Analysis
- max time kernel: 58s
- max time network: 97s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 25/12/2021, 21:22
- Static task: static1
General
- Target: a82b499dee9c2863b1f9991585e12291.exe
- Size: 6.3MB
- MD5: a82b499dee9c2863b1f9991585e12291
- SHA1: 52c930ed813c9d7a592e1bb2e912c20dcf063bf2
- SHA256: bcfa6e6fb8a5b32e164fd8a7b49d448e65482fae38fe17e48cc35cb6427a360e
- SHA512: 52c483347e652464da73110286cb81e01c5fb2ac9ba3ba38293f95f5a39d8dbd5706a196371fba07171fb77f52d055c0cee575a6d7debbe8f4bb5321a5b9e35f
Malware Config

Extracted: vidar
  49.2
  915
  https://mstdn.social/@kipriauk9
  https://qoto.org/@kipriauk8
  profile_id: 915

Extracted: redline
  media22ns
  65.108.69.168:13293

Extracted: redline
  userv1
  159.69.246.184:13127

Extracted: socelars
  http://www.biohazardgraphics.com/
Signatures

Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4396 | 2232 | rundll32.exe | 141

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (11 IoCs)
resource | yara_rule
behavioral2/memory/1884-290-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral2/memory/1036-291-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral2/memory/1884-296-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral2/memory/1036-293-0x000000000041932A-mapping.dmp | family_redline
behavioral2/memory/1884-292-0x0000000000419336-mapping.dmp | family_redline
behavioral2/memory/1036-298-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral2/memory/1884-300-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral2/memory/1036-301-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral2/memory/3576-350-0x0000000000D90000-0x0000000000F5D000-memory.dmp | family_redline
behavioral2/memory/3576-341-0x0000000000D90000-0x0000000000F5D000-memory.dmp | family_redline
behavioral2/memory/4428-460-0x0000000002560000-0x000000000258F000-memory.dmp | family_redline

Socelars Payload (2 IoCs)
resource | yara_rule
behavioral2/files/0x000800000001ab44-211.dat | family_socelars
behavioral2/files/0x000800000001ab44-158.dat | family_socelars

NirSoft WebBrowserPassView (3 IoCs)
Password recovery tool for various web browsers
resource | yara_rule
behavioral2/files/0x000500000001ab39-146.dat | WebBrowserPassView
behavioral2/files/0x000500000001ab39-157.dat | WebBrowserPassView
behavioral2/memory/1640-337-0x0000000000400000-0x000000000047C000-memory.dmp | WebBrowserPassView

Nirsoft (6 IoCs)
resource | yara_rule
behavioral2/files/0x000500000001ab39-146.dat | Nirsoft
behavioral2/files/0x000500000001ab39-157.dat | Nirsoft
behavioral2/files/0x000600000001ab2f-282.dat | Nirsoft
behavioral2/memory/2604-284-0x0000000000400000-0x0000000000455000-memory.dmp | Nirsoft
behavioral2/files/0x000600000001ab2f-283.dat | Nirsoft
behavioral2/memory/1640-337-0x0000000000400000-0x000000000047C000-memory.dmp | Nirsoft

Vidar Stealer (2 IoCs)
resource | yara_rule
behavioral2/memory/1248-286-0x0000000000400000-0x00000000008B0000-memory.dmp | family_vidar
behavioral2/memory/1248-279-0x0000000000DC0000-0x0000000000E95000-memory.dmp | family_vidar

aspack_v212_v242 (7 IoCs)
resource | yara_rule
behavioral2/files/0x000500000001ab2f-119.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab2f-122.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab2e-120.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab2e-125.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab2e-124.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab31-126.dat | aspack_v212_v242
behavioral2/files/0x000500000001ab31-127.dat | aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE (5 IoCs)
pid | Process
3152 | setup_install.exe
3580 | Thu097902373d066d7a.exe
1416 | Thu09813b41886381b3.exe
1224 | Thu09280ea08f6.exe
704 | Thu09d383b370e81ac13.exe

Loads dropped DLL (8 IoCs)
pid | Process
3152 | setup_install.exe (all 8 DLL loads)

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (5 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
57 | ipinfo.io
196 | ipinfo.io
198 | ipinfo.io
20 | ip-api.com
56 | ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (3 IoCs)
pid | Process
4124 | taskkill.exe
4220 | taskkill.exe
1016 | taskkill.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Indentation follows the process tree (children indented under their parent). Each entry gives the PID and image path, followed by its command line and any signature hits.

