install.exe | 31
PID 560 wrote to memory of 1916 | 560 | setup_install.exe | 31
PID 560 wrote to memory of 1916 | 560 | setup_install.exe | 31
PID 560 wrote to memory of 1916 | 560 | setup_install.exe | 31
PID 560 wrote to memory of 1916 | 560 | setup_install.exe | 31
PID 560 wrote to memory of 1916 | 560 | setup_install.exe | 31
PID 560 wrote to memory of 1916 | 560 | setup_install.exe | 31
PID 560 wrote to memory of 1176 | 560 | setup_install.exe | 32
PID 560 wrote to memory of 1176 | 560 | setup_install.exe | 32
PID 560 wrote to memory of 1176 | 560 | setup_install.exe | 32
PID 560 wrote to memory of 1176 | 560 | setup_install.exe | 32
PID 560 wrote to memory of 1176 | 560 | setup_install.exe | 32
PID 560 wrote to memory of 1176 | 560 | setup_install.exe | 32
PID 560 wrote to memory of 1176 | 560 | setup_install.exe | 32
PID 560 wrote to memory of 844 | 560 | setup_install.exe | 33
PID 560 wrote to memory of 844 | 560 | setup_install.exe | 33
PID 560 wrote to memory of 844 | 560 | setup_install.exe | 33
PID 560 wrote to memory of 844 | 560 | setup_install.exe | 33
PID 560 wrote to memory of 844 | 560 | setup_install.exe | 33
PID 560 wrote to memory of 844 | 560 | setup_install.exe | 33
PID 560 wrote to memory of 844 | 560 | setup_install.exe | 33
PID 560 wrote to memory of 1552 | 560 | setup_install.exe | 34
PID 560 wrote to memory of 1552 | 560 | setup_install.exe | 34
PID 560 wrote to memory of 1552 | 560 | setup_install.exe | 34
PID 560 wrote to memory of 1552 | 560 | setup_install.exe | 34
PID 560 wrote to memory of 1552 | 560 | setup_install.exe | 34
PID 560 wrote to memory of 1552 | 560 | setup_install.exe | 34
PID 560 wrote to memory of 1552 | 560 | setup_install.exe | 34
PID 560 wrote to memory of 1632 | 560 | setup_install.exe | 35
PID 560 wrote to memory of 1632 | 560 | setup_install.exe | 35
PID 560 wrote to memory of 1632 | 560 | setup_install.exe | 35
PID 560 wrote to memory of 1632 | 560 | setup_install.exe | 35
PID 560 wrote to memory of 1632 | 560 | setup_install.exe | 35
PID 560 wrote to memory of 1632 | 560 | setup_install.exe | 35
PID 560 wrote to memory of 1632 | 560 | setup_install.exe | 35
PID 560 wrote to memory of 536 | 560 | setup_install.exe | 36
PID 560 wrote to memory of 536 | 560 | setup_install.exe | 36
PID 560 wrote to memory of 536 | 560 | setup_install.exe | 36
PID 560 wrote to memory of 536 | 560 | setup_install.exe | 36
PID 560 wrote to memory of 536 | 560 | setup_install.exe | 36
PID 560 wrote to memory of 536 | 560 | setup_install.exe | 36
PID 560 wrote to memory of 536 | 560 | setup_install.exe | 36
PID 560 wrote to memory of 296 | 560 | setup_install.exe | 37
Processes
[1] C:\Users\Admin\AppData\Local\Temp\95a7c880a09ee1c63b433c8926ce65671e6609a70dcae0af7719622082079859.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\95a7c880a09ee1c63b433c8926ce65671e6609a70dcae0af7719622082079859.exe"
    PID: 1388
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      Command: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      PID: 576
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\7zS04280D56\setup_install.exe
        Command: "C:\Users\Admin\AppData\Local\Temp\7zS04280D56\setup_install.exe"
        PID: 560
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          PID: 672
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            PID: 752
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          PID: 1916
        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            PID: 476
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c Wed163cde2f33.exe
          PID: 1176
        [5] C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed163cde2f33.exe
            Command: Wed163cde2f33.exe
            PID: 1680
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c Wed16814b15e2bbe.exe
          PID: 844
          - Loads dropped DLL
        [5] C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed16814b15e2bbe.exe
            Command: Wed16814b15e2bbe.exe
            PID: 1576
          [6] C:\Users\Admin\Pictures\Adobe Films\N2JfxhFkdu55oaTtWRS_tvC4.exe
              Command: "C:\Users\Admin\Pictures\Adobe Films\N2JfxhFkdu55oaTtWRS_tvC4.exe"
              PID: 2616
          [6] C:\Windows\SysWOW64\WerFault.exe
