redline | 022fc71a6661ab3d6efc0f7d3e560a05cceb22b31081e7cb5d882b01921d5e38

Analysis

max time kernel
6s
max time network
152s
platform
windows10_x64
resource
win10-en
submitted
05-09-2021 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14644CC2D4377E98E15DA8E998EE6B54.exe
Size

4.6MB
MD5

14644cc2d4377e98e15da8e998ee6b54
SHA1

c5c38e0c6df24bb414081d9221bf0e300a823c9c
SHA256

022fc71a6661ab3d6efc0f7d3e560a05cceb22b31081e7cb5d882b01921d5e38
SHA512

8f0e8377d373f40de089122c125de9228903fb300ed8ad303d62c7a8289e0628361f55996fc58f04456c431990a8a845e30d7c0054982a47d808b4e5c95034e2

Score

10^/10

redline vidar 706 937 aspackv2 infostealer stealer suricata

Malware Config

Extracted

Family

vidar

Version

40.3

Botnet

706

https://lenko349.tumblr.com/

Attributes

profile_id
706

Extracted

Family

vidar

Version

40.4

Botnet

937

https://romkaxarit.tumblr.com/

Attributes

profile_id
937

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6016	3728	rundll32.exe	12
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6308	3728	rundll32.exe	12

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

resource	yara_rule
behavioral2/memory/3400-297-0x00000000052D0000-0x00000000052FE000-memory.dmp	family_redline
behavioral2/memory/4172-311-0x0000000003B80000-0x0000000003B9F000-memory.dmp	family_redline

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata

Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral2/memory/3852-219-0x0000000002EC0000-0x0000000002F93000-memory.dmp	family_vidar
behavioral2/memory/3852-235-0x0000000000400000-0x0000000002BB2000-memory.dmp	family_vidar
behavioral2/memory/2760-449-0x0000000000400000-0x00000000021CA000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000500000001ab30-119.dat	aspack_v212_v242
behavioral2/files/0x000500000001ab2d-120.dat	aspack_v212_v242
behavioral2/files/0x000500000001ab30-123.dat	aspack_v212_v242
behavioral2/files/0x000500000001ab2d-122.dat	aspack_v212_v242
behavioral2/files/0x000600000001ab36-125.dat	aspack_v212_v242
behavioral2/files/0x000600000001ab36-128.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 10 IoCs

pid	Process
2472	setup_install.exe
3404	Wed2235d696e09087db.exe
3852	Wed22ba1658550.exe
3408	Wed220a78e02f9cdc2.exe
3936	Wed2259ec17c7e3de63.exe
1432	Wed226a1ef36724b3ee.exe
4108	Wed2276f461788d71.exe
4128	Wed220ea31c8d2529.exe
4172	Wed22e50546816d16.exe
4212	Wed2276a59f98c5.exe

Loads dropped DLL 6 IoCs

pid	Process
2472	setup_install.exe
2472	setup_install.exe
2472	setup_install.exe
2472	setup_install.exe
2472	setup_install.exe
2472	setup_install.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	ipinfo.io
113	ip-api.com
132	ipinfo.io
133	ipinfo.io
238	ip-api.com
34	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 20 IoCs

pid	pid_target	Process	procid_target
4404	1664	WerFault.exe	108
520	4496	WerFault.exe	141
4676	3852	WerFault.exe	88
4916	5572	WerFault.exe	142
4276	2760	WerFault.exe	135
6412	5572	WerFault.exe	142
6632	2760	WerFault.exe	135
7036	5572	WerFault.exe	142
7164	2760	WerFault.exe	135
6904	5572	WerFault.exe	142
7096	2760	WerFault.exe	135
5156	5648	WerFault.exe	153
6680	2760	WerFault.exe	135
7412	2760	WerFault.exe	135
7452	5648	WerFault.exe	153
5196	2760	WerFault.exe	135
8168	7404	WerFault.exe	259
7560	2760	WerFault.exe	135
4520	2760	WerFault.exe	135
8988	6912	WerFault.exe	224

