Analysis
max time kernel: 17s
max time network: 151s
platform: windows7_x64
resource: win7-en-20211208
submitted: 26/12/2021, 06:26
Static task: static1
Behavioral task: behavioral1
Sample: a15fcb15ff8d0824099fe99986c3425f.exe
Resource: win7-en-20211208
General
Target: a15fcb15ff8d0824099fe99986c3425f.exe
Size: 6.3MB
MD5: a15fcb15ff8d0824099fe99986c3425f
SHA1: b041d309bcb43b100d7f93a99ad43e8725413ceb
SHA256: a8608c25f43dcab1c8501cb89b796d75b94a0abd260d3cee39a7e56e889326d6
SHA512: 1ed23bdf6a454d8dc36abdbdc76eff61c79e0b25970cf98cea71e4873bb417594870ff5500cb0595abb6c3dbb9b451ad92e6e05ba1eedbe9f03f5edf36f73f45
Malware Config
Extracted: socelars
  http://www.biohazardgraphics.com/
Extracted: vidar
  49.2
  915
  https://mstdn.social/@kipriauk9
  https://qoto.org/@kipriauk8
  profile_id: 915
Extracted: redline
  media22ns
  65.108.69.168:13293
Extracted: redline
  userv1
  159.69.246.184:13127
Signatures
Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2848 | 2636 | rundll32.exe | 73
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload (6 IoCs)
resource | yara_rule
behavioral1/memory/2388-288-0x0000000000419336-mapping.dmp | family_redline
behavioral1/memory/1588-287-0x000000000041932A-mapping.dmp | family_redline
behavioral1/memory/2388-292-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/1588-293-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/2388-294-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/1588-295-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
Socelars Payload (3 IoCs)
resource | yara_rule
behavioral1/files/0x0006000000013292-120.dat | family_socelars
behavioral1/files/0x0006000000013292-169.dat | family_socelars
behavioral1/files/0x0006000000013292-173.dat | family_socelars
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
NirSoft WebBrowserPassView (1 IoCs)
Password recovery tool for various web browsers
resource | yara_rule
behavioral1/files/0x0006000000013919-178.dat | WebBrowserPassView
Nirsoft (1 IoCs)
resource | yara_rule
behavioral1/files/0x0006000000013919-178.dat | Nirsoft
Vidar Stealer (2 IoCs)
resource | yara_rule
behavioral1/memory/812-259-0x00000000022D0000-0x00000000023A5000-memory.dmp | family_vidar
behavioral1/memory/812-260-0x0000000000400000-0x00000000008B0000-memory.dmp | family_vidar
resource | yara_rule
behavioral1/files/0x0006000000013075-62.dat | aspack_v212_v242
behavioral1/files/0x000600000001303f-64.dat | aspack_v212_v242
behavioral1/files/0x0006000000013075-63.dat | aspack_v212_v242
behavioral1/files/0x000600000001303f-65.dat | aspack_v212_v242
behavioral1/files/0x00060000000130ff-68.dat | aspack_v212_v242
behavioral1/files/0x00060000000130ff-69.dat | aspack_v212_v242
Downloads MZ/PE file
Executes dropped EXE (19 IoCs)
pid | Process
524 | setup_install.exe
1352 | Thu1185ccb71be14d.exe
908 | Thu11e9a815c8cbb1a.exe
1760 | Thu11905232b5734.exe
784 | Thu11d4773c01d6f0.exe
812 | Thu115efe21f1a89d5.exe
1364 | Thu1179364c94e82.exe
2036 | Thu110155a356f.exe
2020 | Thu1185475076e48cb16.exe
1060 | Thu111723557c117162.exe
1268 | Thu11a637868f8aa.exe
1076 | Thu11cf387a29397511.exe
1704 | Thu11f106a00ed17759.exe
940 | Thu11f7717aa35a4ea.exe
1480 | Thu11cf387a29397511.exe
1912 | Thu11307f0493.exe
548 | Thu11a637868f8aa.exe
2176 | Thu11307f0493.tmp
2276 | Thu11307f0493.exe
Loads dropped DLL (64 IoCs)
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
51 | ipinfo.io
52 | ipinfo.io
53 | ipinfo.io
104 | ip-api.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 1076 set thread context of 1480 | 1076 | Thu11cf387a29397511.exe | 61
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (2 IoCs)
pid | pid_target | Process | procid_target
2824 | 1352 | WerFault.exe | 38
2864 | 908 | WerFault.exe | 45
Delays execution with timeout.exe (1 IoCs)
pid | Process
2096 | timeout.exe
Kills process with taskkill (3 IoCs)
pid | Process
2504 | taskkill.exe
2956 | taskkill.exe
2904 | taskkill.exe
Script User-Agent (1 IoCs)
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 16 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious use of AdjustPrivilegeToken (34 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\a15fcb15ff8d0824099fe99986c3425f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a15fcb15ff8d0824099fe99986c3425f.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 980
  [2] C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\setup_install.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\setup_install.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 524
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        - Suspicious use of WriteProcessMemory
        PID: 1120
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          PID: 1284
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        - Suspicious use of WriteProcessMemory
        PID: 1192
      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          PID: 1332
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Thu1185475076e48cb16.exe