              Command: C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 1200
              PID: 2008
              - Program crash
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c Wed16c449cf8eaf38a8.exe
          PID: 1552
        [5] C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed16c449cf8eaf38a8.exe
            Command: Wed16c449cf8eaf38a8.exe
            PID: 1272
          [6] C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed16c449cf8eaf38a8.exe
              Command: "C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed16c449cf8eaf38a8.exe" -u
              PID: 2060
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c Wed16b7f58bed.exe
          PID: 1632
        [5] C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed16b7f58bed.exe
            Command: Wed16b7f58bed.exe
            PID: 1028
          [6] C:\Windows\SysWOW64\cmd.exe
              Command: "C:\Windows\System32\cmd.exe" /c taskkill /im Wed16b7f58bed.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed16b7f58bed.exe" & del C:\ProgramData\*.dll & exit
              PID: 2832
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c Wed161aa00221.exe /mixtwo
          PID: 536
        [5] C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed161aa00221.exe
            Command: Wed161aa00221.exe /mixtwo
            PID: 776
          [6] C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed161aa00221.exe
              Command: Wed161aa00221.exe /mixtwo
              PID: 1716
            [7] C:\Windows\SysWOW64\cmd.exe
                Command: "C:\Windows\System32\cmd.exe" /c taskkill /im "Wed161aa00221.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed161aa00221.exe" & exit
                PID: 2436
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c Wed16c0128f84198.exe
          PID: 296
        [5] C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed16c0128f84198.exe
            Command: Wed16c0128f84198.exe
            PID: 1160
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c Wed168409f03a6ee66.exe
          PID: 1708
        [5] C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed168409f03a6ee66.exe
            Command: Wed168409f03a6ee66.exe
            PID: 2020
          [6] C:\Users\Admin\AppData\Local\Temp\11111.exe
              Command: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              PID: 2360
          [6] C:\Users\Admin\AppData\Local\Temp\11111.exe
              Command: C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              PID: 2576
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c Wed16430a6d225.exe
          PID: 1812
        [5] C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed16430a6d225.exe
            Command: Wed16430a6d225.exe
            PID: 1872
          [6] C:\Users\Admin\AppData\Local\Temp\is-99QOR.tmp\Wed16430a6d225.tmp
              Command: "C:\Users\Admin\AppData\Local\Temp\is-99QOR.tmp\Wed16430a6d225.tmp" /SL5="$101AC,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed16430a6d225.exe"
              PID: 2304
            [7] C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed16430a6d225.exe
                Command: "C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed16430a6d225.exe" /SILENT
                PID: 2532
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c Wed167ce42a0c123f.exe
          PID: 2012
        [5] C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed167ce42a0c123f.exe
            Command: Wed167ce42a0c123f.exe
            PID: 1104
          [6] C:\Windows\SysWOW64\control.exe
              Command: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\SL4L.cpL",
              PID: 2648
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c Wed163ae772fc.exe
          PID: 1728
        [5] C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed163ae772fc.exe
            Command: Wed163ae772fc.exe
            PID: 1328
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c Wed160ef4d04d0cf6.exe
          PID: 704
        [5] C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed160ef4d04d0cf6.exe
            Command: Wed160ef4d04d0cf6.exe
            PID: 1560
          [6] C:\Users\Admin\AppData\Local\08e40df3-d53f-45a2-9482-35fb9e7a02f6.exe