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
8188	schtasks.exe
3892	schtasks.exe
6788	schtasks.exe
6700	schtasks.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
6692	taskkill.exe
6008	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4692	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3936	Wed2259ec17c7e3de63.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 3960 wrote to memory of 2472	3960	14644CC2D4377E98E15DA8E998EE6B54.exe	75
PID 3960 wrote to memory of 2472	3960	14644CC2D4377E98E15DA8E998EE6B54.exe	75
PID 3960 wrote to memory of 2472	3960	14644CC2D4377E98E15DA8E998EE6B54.exe	75
PID 2472 wrote to memory of 3180	2472	setup_install.exe	79
PID 2472 wrote to memory of 3180	2472	setup_install.exe	79
PID 2472 wrote to memory of 3180	2472	setup_install.exe	79
PID 2472 wrote to memory of 1112	2472	setup_install.exe	99
PID 2472 wrote to memory of 1112	2472	setup_install.exe	99
PID 2472 wrote to memory of 1112	2472	setup_install.exe	99
PID 2472 wrote to memory of 3096	2472	setup_install.exe	80
PID 2472 wrote to memory of 3096	2472	setup_install.exe	80
PID 2472 wrote to memory of 3096	2472	setup_install.exe	80
PID 2472 wrote to memory of 2152	2472	setup_install.exe	81
PID 2472 wrote to memory of 2152	2472	setup_install.exe	81
PID 2472 wrote to memory of 2152	2472	setup_install.exe	81
PID 2472 wrote to memory of 2120	2472	setup_install.exe	82
PID 2472 wrote to memory of 2120	2472	setup_install.exe	82
PID 2472 wrote to memory of 2120	2472	setup_install.exe	82
PID 2472 wrote to memory of 3892	2472	setup_install.exe	98
PID 2472 wrote to memory of 3892	2472	setup_install.exe	98
PID 2472 wrote to memory of 3892	2472	setup_install.exe	98
PID 2472 wrote to memory of 4020	2472	setup_install.exe	97
PID 2472 wrote to memory of 4020	2472	setup_install.exe	97
PID 2472 wrote to memory of 4020	2472	setup_install.exe	97
PID 2472 wrote to memory of 1420	2472	setup_install.exe	83
PID 2472 wrote to memory of 1420	2472	setup_install.exe	83
PID 2472 wrote to memory of 1420	2472	setup_install.exe	83
PID 2472 wrote to memory of 1772	2472	setup_install.exe	84
PID 2472 wrote to memory of 1772	2472	setup_install.exe	84
PID 2472 wrote to memory of 1772	2472	setup_install.exe	84
PID 2472 wrote to memory of 2740	2472	setup_install.exe	85
PID 2472 wrote to memory of 2740	2472	setup_install.exe	85
PID 2472 wrote to memory of 2740	2472	setup_install.exe	85
PID 2152 wrote to memory of 3404	2152	cmd.exe	86
PID 2152 wrote to memory of 3404	2152	cmd.exe	86
PID 2152 wrote to memory of 3404	2152	cmd.exe	86
PID 3180 wrote to memory of 2148	3180	cmd.exe	87
PID 3180 wrote to memory of 2148	3180	cmd.exe	87
PID 3180 wrote to memory of 2148	3180	cmd.exe	87
PID 1112 wrote to memory of 3408	1112	cmd.exe	96
PID 1112 wrote to memory of 3408	1112	cmd.exe	96
PID 1112 wrote to memory of 3408	1112	cmd.exe	96
PID 2120 wrote to memory of 3852	2120	cmd.exe	88
PID 2120 wrote to memory of 3852	2120	cmd.exe	88
PID 2120 wrote to memory of 3852	2120	cmd.exe	88
PID 2740 wrote to memory of 3936	2740	cmd.exe	95
PID 2740 wrote to memory of 3936	2740	cmd.exe	95
PID 3096 wrote to memory of 1432	3096	cmd.exe	89
PID 3096 wrote to memory of 1432	3096	cmd.exe	89
PID 3892 wrote to memory of 4108	3892	cmd.exe	94
PID 3892 wrote to memory of 4108	3892	cmd.exe	94
PID 3892 wrote to memory of 4108	3892	cmd.exe	94
PID 4020 wrote to memory of 4128	4020	cmd.exe	90
PID 4020 wrote to memory of 4128	4020	cmd.exe	90
PID 4020 wrote to memory of 4128	4020	cmd.exe	90
PID 1772 wrote to memory of 4172	1772	cmd.exe	93
PID 1772 wrote to memory of 4172	1772	cmd.exe	93
PID 1772 wrote to memory of 4172	1772	cmd.exe	93
PID 1420 wrote to memory of 4212	1420	M28DsPVMbXlJIYB0mtgjM5Tr.exe	91
PID 1420 wrote to memory of 4212	1420	M28DsPVMbXlJIYB0mtgjM5Tr.exe	91

C:\Users\Admin\AppData\Local\Temp\14644CC2D4377E98E15DA8E998EE6B54.exe
"C:\Users\Admin\AppData\Local\Temp\14644CC2D4377E98E15DA8E998EE6B54.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3960
- C:\Users\Admin\AppData\Local\Temp\7zS87F98824\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS87F98824\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3180
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed226a1ef36724b3ee.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\7zS87F98824\Wed226a1ef36724b3ee.exe
      Wed226a1ef36724b3ee.exe
      4⤵
      Executes dropped EXE
      PID:1432
    - - C:\Users\Admin\AppData\Local\Temp\tmp28DB_tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp28DB_tmp.exe"
        5⤵
        
        PID:4608
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c cmd < Corpo.xlsx
        6⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        7⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^OthMvGQXeAyqUhASvlyrPDCQZpoKXyPgrCBJMOmLquNCguqHiGGcDIHkBbMhbyZWLRXsMRyHLzrIPZCToACsmzKxUdofejgUuRRvoIVdBYJlFZ$" Vedi.xlsx
        8⤵
        