PID 2480  C:\Users\Admin\AppData\Local\Temp\a82b499dee9c2863b1f9991585e12291.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\a82b499dee9c2863b1f9991585e12291.exe"
  - Suspicious use of WriteProcessMemory
  PID 3152  C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\setup_install.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\setup_install.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID 3828  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      - Suspicious use of WriteProcessMemory
      PID 652  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
    PID 3360  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      - Suspicious use of WriteProcessMemory
      PID 2812  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    PID 3376  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c Thu097902373d066d7a.exe
      - Suspicious use of WriteProcessMemory
      PID 3580  C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\Thu097902373d066d7a.exe
        cmd: Thu097902373d066d7a.exe
        - Executes dropped EXE
        PID 1640  C:\Users\Admin\AppData\Local\Temp\11111.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    PID 1568  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c Thu09280ea08f6.exe
      - Suspicious use of WriteProcessMemory
      PID 1224  C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\Thu09280ea08f6.exe
        cmd: Thu09280ea08f6.exe
        - Executes dropped EXE
    PID 3508  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c Thu09da317d75c68.exe
      PID 1532  C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\Thu09da317d75c68.exe
        cmd: Thu09da317d75c68.exe
        PID 812  C:\Windows\SysWOW64\control.exe
          cmd: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\NG3RY.CPL",
    PID 2976  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c Thu090d5088a23.exe
      PID 2172  C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\Thu090d5088a23.exe
        cmd: Thu090d5088a23.exe
    PID 4008  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c Thu098e6c1c066.exe
      PID 4016  C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\Thu098e6c1c066.exe
        cmd: Thu098e6c1c066.exe
        PID 4712  C:\Users\Admin\Pictures\Adobe Films\G768lktOMYtb5Vr9xd4NCRju.exe
          cmd: "C:\Users\Admin\Pictures\Adobe Films\G768lktOMYtb5Vr9xd4NCRju.exe"
        PID 4252  C:\Users\Admin\Pictures\Adobe Films\CuRCHgjVPgpRMXt4LcE4mOds.exe
          cmd: "C:\Users\Admin\Pictures\Adobe Films\CuRCHgjVPgpRMXt4LcE4mOds.exe"
        PID 4192  C:\Users\Admin\Pictures\Adobe Films\OlkXcA5grLaR4NbazsSIWXLz.exe
          cmd: "C:\Users\Admin\Pictures\Adobe Films\OlkXcA5grLaR4NbazsSIWXLz.exe"
        PID 4644  C:\Users\Admin\Pictures\Adobe Films\PKJcqrs7skBc_78hXN8sAbHe.exe
          cmd: "C:\Users\Admin\Pictures\Adobe Films\PKJcqrs7skBc_78hXN8sAbHe.exe"
        PID 2128  C:\Users\Admin\Pictures\Adobe Films\rCohLfZTpaY8YIHsdSBvmmgK.exe
          cmd: "C:\Users\Admin\Pictures\Adobe Films\rCohLfZTpaY8YIHsdSBvmmgK.exe"
        PID 4128  C:\Users\Admin\Pictures\Adobe Films\kgLBNnFfVTwMYE1fyAiNC5cO.exe
          cmd: "C:\Users\Admin\Pictures\Adobe Films\kgLBNnFfVTwMYE1fyAiNC5cO.exe"
        PID 4436  C:\Users\Admin\Pictures\Adobe Films\T_HLJdslI8olVTjgKJQ4Ce6u.exe
          cmd: "C:\Users\Admin\Pictures\Adobe Films\T_HLJdslI8olVTjgKJQ4Ce6u.exe"
        PID 5104  C:\Users\Admin\Pictures\Adobe Films\nyn2GxyKVDBGtc4f9yKqgYdy.exe
          cmd: "C:\Users\Admin\Pictures\Adobe Films\nyn2GxyKVDBGtc4f9yKqgYdy.exe"
        PID 3560  C:\Users\Admin\Pictures\Adobe Films\gEXd0BXswtNiLDvg7cmJsmB6.exe
          cmd: "C:\Users\Admin\Pictures\Adobe Films\gEXd0BXswtNiLDvg7cmJsmB6.exe"
        PID 4420  C:\Users\Admin\Pictures\Adobe Films\oqAqFGpApuBhxSwnmNFBCBox.exe
          cmd: "C:\Users\Admin\Pictures\Adobe Films\oqAqFGpApuBhxSwnmNFBCBox.exe"
        PID 3588  C:\Users\Admin\Pictures\Adobe Films\dNaCouUcqPLXFpFKpapXpOv9.exe
          cmd: "C:\Users\Admin\Pictures\Adobe Films\dNaCouUcqPLXFpFKpapXpOv9.exe"