              Command: "C:\Users\Admin\AppData\Local\08e40df3-d53f-45a2-9482-35fb9e7a02f6.exe"
              PID: 1160
          [6] C:\Users\Admin\AppData\Local\058c205f-2194-4da7-b331-31291c4c13b0.exe
              Command: "C:\Users\Admin\AppData\Local\058c205f-2194-4da7-b331-31291c4c13b0.exe"
              PID: 1752
          [6] C:\Users\Admin\AppData\Local\c26ced59-2641-4c26-a2ba-482af09e65b9.exe
              Command: "C:\Users\Admin\AppData\Local\c26ced59-2641-4c26-a2ba-482af09e65b9.exe"
              PID: 1760
            [7] C:\Users\Admin\AppData\Roaming\8149433.exe
                Command: "C:\Users\Admin\AppData\Roaming\8149433.exe"
                PID: 2516
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c Wed16693e79560dd.exe
          PID: 1620
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c Wed16a36d1f6f23.exe
          PID: 1772
        [5] C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed16a36d1f6f23.exe
            Command: Wed16a36d1f6f23.exe
            PID: 2036
          [6] C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed16a36d1f6f23.exe
              Command: C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed16a36d1f6f23.exe
              PID: 1520
          [6] C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed16a36d1f6f23.exe
              Command: C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed16a36d1f6f23.exe
              PID: 2504
          [6] C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed16a36d1f6f23.exe
              Command: C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed16a36d1f6f23.exe
              PID: 1544
          [6] C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed16a36d1f6f23.exe
              Command: C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed16a36d1f6f23.exe
              PID: 1200
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c Wed16d53730fd5435.exe
          PID: 1388
        [5] C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed16d53730fd5435.exe
            Command: Wed16d53730fd5435.exe
            PID: 572
          [6] C:\Users\Admin\Pictures\Adobe Films\nXGZUCM2qRHfSBm36eonDETg.exe
              Command: "C:\Users\Admin\Pictures\Adobe Films\nXGZUCM2qRHfSBm36eonDETg.exe"
              PID: 556
          [6] C:\Windows\SysWOW64\WerFault.exe
              Command: C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 1480
              PID: 2684
              - Program crash
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c Wed16d7a95b10861.exe
          PID: 976
        [5] C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed16d7a95b10861.exe
            Command: Wed16d7a95b10861.exe
            PID: 668
          [6] C:\Windows\SysWOW64\control.exe
              Command: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\nQBIF.cPl",
              PID: 2660
            [7] C:\Windows\SysWOW64\rundll32.exe
                Command: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\nQBIF.cPl",
                PID: 2724
              [8] C:\Windows\system32\RunDll32.exe
                  Command: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\nQBIF.cPl",
                  PID: 2152
      [4] C:\Windows\SysWOW64\cmd.exe
          Command: C:\Windows\system32\cmd.exe /c Wed1645070e75.exe
          PID: 1116
        [5] C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed1645070e75.exe
            Command: Wed1645070e75.exe
            PID: 632
          [6] C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed1645070e75.exe
              Command: C:\Users\Admin\AppData\Local\Temp\7zS04280D56\Wed1645070e75.exe
              PID: 1656

[1] C:\Windows\SysWOW64\rundll32.exe
    Command: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\SL4L.cpL",
    PID: 2716

[1] C:\Windows\system32\rundll32.exe
    Command: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    PID: 2368
    - Process spawned unexpected child process
  [2] C:\Windows\SysWOW64\rundll32.exe
      Command: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
      PID: 1408

[1] C:\Windows\system32\svchost.exe
    Command: C:\Windows\system32\svchost.exe -k SystemNetworkService
    PID: 2852

[1] C:\Windows\SysWOW64\rundll32.exe
    Command: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\nQBIF.cPl",
    PID: 2268