        PID:5356
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Apparenze.exe.com
        
        Apparenze.exe.com s
        8⤵
        
        PID:6712
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Apparenze.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Apparenze.exe.com s
        9⤵
        
        PID:7376
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Apparenze.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Apparenze.exe.com s
        10⤵
        
        PID:5556
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Apparenze.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Apparenze.exe.com s
        11⤵
        
        PID:9200
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Apparenze.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Apparenze.exe.com s
        12⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost
        8⤵
        Runs ping.exe
        
        PID:4692
      - C:\Windows\SysWOW64\dllhost.exe
        
        dllhost.exe
        6⤵
        
        PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed2235d696e09087db.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Users\Admin\AppData\Local\Temp\7zS87F98824\Wed2235d696e09087db.exe
      Wed2235d696e09087db.exe
      4⤵
      Executes dropped EXE
      PID:3404
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffApp2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffApp2.exe"
        5⤵
        
        PID:4668
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\PlsWnEU2.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\PlsWnEU2.exe"
        6⤵
        
        PID:9212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed22ba1658550.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Users\Admin\AppData\Local\Temp\7zS87F98824\Wed22ba1658550.exe
      Wed22ba1658550.exe
      4⤵
      Executes dropped EXE
      PID:3852
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 1724
        5⤵
        Program crash
        
        PID:4676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed2276a59f98c5.exe
    3⤵
    PID:1420
  - - C:\Users\Admin\AppData\Local\Temp\7zS87F98824\Wed2276a59f98c5.exe
      Wed2276a59f98c5.exe
      4⤵
      Executes dropped EXE
      PID:4212
    - - C:\Users\Admin\AppData\Roaming\5958753.exe
        
        "C:\Users\Admin\AppData\Roaming\5958753.exe"
        5⤵
        
        PID:5088
    - - C:\Users\Admin\AppData\Roaming\8078720.exe
        
        "C:\Users\Admin\AppData\Roaming\8078720.exe"
        5⤵
        
        PID:1332
      - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        6⤵
        
        PID:5312
    - - C:\Users\Admin\AppData\Roaming\2643813.exe
        
        "C:\Users\Admin\AppData\Roaming\2643813.exe"
        5⤵
        
        PID:3400
    - - C:\Users\Admin\AppData\Roaming\7782951.exe
        
        "C:\Users\Admin\AppData\Roaming\7782951.exe"
        5⤵
        
        PID:5536
    - - C:\Users\Admin\AppData\Roaming\5444584.exe
        
        "C:\Users\Admin\AppData\Roaming\5444584.exe"
        5⤵
        
        PID:5652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed22e50546816d16.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Users\Admin\AppData\Local\Temp\7zS87F98824\Wed22e50546816d16.exe
      Wed22e50546816d16.exe
      4⤵
      Executes dropped EXE
      PID:4172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed2259ec17c7e3de63.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\7zS87F98824\Wed2259ec17c7e3de63.exe
      Wed2259ec17c7e3de63.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3936
    - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        5⤵
        
        PID:4808
      - C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        6⤵
        
        PID:4956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        7⤵
        
        PID:1896
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        8⤵
        Creates scheduled task(s)
        
        PID:6788
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        7⤵
        
        PID:5356
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        8⤵
        
        PID:8524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:8300
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:3892
      - C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        6⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Roaming\3037946.exe
        
        "C:\Users\Admin\AppData\Roaming\3037946.exe"
        7⤵
        
        PID:7584
        
        C:\Users\Admin\AppData\Roaming\5482418.exe
        
        "C:\Users\Admin\AppData\Roaming\5482418.exe"
        7⤵
        
        PID:7628
        
        C:\Users\Admin\AppData\Roaming\5901128.exe
        
        "C:\Users\Admin\AppData\Roaming\5901128.exe"
        7⤵
        
        PID:7680
        
        C:\Users\Admin\AppData\Roaming\5238228.exe
        
        "C:\Users\Admin\AppData\Roaming\5238228.exe"
        7⤵
        
        PID:8092
        
        C:\Users\Admin\AppData\Roaming\5971864.exe
        
        "C:\Users\Admin\AppData\Roaming\5971864.exe"
        7⤵
        
        PID:5744
      - C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        6⤵
        
        PID:1664
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1664 -s 1532
        7⤵
        Program crash
        
        PID:4404
      - C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        6⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
        7⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "setup.exe" /f
        8⤵
        Kills process with taskkill
        
        PID:6692
      - C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        6⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\is-C0S3C.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-C0S3C.tmp\setup_2.tmp" /SL5="$1028C,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        8⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\is-PR4SJ.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PR4SJ.tmp\setup_2.tmp" /SL5="$30282,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        9⤵
        
        PID:4328
      - C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        6⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        7⤵
        
        PID:2200
      - C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        6⤵
        
        PID:3188
      - C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        6⤵
        
        PID:5288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed220ea31c8d2529.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed2276f461788d71.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed220a78e02f9cdc2.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1112