        PID 644  C:\Users\Admin\Pictures\Adobe Films\Rw476lKzeMZ5_LnA7gYWA8uk.exe
          cmd: "C:\Users\Admin\Pictures\Adobe Films\Rw476lKzeMZ5_LnA7gYWA8uk.exe"
        PID 5284  C:\Users\Admin\Pictures\Adobe Films\dai2eiyPHX7QWyhsDYUyteBZ.exe
          cmd: "C:\Users\Admin\Pictures\Adobe Films\dai2eiyPHX7QWyhsDYUyteBZ.exe"
        PID 5304  C:\Users\Admin\Pictures\Adobe Films\7ZfSTbikcUG1io8cffZ2rQF9.exe
          cmd: "C:\Users\Admin\Pictures\Adobe Films\7ZfSTbikcUG1io8cffZ2rQF9.exe"
        PID 5364  C:\Users\Admin\Pictures\Adobe Films\jTB2NnweM0CXWMJQdWfaMTcb.exe
          cmd: "C:\Users\Admin\Pictures\Adobe Films\jTB2NnweM0CXWMJQdWfaMTcb.exe"
        PID 5344  C:\Users\Admin\Pictures\Adobe Films\fGNeNPHPKcAxzYY1N75ZQtKF.exe
          cmd: "C:\Users\Admin\Pictures\Adobe Films\fGNeNPHPKcAxzYY1N75ZQtKF.exe"
        PID 5276  C:\Users\Admin\Pictures\Adobe Films\hOjqgsNbxJ2lSV9_UENC2ryy.exe
          cmd: "C:\Users\Admin\Pictures\Adobe Films\hOjqgsNbxJ2lSV9_UENC2ryy.exe"
        PID 5268  C:\Users\Admin\Pictures\Adobe Films\n1fypXcD2CzguSRblGRcu2kV.exe
          cmd: "C:\Users\Admin\Pictures\Adobe Films\n1fypXcD2CzguSRblGRcu2kV.exe"
        PID 5480  C:\Users\Admin\Pictures\Adobe Films\yrtiRsYZKNKWDxPtfr5cc7BE.exe
          cmd: "C:\Users\Admin\Pictures\Adobe Films\yrtiRsYZKNKWDxPtfr5cc7BE.exe"
        PID 5412  C:\Users\Admin\Pictures\Adobe Films\BHF2xAbDGwHZM6rAHPKCZ5Rj.exe
          cmd: "C:\Users\Admin\Pictures\Adobe Films\BHF2xAbDGwHZM6rAHPKCZ5Rj.exe"
        PID 5576  C:\Users\Admin\Pictures\Adobe Films\Bzx3eAQefiivgSAiboWi00JL.exe
          cmd: "C:\Users\Admin\Pictures\Adobe Films\Bzx3eAQefiivgSAiboWi00JL.exe"
        PID 5404  C:\Users\Admin\Pictures\Adobe Films\d4BgUgBr6aXlZnDTqfz0xYfv.exe
          cmd: "C:\Users\Admin\Pictures\Adobe Films\d4BgUgBr6aXlZnDTqfz0xYfv.exe"
        PID 5836  C:\Users\Admin\Pictures\Adobe Films\R9hwZ_Swp3YF_uUr5e3q6394.exe
          cmd: "C:\Users\Admin\Pictures\Adobe Films\R9hwZ_Swp3YF_uUr5e3q6394.exe"
        PID 5700  C:\Users\Admin\Pictures\Adobe Films\_ZZAaL4aXnlDItIT4qrgwHYG.exe
          cmd: "C:\Users\Admin\Pictures\Adobe Films\_ZZAaL4aXnlDItIT4qrgwHYG.exe"
    PID 1216  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c Thu09d363d30d3bc2c.exe
      PID 2092  C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\Thu09d363d30d3bc2c.exe
        cmd: Thu09d363d30d3bc2c.exe
        PID 1036  C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\Thu09d363d30d3bc2c.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\Thu09d363d30d3bc2c.exe
    PID 2352  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c Thu09dcf557d3d060f.exe
      PID 1380  C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\Thu09dcf557d3d060f.exe
        cmd: Thu09dcf557d3d060f.exe
    PID 2724  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c Thu093fc976065980.exe
      PID 1044  C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\Thu093fc976065980.exe
        cmd: Thu093fc976065980.exe
        PID 3640  C:\Windows\SysWOW64\control.exe
          cmd: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\NG3RY.CPL",
          PID 1100  C:\Windows\SysWOW64\rundll32.exe
            cmd: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\NG3RY.CPL",
            PID 3520  C:\Windows\system32\RunDll32.exe
              cmd: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\NG3RY.CPL",
    PID 1292  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c Thu091431ade7b72e2.exe /mixtwo
    PID 2360  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c Thu09db0c7d9e965e.exe
    PID 3264  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c Thu09b4267b2e4.exe
    PID 1076  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c Thu09284c81371.exe
    PID 1612  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c Thu09d383b370e81ac13.exe
      - Suspicious use of WriteProcessMemory
    PID 1504  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c Thu09e1aa1424.exe
    PID 3576  C:\Windows\SysWOW64\cmd.exe
      cmd: C:\Windows\system32\cmd.exe /c Thu09813b41886381b3.exe
      - Suspicious use of WriteProcessMemory