        - Loads dropped DLL
        PID: 1216
      [4] C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\Thu1185475076e48cb16.exe
          Command line: Thu1185475076e48cb16.exe
          - Executes dropped EXE
          - Loads dropped DLL
          PID: 2020
        [5] C:\Windows\SysWOW64\msiexec.exe
            Command line: "C:\Windows\System32\msiexec.exe" /y .\62XW.NZd
            - Loads dropped DLL
            PID: 1856
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Thu1185ccb71be14d.exe
        - Loads dropped DLL
        PID: 1512
      [4] C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\Thu1185ccb71be14d.exe
          Command line: Thu1185ccb71be14d.exe
          - Executes dropped EXE
          - Loads dropped DLL
          PID: 1352
        [5] C:\Users\Admin\Pictures\Adobe Films\EHrS_rPTs7P3yEhhKtzByFOn.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\EHrS_rPTs7P3yEhhKtzByFOn.exe"
            PID: 2180
        [5] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 1556
            - Program crash
            PID: 2824
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Thu115efe21f1a89d5.exe
        - Loads dropped DLL
        PID: 860
      [4] C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\Thu115efe21f1a89d5.exe
          Command line: Thu115efe21f1a89d5.exe
          - Executes dropped EXE
          - Loads dropped DLL
          PID: 812
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im Thu115efe21f1a89d5.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\Thu115efe21f1a89d5.exe" & del C:\ProgramData\*.dll & exit
            PID: 2664
          [6] C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /im Thu115efe21f1a89d5.exe /f
              - Kills process with taskkill
              PID: 2904
          [6] C:\Windows\SysWOW64\timeout.exe
              Command line: timeout /t 6
              - Delays execution with timeout.exe
              PID: 2096
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Thu11d4773c01d6f0.exe
        - Loads dropped DLL
        PID: 1148
      [4] C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\Thu11d4773c01d6f0.exe
          Command line: Thu11d4773c01d6f0.exe
          - Executes dropped EXE
          - Loads dropped DLL
          PID: 784
        [5] C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\Thu11d4773c01d6f0.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\Thu11d4773c01d6f0.exe
            PID: 1588
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Thu11e9a815c8cbb1a.exe
        - Loads dropped DLL
        PID: 840
      [4] C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\Thu11e9a815c8cbb1a.exe
          Command line: Thu11e9a815c8cbb1a.exe
          - Executes dropped EXE
          - Loads dropped DLL
          PID: 908
        [5] C:\Users\Admin\Pictures\Adobe Films\EHrS_rPTs7P3yEhhKtzByFOn.exe
            Command line: "C:\Users\Admin\Pictures\Adobe Films\EHrS_rPTs7P3yEhhKtzByFOn.exe"
            PID: 2244
        [5] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 1524
            - Program crash
            PID: 2864
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Thu111723557c117162.exe
        - Loads dropped DLL
        PID: 1720
      [4] C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\Thu111723557c117162.exe
          Command line: Thu111723557c117162.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
          PID: 1060
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd.exe /c taskkill /f /im chrome.exe
            PID: 2692
          [6] C:\Windows\SysWOW64\taskkill.exe
              Command line: taskkill /f /im chrome.exe
              - Kills process with taskkill
              PID: 2956
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Thu11905232b5734.exe
        - Loads dropped DLL
        PID: 1156
      [4] C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\Thu11905232b5734.exe
          Command line: Thu11905232b5734.exe
          - Executes dropped EXE
          PID: 1760
        [5] C:\Users\Admin\AppData\Local\9a33bcb3-9ffc-4acd-9758-28b9fda1919e.exe
            Command line: "C:\Users\Admin\AppData\Local\9a33bcb3-9ffc-4acd-9758-28b9fda1919e.exe"
            PID: 1228
        [5] C:\Users\Admin\AppData\Local\3d556e84-9347-47d3-b652-19305515e7d8.exe
            Command line: "C:\Users\Admin\AppData\Local\3d556e84-9347-47d3-b652-19305515e7d8.exe"
            PID: 1952
          [6] C:\Users\Admin\AppData\Roaming\42759838\5803443758034437.exe
              Command line: "C:\Users\Admin\AppData\Roaming\42759838\5803443758034437.exe"
              PID: 1316
        [5] C:\Users\Admin\AppData\Local\81ee4d8c-f0d6-4c27-9733-7e467a6da901.exe
            Command line: "C:\Users\Admin\AppData\Local\81ee4d8c-f0d6-4c27-9733-7e467a6da901.exe"
            PID: 1004
        [5] C:\Users\Admin\AppData\Local\f6425540-15f4-430e-9510-fa3eb448e801.exe
            Command line: "C:\Users\Admin\AppData\Local\f6425540-15f4-430e-9510-fa3eb448e801.exe"