C:\Users\Admin\AppData\Local\Temp\7zS87F98824\Wed220ea31c8d2529.exe
Wed220ea31c8d2529.exe
1⤵
- Executes dropped EXE
PID:4128
- C:\Users\Admin\Documents\L0U6vjQSGyodC_hmRj4NJMEc.exe
  "C:\Users\Admin\Documents\L0U6vjQSGyodC_hmRj4NJMEc.exe"
  2⤵
  PID:2664
- C:\Users\Admin\Documents\zdPAyuXtxacAn9ufjRZXGLBW.exe
  "C:\Users\Admin\Documents\zdPAyuXtxacAn9ufjRZXGLBW.exe"
  2⤵
  PID:2760
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 760
    3⤵
    - Program crash
    PID:4276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 812
    3⤵
    - Program crash
    PID:6632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 792
    3⤵
    - Program crash
    PID:7164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 824
    3⤵
    - Program crash
    PID:7096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 956
    3⤵
    - Program crash
    PID:6680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 984
    3⤵
    - Program crash
    PID:7412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 1048
    3⤵
    - Program crash
    PID:5196
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 1364
    3⤵
    - Program crash
    PID:7560
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 1376
    3⤵
    - Program crash
    PID:4520
- C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
  "C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe"
  2⤵
  PID:4920
- - C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    3⤵
    PID:6136
- - C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    3⤵
    PID:6004
- - C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    3⤵
    PID:6196
- - C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    3⤵
    PID:6804
- - C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    3⤵
    PID:5140
- - C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    3⤵
    PID:4848
- - C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    3⤵
    PID:824
- - C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    3⤵
    PID:7444
- - C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    3⤵
    PID:8084
- - C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    3⤵
    PID:7404
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7404 -s 24
      4⤵
      Program crash
      PID:8168
- - C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    3⤵
    PID:3140
- - C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    3⤵
    PID:8668
- - C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    3⤵
    PID:5292
- - C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    3⤵
    PID:6048
- - C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    3⤵
    PID:9096
- - C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    3⤵
    PID:5228
- - C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    C:\Users\Admin\Documents\G9qlmnzdbujqhH72pplzSadp.exe
    3⤵
    PID:9032
- C:\Users\Admin\Documents\XSY94IkWSWsBPt8yETypvTV8.exe
  "C:\Users\Admin\Documents\XSY94IkWSWsBPt8yETypvTV8.exe"
  2⤵
  PID:4232
- - C:\Users\Admin\Documents\XSY94IkWSWsBPt8yETypvTV8.exe
    "C:\Users\Admin\Documents\XSY94IkWSWsBPt8yETypvTV8.exe"
    3⤵
    PID:4168
- C:\Users\Admin\Documents\3StimjTcIBjlvJrc3sWEXTOi.exe
  "C:\Users\Admin\Documents\3StimjTcIBjlvJrc3sWEXTOi.exe"
  2⤵
  PID:3988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    PID:7216
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      4⤵
      PID:7304
- C:\Users\Admin\Documents\w6i5CNL2mETsS8lRyDTMyN8n.exe
  "C:\Users\Admin\Documents\w6i5CNL2mETsS8lRyDTMyN8n.exe"
  2⤵
  PID:5896
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    PID:5692
- - C:\Program Files (x86)\Company\NewProduct\cutm3.exe
    "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
    3⤵
    PID:5816
- - C:\Program Files (x86)\Company\NewProduct\inst001.exe
    "C:\Program Files (x86)\Company\NewProduct\inst001.exe"
    3⤵
    PID:5260
- C:\Users\Admin\Documents\Nq8zPbs8yUdxocUiCYIPSjfJ.exe
  "C:\Users\Admin\Documents\Nq8zPbs8yUdxocUiCYIPSjfJ.exe"
  2⤵
  PID:5572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 656
    3⤵
    - Program crash
    PID:4916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 672
    3⤵
    - Program crash
    PID:6412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 628
    3⤵
    - Program crash
    PID:7036
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 712
    3⤵
    - Program crash
    PID:6904
- C:\Users\Admin\Documents\PVddoTLfPRqCZomZfRYDJc1K.exe
  "C:\Users\Admin\Documents\PVddoTLfPRqCZomZfRYDJc1K.exe"
  2⤵
  PID:5432
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:6700
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:8188
- - C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe
    "C:\Users\Admin\Documents\qT3dWYBP7ZsuOrwW4ZcUbjl6.exe"
    3⤵
    PID:8152
- C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
  "C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe"
  2⤵
  PID:5928
- - C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    3⤵
    PID:6104
- - C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    3⤵
    PID:3784
- - C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    3⤵
    PID:6324
- - C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    3⤵
    PID:6920
- - C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    3⤵
    PID:6384
- - C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    3⤵
    PID:6020
- - C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    3⤵
    PID:7108
- - C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    3⤵
    PID:7476
- - C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    3⤵
    PID:8044
- - C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    3⤵
    PID:6848
- - C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    3⤵
    PID:6908
- - C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    3⤵
    PID:8704
- - C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    3⤵
    PID:4784
- - C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    3⤵
    PID:8764
- - C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    3⤵
    PID:9064
- - C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    3⤵
    PID:1380
- - C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    C:\Users\Admin\Documents\WanfNWuBovsEMz3JnqBmtiIp.exe
    3⤵
    PID:8748
- C:\Users\Admin\Documents\xoIKb75M1_gUyifttgbZQLcV.exe
  "C:\Users\Admin\Documents\xoIKb75M1_gUyifttgbZQLcV.exe"
  2⤵
  PID:3236
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VbScRIpt: CloSE ( CReATEobJECT ( "WscrIpt.SheLL").Run( "cmD.exe /Q /c TYPE ""C:\Users\Admin\Documents\xoIKb75M1_gUyifttgbZQLcV.exe"" > X4d4XArNWDu.eXE&& StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV & if """"== """" for %A IN (""C:\Users\Admin\Documents\xoIKb75M1_gUyifttgbZQLcV.exe"" ) do taskkill /f -im ""%~nxA"" " , 0, trUE ) )
    3⤵
    PID:6104
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /Q /c TYPE "C:\Users\Admin\Documents\xoIKb75M1_gUyifttgbZQLcV.exe"> X4d4XArNWDu.eXE&& StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV &if ""== "" for %A IN ("C:\Users\Admin\Documents\xoIKb75M1_gUyifttgbZQLcV.exe" ) do taskkill /f -im "%~nxA"
      4⤵
      PID:1896
    - - C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE
        