PID 704  C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\Thu09d383b370e81ac13.exe
  cmd: Thu09d383b370e81ac13.exe
  - Executes dropped EXE
  PID 3212  C:\Users\Admin\AppData\Local\Temp\is-GDASQ.tmp\Thu09d383b370e81ac13.tmp
    cmd: "C:\Users\Admin\AppData\Local\Temp\is-GDASQ.tmp\Thu09d383b370e81ac13.tmp" /SL5="$5005E,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\Thu09d383b370e81ac13.exe"
    PID 1336  C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\Thu09d383b370e81ac13.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\Thu09d383b370e81ac13.exe" /SILENT
      PID 1912  C:\Users\Admin\AppData\Local\Temp\is-UDTA8.tmp\Thu09d383b370e81ac13.tmp
        cmd: "C:\Users\Admin\AppData\Local\Temp\is-UDTA8.tmp\Thu09d383b370e81ac13.tmp" /SL5="$10216,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\Thu09d383b370e81ac13.exe" /SILENT
        PID 4112  C:\Users\Admin\AppData\Local\Temp\is-D428P.tmp\windllhost.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\is-D428P.tmp\windllhost.exe" 77

PID 1248  C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\Thu09284c81371.exe
  cmd: Thu09284c81371.exe
  PID 1640  C:\Windows\SysWOW64\cmd.exe
    cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im Thu09284c81371.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\Thu09284c81371.exe" & del C:\ProgramData\*.dll & exit
    PID 1016  C:\Windows\SysWOW64\taskkill.exe
      cmd: taskkill /im Thu09284c81371.exe /f
      - Kills process with taskkill

PID 3600  C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\Thu091431ade7b72e2.exe
  cmd: Thu091431ade7b72e2.exe /mixtwo
  PID 3584  C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\Thu091431ade7b72e2.exe
    cmd: Thu091431ade7b72e2.exe /mixtwo
    PID 4724  C:\Windows\SysWOW64\cmd.exe
      cmd: "C:\Windows\System32\cmd.exe" /c taskkill /im "Thu091431ade7b72e2.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\Thu091431ade7b72e2.exe" & exit
      PID 4220  C:\Windows\SysWOW64\taskkill.exe
        cmd: taskkill /im "Thu091431ade7b72e2.exe" /f
        - Kills process with taskkill

PID 1548  C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\Thu09db0c7d9e965e.exe
  cmd: Thu09db0c7d9e965e.exe
  PID 1280  C:\Users\Admin\AppData\Local\9fb462b3-34d2-489c-9203-a4430579e7b0.exe
    cmd: "C:\Users\Admin\AppData\Local\9fb462b3-34d2-489c-9203-a4430579e7b0.exe"
  PID 2960  C:\Users\Admin\AppData\Local\a8981651-e903-4455-964c-482cf3bf69db.exe
    cmd: "C:\Users\Admin\AppData\Local\a8981651-e903-4455-964c-482cf3bf69db.exe"
    PID 4544  C:\Users\Admin\AppData\Roaming\68799571\6879925968799259.exe
      cmd: "C:\Users\Admin\AppData\Roaming\68799571\6879925968799259.exe"
  PID 3576  C:\Users\Admin\AppData\Local\36cb54dd-3bcd-4b76-bca2-5689b0cbd9b9.exe
    cmd: "C:\Users\Admin\AppData\Local\36cb54dd-3bcd-4b76-bca2-5689b0cbd9b9.exe"
  PID 3180  C:\Users\Admin\AppData\Local\bc3304c9-2940-4cdf-b89b-34ae85269bcd.exe
    cmd: "C:\Users\Admin\AppData\Local\bc3304c9-2940-4cdf-b89b-34ae85269bcd.exe"
    PID 5096  C:\Users\Admin\AppData\Roaming\5176412.exe
      cmd: "C:\Users\Admin\AppData\Roaming\5176412.exe"
      PID 4264  C:\Windows\SysWOW64\msiexec.exe
        cmd: "C:\Windows\System32\msiexec.exe" /y .\LeVEJ.Q

PID 1884  C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\Thu09280ea08f6.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\Thu09280ea08f6.exe

PID 2604  C:\Users\Admin\AppData\Local\Temp\11111.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

PID 2796  C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\Thu09813b41886381b3.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\Thu09813b41886381b3.exe" -u

PID 1552  C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\Thu09e1aa1424.exe
  cmd: Thu09e1aa1424.exe
  PID 4616  C:\Windows\SysWOW64\cmd.exe
    cmd: cmd.exe /c taskkill /f /im chrome.exe
    PID 4124  C:\Windows\SysWOW64\taskkill.exe
      cmd: taskkill /f /im chrome.exe
      - Kills process with taskkill

PID 2324  C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\Thu09b4267b2e4.exe
  cmd: Thu09b4267b2e4.exe
  PID 1348  C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
    PID 3664  C:\Users\Admin\AppData\Local\Temp\mystnnewfile.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\mystnnewfile.exe"
    PID 2688  C:\Users\Admin\AppData\Local\Temp\RobCleanerInstll31827.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\RobCleanerInstll31827.exe"
      PID 4552  C:\Users\Admin\AppData\Local\15eb1bd5-2657-423f-9ba9-597be7927519.exe
        cmd: "C:\Users\Admin\AppData\Local\15eb1bd5-2657-423f-9ba9-597be7927519.exe"
      PID 2256  C:\Users\Admin\AppData\Local\f555bf5f-d932-44fe-8db9-de64ec9fc962.exe
        cmd: "C:\Users\Admin\AppData\Local\f555bf5f-d932-44fe-8db9-de64ec9fc962.exe"
      PID 3412  C:\Users\Admin\AppData\Local\4fdcb64f-b6a6-45d7-a076-0e4453e46488.exe
        cmd: "C:\Users\Admin\AppData\Local\4fdcb64f-b6a6-45d7-a076-0e4453e46488.exe"
      PID 5080  C:\Users\Admin\AppData\Local\fdf948ea-bf3b-4e9a-8353-294fe4a078dd.exe
        cmd: "C:\Users\Admin\AppData\Local\fdf948ea-bf3b-4e9a-8353-294fe4a078dd.exe"
      PID 4028  C:\Users\Admin\AppData\Local\3f6b2548-6be1-4130-9d69-a107a42b2ec9.exe
        cmd: "C:\Users\Admin\AppData\Local\3f6b2548-6be1-4130-9d69-a107a42b2ec9.exe"
        PID 5752  C:\Users\Admin\AppData\Roaming\5630625.exe
          cmd: "C:\Users\Admin\AppData\Roaming\5630625.exe"
    PID 4140  C:\Users\Admin\AppData\Local\Temp\inst.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\inst.exe"
    PID 4228  C:\Users\Admin\AppData\Local\Temp\compan.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\compan.exe"
      PID 4428  C:\Users\Admin\AppData\Local\Temp\Skype.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\Skype.exe
    PID 4340  C:\Users\Admin\AppData\Local\Temp\extension.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\extension.exe"
      PID 2196  C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        PID 3220  C:\Users\Admin\AppData\Local\Temp\tempfile.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\tempfile.exe"

PID 1416  C:\Users\Admin\AppData\Local\Temp\7zS0B9E7695\Thu09813b41886381b3.exe
  cmd: Thu09813b41886381b3.exe
  - Executes dropped EXE

PID 2496  C:\Windows\SysWOW64\rundll32.exe
  cmd: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\NG3RY.CPL",

PID 4396  C:\Windows\system32\rundll32.exe
  cmd: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
  PID 3232  C:\Windows\SysWOW64\rundll32.exe
    cmd: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global

PID 5584  C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k SystemNetworkService