            PID: 2192
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Thu110155a356f.exe
        - Loads dropped DLL
        PID: 868
      [4] C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\Thu110155a356f.exe
          Command line: Thu110155a356f.exe
          - Executes dropped EXE
          - Loads dropped DLL
          PID: 2036
        [5] C:\Windows\SysWOW64\msiexec.exe
            Command line: "C:\Windows\System32\msiexec.exe" /y .\62XW.NZd
            PID: 2220
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Thu1179364c94e82.exe
        - Loads dropped DLL
        PID: 108
      [4] C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\Thu1179364c94e82.exe
          Command line: Thu1179364c94e82.exe
          - Executes dropped EXE
          PID: 1364
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Thu11cf387a29397511.exe /mixtwo
        - Loads dropped DLL
        PID: 1428
      [4] C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\Thu11cf387a29397511.exe
          Command line: Thu11cf387a29397511.exe /mixtwo
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          PID: 1076
        [5] C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\Thu11cf387a29397511.exe
            Command line: Thu11cf387a29397511.exe /mixtwo
            - Executes dropped EXE
            - Loads dropped DLL
            PID: 1480
          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "Thu11cf387a29397511.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\Thu11cf387a29397511.exe" & exit
              PID: 2432
            [7] C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill /im "Thu11cf387a29397511.exe" /f
                - Kills process with taskkill
                PID: 2504
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Thu11a637868f8aa.exe
        - Loads dropped DLL
        PID: 1716
      [4] C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\Thu11a637868f8aa.exe
          Command line: Thu11a637868f8aa.exe
          - Executes dropped EXE
          - Loads dropped DLL
          PID: 1268
        [5] C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\Thu11a637868f8aa.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\Thu11a637868f8aa.exe" -u
            - Executes dropped EXE
            - Loads dropped DLL
            PID: 548
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Thu11f7717aa35a4ea.exe
        - Loads dropped DLL
        PID: 1492
      [4] C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\Thu11f7717aa35a4ea.exe
          Command line: Thu11f7717aa35a4ea.exe
          - Executes dropped EXE
          - Loads dropped DLL
          PID: 940
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Thu11f281fb2df.exe
        PID: 1136
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Thu11307f0493.exe
        - Loads dropped DLL
        PID: 836
      [4] C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\Thu11307f0493.exe
          Command line: Thu11307f0493.exe
          - Executes dropped EXE
          - Loads dropped DLL
          PID: 1912
        [5] C:\Users\Admin\AppData\Local\Temp\is-FL20K.tmp\Thu11307f0493.tmp
            Command line: "C:\Users\Admin\AppData\Local\Temp\is-FL20K.tmp\Thu11307f0493.tmp" /SL5="$20162,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\Thu11307f0493.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            PID: 2176
          [6] C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\Thu11307f0493.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\Thu11307f0493.exe" /SILENT
              - Executes dropped EXE
              PID: 2276
            [7] C:\Users\Admin\AppData\Local\Temp\is-0DHUM.tmp\Thu11307f0493.tmp
                Command line: "C:\Users\Admin\AppData\Local\Temp\is-0DHUM.tmp\Thu11307f0493.tmp" /SL5="$30162,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\Thu11307f0493.exe" /SILENT
                PID: 2384
              [8] C:\Users\Admin\AppData\Local\Temp\is-0NHF1.tmp\windllhost.exe
                  Command line: "C:\Users\Admin\AppData\Local\Temp\is-0NHF1.tmp\windllhost.exe" 77
                  PID: 2796
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c Thu11f106a00ed17759.exe
        - Loads dropped DLL
        PID: 1116
      [4] C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\Thu11f106a00ed17759.exe
          Command line: Thu11f106a00ed17759.exe
          - Executes dropped EXE
          - Loads dropped DLL
          PID: 1704
        [5] C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\Thu11f106a00ed17759.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\7zS4D3271B5\Thu11f106a00ed17759.exe
            PID: 2388
[1] C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    - Process spawned unexpected child process
    PID: 2848
  [2] C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
      PID: 2868
[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k SystemNetworkService
    PID: 3016