        X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV
        5⤵
        
        PID:7204
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRIpt: CloSE ( CReATEobJECT ( "WscrIpt.SheLL").Run( "cmD.exe /Q /c TYPE ""C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE"" > X4d4XArNWDu.eXE&& StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV & if ""-PXPoqL0iOUHHP7hXFattB5ZvsV ""== """" for %A IN (""C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE"" ) do taskkill /f -im ""%~nxA"" " , 0, trUE ) )
        6⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /c TYPE "C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE"> X4d4XArNWDu.eXE&& StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV &if "-PXPoqL0iOUHHP7hXFattB5ZvsV "== "" for %A IN ("C:\Users\Admin\AppData\Local\Temp\X4d4XArNWDu.eXE" ) do taskkill /f -im "%~nxA"
        7⤵
        
        PID:6312
      - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" -S fOUT6o7J.Mj
        6⤵
        
        PID:5456
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f -im "xoIKb75M1_gUyifttgbZQLcV.exe"
        5⤵
        Kills process with taskkill
        
        PID:6008
- C:\Users\Admin\Documents\UMuvQbhaQgfyRQBXBGD6gbJq.exe
  "C:\Users\Admin\Documents\UMuvQbhaQgfyRQBXBGD6gbJq.exe"
  2⤵
  PID:660
- C:\Users\Admin\Documents\hHYj_BsJgRkFoiNsNrj56U4G.exe
  "C:\Users\Admin\Documents\hHYj_BsJgRkFoiNsNrj56U4G.exe"
  2⤵
  PID:5660
- C:\Users\Admin\Documents\M28DsPVMbXlJIYB0mtgjM5Tr.exe
  "C:\Users\Admin\Documents\M28DsPVMbXlJIYB0mtgjM5Tr.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1420
- C:\Users\Admin\Documents\KoIis8YcD9ImWjI8FiRenrcT.exe
  "C:\Users\Admin\Documents\KoIis8YcD9ImWjI8FiRenrcT.exe"
  2⤵
  PID:5648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 900
    3⤵
    - Program crash
    PID:5156
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 1116
    3⤵
    - Program crash
    PID:7452
- C:\Users\Admin\Documents\wBhLhfzrISDkYZvfpLzkHIdX.exe
  "C:\Users\Admin\Documents\wBhLhfzrISDkYZvfpLzkHIdX.exe"
  2⤵
  PID:2220
- C:\Users\Admin\Documents\8AJVnky7gn5Jym6gEShwPEiJ.exe
  "C:\Users\Admin\Documents\8AJVnky7gn5Jym6gEShwPEiJ.exe"
  2⤵
  PID:1540
- C:\Users\Admin\Documents\m4EGYH5IWzkfFCRWYj27ujo6.exe
  "C:\Users\Admin\Documents\m4EGYH5IWzkfFCRWYj27ujo6.exe"
  2⤵
  PID:5412
- - C:\Users\Admin\Documents\m4EGYH5IWzkfFCRWYj27ujo6.exe
    "C:\Users\Admin\Documents\m4EGYH5IWzkfFCRWYj27ujo6.exe"
    3⤵
    PID:5636
- - C:\Users\Admin\Documents\m4EGYH5IWzkfFCRWYj27ujo6.exe
    "C:\Users\Admin\Documents\m4EGYH5IWzkfFCRWYj27ujo6.exe"
    3⤵
    PID:8384
- C:\Users\Admin\Documents\kWYIZ9QSKXQwYzD3yRd2ydfb.exe
  "C:\Users\Admin\Documents\kWYIZ9QSKXQwYzD3yRd2ydfb.exe"
  2⤵
  PID:4120
- C:\Users\Admin\Documents\Wypvrba98FBRU3ABqUndvBvT.exe
  "C:\Users\Admin\Documents\Wypvrba98FBRU3ABqUndvBvT.exe"
  2⤵
  PID:800
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:6220
- C:\Users\Admin\Documents\Lqg6OzmDcUWrNgYQUpBjWPbj.exe
  "C:\Users\Admin\Documents\Lqg6OzmDcUWrNgYQUpBjWPbj.exe"
  2⤵
  PID:4372
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    PID:6852
- C:\Users\Admin\Documents\Q8ehJKZ7eRkJlI6rfGPMFpYE.exe
  "C:\Users\Admin\Documents\Q8ehJKZ7eRkJlI6rfGPMFpYE.exe"
  2⤵
  PID:5824
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\DPRwKy.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\DPRwKy.exe"
    3⤵
    PID:6912
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6912 -s 252
      4⤵
      Program crash
      PID:8988
- C:\Users\Admin\Documents\cFW1_EJaqy6fp4XeXiLKO24j.exe
  "C:\Users\Admin\Documents\cFW1_EJaqy6fp4XeXiLKO24j.exe"
  2⤵
  PID:4124
- C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
  "C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe"
  2⤵
  PID:5008
- - C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
    C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
    3⤵
    PID:7080
- - C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
    C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
    3⤵
    PID:6752
- - C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
    C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
    3⤵
    PID:6956
- - C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
    C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
    3⤵
    PID:2080
- - C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
    C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
    3⤵
    PID:7652
- - C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
    C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
    3⤵
    PID:8016
- - C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
    C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
    3⤵
    PID:5128
- - C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
    C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
    3⤵
    PID:5492
- - C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
    C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
    3⤵
    PID:8720
- - C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
    C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
    3⤵
    PID:4616
- - C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
    C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
    3⤵
    PID:1108
- - C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
    C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
    3⤵
    PID:9152
- - C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
    C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
    3⤵
    PID:8552
- - C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
    C:\Users\Admin\Documents\vh85snETKO6YyFcZ6k6LxHQ2.exe
    3⤵
    PID:8788
- C:\Users\Admin\Documents\EP39b0Pv1urDCAHo9jvclfK2.exe
  "C:\Users\Admin\Documents\EP39b0Pv1urDCAHo9jvclfK2.exe"
  2⤵
  PID:6732
- C:\Users\Admin\Documents\trb8b7fkcKn7MxfTG00vdjVW.exe
  "C:\Users\Admin\Documents\trb8b7fkcKn7MxfTG00vdjVW.exe"
  2⤵
  PID:6940
- C:\Users\Admin\Documents\mWodjyFY9tuZokdFyCkFjjHm.exe
  "C:\Users\Admin\Documents\mWodjyFY9tuZokdFyCkFjjHm.exe"
  2⤵
  PID:6696
- - C:\Users\Admin\Documents\mWodjyFY9tuZokdFyCkFjjHm.exe
    "C:\Users\Admin\Documents\mWodjyFY9tuZokdFyCkFjjHm.exe" -u
    3⤵
    PID:8160
- C:\Users\Admin\Documents\ndsqpWMy6Hv_c5fbswaGoh1U.exe
  "C:\Users\Admin\Documents\ndsqpWMy6Hv_c5fbswaGoh1U.exe"
  2⤵
  PID:7276

C:\Users\Admin\AppData\Local\Temp\is-03AF2.tmp\Wed2276f461788d71.tmp
"C:\Users\Admin\AppData\Local\Temp\is-03AF2.tmp\Wed2276f461788d71.tmp" /SL5="$101DE,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS87F98824\Wed2276f461788d71.exe"
1⤵
PID:4396
- C:\Users\Admin\AppData\Local\Temp\is-8T4HF.tmp\zab2our.exe
  "C:\Users\Admin\AppData\Local\Temp\is-8T4HF.tmp\zab2our.exe" /S /UID=burnerch2
  2⤵
  PID:4940
- - C:\Program Files\Windows Defender\BBEAFCVFMW\ultramediaburner.exe
    "C:\Program Files\Windows Defender\BBEAFCVFMW\ultramediaburner.exe" /VERYSILENT
    3⤵
    PID:7868
  - - C:\Users\Admin\AppData\Local\Temp\is-P78BI.tmp\ultramediaburner.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-P78BI.tmp\ultramediaburner.tmp" /SL5="$50416,281924,62464,C:\Program Files\Windows Defender\BBEAFCVFMW\ultramediaburner.exe" /VERYSILENT
      4⤵
      PID:7296
    - - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        5⤵
        
        PID:8936
- - C:\Users\Admin\AppData\Local\Temp\69-04dc9-4f4-9c0a9-409475c040e46\Noluwyluwy.exe
    "C:\Users\Admin\AppData\Local\Temp\69-04dc9-4f4-9c0a9-409475c040e46\Noluwyluwy.exe"
    3⤵
    PID:5116
- - C:\Users\Admin\AppData\Local\Temp\2e-d5203-0de-4b2b1-dd6c7385c36c0\Recixonugo.exe
    "C:\Users\Admin\AppData\Local\Temp\2e-d5203-0de-4b2b1-dd6c7385c36c0\Recixonugo.exe"
    3⤵
    PID:8200

C:\Users\Admin\AppData\Local\Temp\7zS87F98824\Wed2276f461788d71.exe
Wed2276f461788d71.exe
1⤵
- Executes dropped EXE
PID:4108

C:\Users\Admin\AppData\Local\Temp\7zS87F98824\Wed220a78e02f9cdc2.exe
Wed220a78e02f9cdc2.exe
1⤵
- Executes dropped EXE
PID:3408
- C:\Users\Admin\AppData\Local\Temp\7zS87F98824\Wed220a78e02f9cdc2.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS87F98824\Wed220a78e02f9cdc2.exe" -u
  2⤵
  PID:4688

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6016
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:6044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:4496
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4496 -s 492
  2⤵
  - Program crash
  PID:520

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
PID:6612

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/372-391-0x000002C9D7920000-0x000002C9D7994000-memory.dmp

Filesize
464KB

Download
memory/652-393-0x000001A013430000-0x000001A0134A4000-memory.dmp

Filesize
464KB

Download
memory/652-376-0x000001A013370000-0x000001A0133BD000-memory.dmp

Filesize
308KB

Download
memory/1136-436-0x0000019DE1940000-0x0000019DE19B4000-memory.dmp

Filesize
464KB

Download
memory/1204-462-0x00000240A4030000-0x00000240A40A4000-memory.dmp

Filesize
464KB

Download
memory/1332-268-0x0000000001750000-0x000000000175C000-memory.dmp

Filesize
48KB

Download
memory/1332-277-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/1332-274-0x00000000058D0000-0x00000000058D1000-memory.dmp

Filesize
4KB

Download
memory/1332-272-0x000000000A150000-0x000000000A151000-memory.dmp

Filesize
4KB

Download
memory/1332-253-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/1332-265-0x00000000016F0000-0x00000000016F1000-memory.dmp

Filesize
4KB

Download
memory/1392-476-0x0000017B53560000-0x0000017B535D4000-memory.dmp

Filesize
464KB

Download
memory/1408-446-0x00000231D2A80000-0x00000231D2AF4000-memory.dmp

Filesize
464KB

Download
memory/1432-201-0x000001451A512000-0x000001451A514000-memory.dmp

Filesize
8KB

Download
memory/1432-204-0x000001451A515000-0x000001451A517000-memory.dmp

Filesize
8KB

Download
memory/1432-202-0x000001451A514000-0x000001451A515000-memory.dmp

Filesize
4KB

Download
memory/1432-196-0x000001451D510000-0x000001451D58E000-memory.dmp

Filesize
504KB

Download
memory/1432-178-0x000001457FE70000-0x000001457FE71000-memory.dmp

Filesize
4KB

Download
memory/1432-193-0x000001451A510000-0x000001451A512000-memory.dmp

Filesize
8KB

Download
memory/1432-185-0x00000145002F0000-0x00000145002FB000-memory.dmp

Filesize
44KB

Download
memory/1540-472-0x0000000000CE0000-0x0000000000CE2000-memory.dmp

Filesize
8KB

Download
memory/1664-239-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1664-252-0x000000001AF80000-0x000000001AF82000-memory.dmp

Filesize
8KB

Download
memory/1836-458-0x000001E49C4B0000-0x000001E49C524000-memory.dmp

Filesize
464KB

Download
memory/2084-444-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2148-205-0x00000000074E0000-0x00000000074E1000-memory.dmp

Filesize
4KB

Download
memory/2148-198-0x0000000006BE0000-0x0000000006BE1000-memory.dmp

Filesize
4KB

Download
memory/2148-186-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/2148-250-0x0000000007EB0000-0x0000000007EB1000-memory.dmp

Filesize
4KB

Download
memory/2148-190-0x0000000006702000-0x0000000006703000-memory.dmp

Filesize
4KB

Download
memory/2148-276-0x0000000007CB0000-0x0000000007CB1000-memory.dmp

Filesize
4KB

Download
memory/2148-203-0x0000000006C80000-0x0000000006C81000-memory.dmp

Filesize
4KB

Download
memory/2148-189-0x0000000006D40000-0x0000000006D41000-memory.dmp

Filesize
4KB

Download
memory/2148-187-0x0000000006700000-0x0000000006701000-memory.dmp

Filesize
4KB

Download
memory/2148-241-0x0000000006D10000-0x0000000006D11000-memory.dmp

Filesize
4KB

Download
memory/2148-208-0x0000000007550000-0x0000000007551000-memory.dmp

Filesize
4KB

Download
memory/2148-398-0x000000007EEF0000-0x000000007EEF1000-memory.dmp

Filesize
4KB

Download
memory/2376-403-0x0000000000400000-0x000000000217A000-memory.dmp

Filesize
29.5MB

Download
memory/2376-360-0x00000000001D0000-0x00000000001FF000-memory.dmp

Filesize
188KB

Download
memory/2392-414-0x000001E9835A0000-0x000001E983614000-memory.dmp

Filesize
464KB

Download
memory/2432-400-0x000001CB15670000-0x000001CB156E4000-memory.dmp

Filesize
464KB

Download
memory/2472-137-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2472-129-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2472-130-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2472-131-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2472-134-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2472-143-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2472-141-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2608-372-0x0000023EC3970000-0x0000023EC39E4000-memory.dmp

Filesize
464KB

Download
memory/2664-418-0x0000000077A50000-0x0000000077BDE000-memory.dmp

Filesize
1.6MB

Download
memory/2664-461-0x0000000005B00000-0x0000000005B01000-memory.dmp

Filesize
4KB

Download
memory/2760-449-0x0000000000400000-0x00000000021CA000-memory.dmp

Filesize
29.8MB

Download
memory/2772-279-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3400-287-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/3400-305-0x00000000078C0000-0x00000000078C1000-memory.dmp

Filesize
4KB

Download
memory/3400-323-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/3400-312-0x0000000007920000-0x0000000007921000-memory.dmp

Filesize
4KB

Download
memory/3400-301-0x0000000007E70000-0x0000000007E71000-memory.dmp

Filesize
4KB

Download
memory/3400-297-0x00000000052D0000-0x00000000052FE000-memory.dmp

Filesize
184KB

Download
memory/3400-307-0x00000000079F0000-0x00000000079F1000-memory.dmp

Filesize
4KB

Download
memory/3852-235-0x0000000000400000-0x0000000002BB2000-memory.dmp

Filesize
39.7MB

Download
memory/3852-219-0x0000000002EC0000-0x0000000002F93000-memory.dmp

Filesize
844KB

Download
memory/3936-168-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/3936-183-0x000000001AC60000-0x000000001AC62000-memory.dmp

Filesize
8KB

Download
memory/4108-191-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4128-240-0x00000000038A0000-0x00000000039DF000-memory.dmp

Filesize
1.2MB

Download
memory/4168-440-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4172-304-0x0000000000400000-0x0000000001D9A000-memory.dmp

Filesize
25.6MB

Download
memory/4172-325-0x0000000003F20000-0x0000000003F21000-memory.dmp

Filesize
4KB

Download
memory/4172-335-0x0000000003F24000-0x0000000003F26000-memory.dmp

Filesize
8KB

Download
memory/4172-311-0x0000000003B80000-0x0000000003B9F000-memory.dmp

Filesize
124KB

Download
memory/4172-333-0x0000000003F23000-0x0000000003F24000-memory.dmp

Filesize
4KB

Download
memory/4172-306-0x0000000001E00000-0x0000000001E30000-memory.dmp

Filesize
192KB

Download
memory/4172-330-0x0000000003F22000-0x0000000003F23000-memory.dmp

Filesize
4KB

Download
memory/4212-195-0x0000000001190000-0x00000000011A7000-memory.dmp

Filesize
92KB

Download
memory/4212-184-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/4212-199-0x000000001B930000-0x000000001B932000-memory.dmp

Filesize
8KB

Download
memory/4292-299-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4328-453-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4396-200-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4496-396-0x00000168CF7D0000-0x00000168CF844000-memory.dmp

Filesize
464KB

Download
memory/4668-292-0x0000000002870000-0x0000000002872000-memory.dmp

Filesize
8KB

Download
memory/4668-212-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/4808-217-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/4920-422-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/4940-248-0x0000000001210000-0x0000000001212000-memory.dmp

Filesize
8KB

Download
memory/4956-226-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4956-381-0x00000000019C0000-0x00000000019C2000-memory.dmp

Filesize
8KB

Download
memory/5052-264-0x000000001B580000-0x000000001B582000-memory.dmp

Filesize
8KB

Download
memory/5052-245-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/5052-254-0x0000000000C40000-0x0000000000C57000-memory.dmp

Filesize
92KB

Download
memory/5088-255-0x0000000001400000-0x000000000143E000-memory.dmp

Filesize
248KB

Download
memory/5088-238-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/5088-266-0x000000001B7D0000-0x000000001B7D2000-memory.dmp

Filesize
8KB

Download
memory/5288-294-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/5288-302-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/5312-327-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/5320-386-0x000002344F300000-0x000002344F374000-memory.dmp

Filesize
464KB

Download
memory/5536-349-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/5536-336-0x0000000077A50000-0x0000000077BDE000-memory.dmp

Filesize
1.6MB

Download
memory/5572-467-0x0000000000400000-0x0000000002B59000-memory.dmp

Filesize
39.3MB

Download
memory/5652-339-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/5652-315-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/6044-364-0x0000000004315000-0x0000000004416000-memory.dmp

Filesize
1.0MB

Download
memory/6044-369-0x0000000004240000-0x000000000429F000-memory.dmp

Filesize
380KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads