Overview

overview

10

Static

static

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

8

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

8

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

9

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

9

ﱞﱞﱞ�...ฺฺ

windows10_x64

8

ﱞﱞﱞ�...ฺฺ

windows10_x64

10

ﱞﱞﱞ�...ฺฺ

windows10_x64

8

ﱞﱞﱞ�...ฺฺ

windows10_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

8

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

8

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

8

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

8

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

8

ﱞﱞﱞ�...ﱞﱞ

windows7_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows7_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows7_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows7_x64

10

win102

windows10_x64

8

win102

windows10_x64

10

win102

windows10_x64

8

win102

windows10_x64

10

win104

windows10_x64

10

win104

windows10_x64

8

win104

windows10_x64

10

win104

windows10_x64

8

win105

windows10_x64

10

win105

windows10_x64

8

win105

windows10_x64

10

win105

windows10_x64

10

Resubmissions

12-11-2024 01:29

241112-bwgrxs1gnf 10

08-07-2021 12:18

210708-8z6d5h8z2n 10

06-07-2021 17:53

210706-g6we6sa7sa 10

19-06-2021 18:17

210619-vr8bj2dzfn 10

17-06-2021 21:39

210617-a9cvlnmrbx 10

11-06-2021 17:26

210611-wvab1yw2tj 10

08-06-2021 06:47

210608-qrbpch3y46 10

08-06-2021 06:47

210608-64tndgm1ln 10

05-06-2021 18:40

210605-cd6qpr55sx 10

04-06-2021 11:56

210604-5c416rs3ns 10

Analysis

  • max time kernel
    1801s
  • max time network
    1803s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    25-05-2021 05:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Install2.exe

  • Size

    497KB

  • MD5

    41a5f4fd1ea7cac4aa94a87aebccfef0

  • SHA1

    0d0abf079413a4c773754bf4fda338dc5b9a8ddc

  • SHA256

    97e95e99fd499ec45a7c1d8683d5731ce5e7a8fb8b710622e578cd169a00d8d9

  • SHA512

    5ca14bda498f26efff4e1179969b8f2c25244063c7bf25f3ec20b5cd24b5be320bbfb8b3d0b2d66f5c5b415da777a766fece5f251a4247773c6cb991417fb75f

Score
10/10
raccoonsmokeloader5339a5db91bba8fa758672b05e7eb691a224bf94backdoordiscoveryevasionpersistencestealertrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/
rc4.i32
rc4.i32

Extracted

Family

raccoon

Botnet

5339a5db91bba8fa758672b05e7eb691a224bf94

Attributes
  • url4cnc

    https://tttttt.me/jagressor_kz

rc4.plain
rc4.plain

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Blocklisted process makes network request 64 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 32 IoCs
  • Loads dropped DLL 64 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Drops file in Windows directory 52 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 24 IoCs
  • Modifies system certificate store 2 TTPs 12 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 1 IoCs
  • Script User-Agent 3 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 3 IoCs
  • Suspicious behavior: MapViewOfSection 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 14 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Install2.exe
    "C:\Users\Admin\AppData\Local\Temp\Install2.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:484
    • C:\Users\Admin\AppData\Local\Temp\is-6C8IO.tmp\Install2.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-6C8IO.tmp\Install2.tmp" /SL5="$50152,235791,152064,C:\Users\Admin\AppData\Local\Temp\Install2.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Users\Admin\AppData\Local\Temp\is-OMOVE.tmp\Ultra.exe
        "C:\Users\Admin\AppData\Local\Temp\is-OMOVE.tmp\Ultra.exe" /S /UID=burnerch1
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1216
        • C:\Program Files\Windows Journal\GVBXSRXBFV\ultramediaburner.exe
          "C:\Program Files\Windows Journal\GVBXSRXBFV\ultramediaburner.exe" /VERYSILENT
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1184
          • C:\Users\Admin\AppData\Local\Temp\is-809SS.tmp\ultramediaburner.tmp
            "C:\Users\Admin\AppData\Local\Temp\is-809SS.tmp\ultramediaburner.tmp" /SL5="$70016,281924,62464,C:\Program Files\Windows Journal\GVBXSRXBFV\ultramediaburner.exe" /VERYSILENT
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:992
            • C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
              "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
              6⤵
              • Executes dropped EXE
              PID:1572
        • C:\Users\Admin\AppData\Local\Temp\2d-9c49e-294-8d79a-ee18b0751c552\Tyrashivexa.exe
          "C:\Users\Admin\AppData\Local\Temp\2d-9c49e-294-8d79a-ee18b0751c552\Tyrashivexa.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1244
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1080
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1080 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1868
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1080 CREDAT:1258713 /prefetch:2
              6⤵
              • Suspicious use of SetWindowsHookEx
              PID:2220
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1080 CREDAT:996541 /prefetch:2
              6⤵
              • Suspicious use of SetWindowsHookEx
              PID:7572
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1080 CREDAT:2307103 /prefetch:2
              6⤵
              • Suspicious use of SetWindowsHookEx
              PID:7868
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1080 CREDAT:668846 /prefetch:2
              6⤵
              • Suspicious use of SetWindowsHookEx
              PID:388
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1080 CREDAT:2307206 /prefetch:2
              6⤵
              • Suspicious use of SetWindowsHookEx
              PID:7452
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1080 CREDAT:3224635 /prefetch:2
              6⤵
              • Suspicious use of SetWindowsHookEx
              PID:5840
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1080 CREDAT:603332 /prefetch:2
              6⤵
              • Suspicious use of SetWindowsHookEx
              PID:6156
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1080 CREDAT:2307232 /prefetch:2
              6⤵
              • Suspicious use of SetWindowsHookEx
              PID:6148
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
            5⤵
              PID:2184
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1851483
              5⤵
                PID:7844
              • C:\Program Files\Internet Explorer\iexplore.exe
                "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1851513
                5⤵
                  PID:8188
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.directdexchange.com/jump/next.php?r=2087215
                  5⤵
                    PID:7412
                  • C:\Program Files\Internet Explorer\iexplore.exe
                    "C:\Program Files\Internet Explorer\iexplore.exe" https://www.directdexchange.com/jump/next.php?r=4263119
                    5⤵
                      PID:5820
                    • C:\Program Files\Internet Explorer\iexplore.exe
                      "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?id=1294231
                      5⤵
                        PID:6532
                      • C:\Program Files\Internet Explorer\iexplore.exe
                        "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1492888&var=3
                        5⤵
                          PID:2772
                      • C:\Users\Admin\AppData\Local\Temp\9e-ddb26-641-cddae-ce4357e55624a\Nypevahake.exe
                        "C:\Users\Admin\AppData\Local\Temp\9e-ddb26-641-cddae-ce4357e55624a\Nypevahake.exe"
                        4⤵
                        • Executes dropped EXE
                        • Modifies system certificate store
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2016
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bamb5wrc.z44\001.exe & exit
                          5⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2268
                          • C:\Users\Admin\AppData\Local\Temp\bamb5wrc.z44\001.exe
                            C:\Users\Admin\AppData\Local\Temp\bamb5wrc.z44\001.exe
                            6⤵
                            • Executes dropped EXE
                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                            PID:2368
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0tldkykt.4zw\GcleanerEU.exe /eufive & exit
                          5⤵
                            PID:2648
                          • C:\Windows\System32\cmd.exe
                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\htdcpidh.p3j\installer.exe /qn CAMPAIGN="654" & exit
                            5⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2908
                            • C:\Users\Admin\AppData\Local\Temp\htdcpidh.p3j\installer.exe
                              C:\Users\Admin\AppData\Local\Temp\htdcpidh.p3j\installer.exe /qn CAMPAIGN="654"
                              6⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Enumerates connected drives
                              • Modifies system certificate store
                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of FindShellTrayWindow
                              PID:2980
                              • C:\Windows\SysWOW64\msiexec.exe
                                "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\htdcpidh.p3j\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\htdcpidh.p3j\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1621661626 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
                                7⤵
                                  PID:3000
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vjcbiymw.1bv\hbggg.exe & exit
                              5⤵
                                PID:3052
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3grzpuic.sat\Setup3310.exe /Verysilent /subid=623 & exit
                                5⤵
                                  PID:2544
                                  • C:\Users\Admin\AppData\Local\Temp\3grzpuic.sat\Setup3310.exe
                                    C:\Users\Admin\AppData\Local\Temp\3grzpuic.sat\Setup3310.exe /Verysilent /subid=623
                                    6⤵
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                    PID:2596
                                    • C:\Users\Admin\AppData\Local\Temp\is-RBITS.tmp\Setup3310.tmp
                                      "C:\Users\Admin\AppData\Local\Temp\is-RBITS.tmp\Setup3310.tmp" /SL5="$C02BC,138429,56832,C:\Users\Admin\AppData\Local\Temp\3grzpuic.sat\Setup3310.exe" /Verysilent /subid=623
                                      7⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Drops file in Program Files directory
                                      • Suspicious use of FindShellTrayWindow
                                      PID:2704
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\n5ej22wt.imi\setup.exe & exit
                                  5⤵
                                    PID:2204
                                    • C:\Users\Admin\AppData\Local\Temp\n5ej22wt.imi\setup.exe
                                      C:\Users\Admin\AppData\Local\Temp\n5ej22wt.imi\setup.exe
                                      6⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                      PID:2444
                                      • C:\Windows\SysWOW64\cmd.exe
                                        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\n5ej22wt.imi\setup.exe"
                                        7⤵
                                          PID:2732
                                          • C:\Windows\SysWOW64\PING.EXE
                                            ping 1.1.1.1 -n 1 -w 3000
                                            8⤵
                                            • Runs ping.exe
                                            PID:2760
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oktpp2x2.vag\GcleanerWW.exe /mixone & exit
                                      5⤵
                                        PID:2808
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\w2yuj1az.mu4\005.exe & exit
                                        5⤵
                                          PID:3032
                                          • C:\Users\Admin\AppData\Local\Temp\w2yuj1az.mu4\005.exe
                                            C:\Users\Admin\AppData\Local\Temp\w2yuj1az.mu4\005.exe
                                            6⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                            PID:916
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rvslsqba.ad1\toolspab1.exe & exit
                                          5⤵
                                            PID:3036
                                            • C:\Users\Admin\AppData\Local\Temp\rvslsqba.ad1\toolspab1.exe
                                              C:\Users\Admin\AppData\Local\Temp\rvslsqba.ad1\toolspab1.exe
                                              6⤵
                                              • Executes dropped EXE
                                              • Suspicious use of SetThreadContext
                                              • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                              PID:2992
                                              • C:\Users\Admin\AppData\Local\Temp\rvslsqba.ad1\toolspab1.exe
                                                C:\Users\Admin\AppData\Local\Temp\rvslsqba.ad1\toolspab1.exe
                                                7⤵
                                                • Executes dropped EXE
                                                • Checks SCSI registry key(s)
                                                • Suspicious behavior: MapViewOfSection
                                                PID:2168
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rnu0zfoz.nf1\installer.exe /qn CAMPAIGN="654" & exit
                                            5⤵
                                              PID:2308
                                              • C:\Users\Admin\AppData\Local\Temp\rnu0zfoz.nf1\installer.exe
                                                C:\Users\Admin\AppData\Local\Temp\rnu0zfoz.nf1\installer.exe /qn CAMPAIGN="654"
                                                6⤵
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                • Enumerates connected drives
                                                • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                • Suspicious use of FindShellTrayWindow
                                                PID:2796
                                                • C:\Windows\SysWOW64\msiexec.exe
                                                  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\rnu0zfoz.nf1\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\rnu0zfoz.nf1\ EXE_CMD_LINE="/forcecleanup /wintime 1621661626 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
                                                  7⤵
                                                    PID:2924
                                      • C:\Windows\system32\msiexec.exe
                                        C:\Windows\system32\msiexec.exe /V
                                        1⤵
                                        • Enumerates connected drives
                                        • Drops file in Program Files directory
                                        • Drops file in Windows directory
                                        • Modifies data under HKEY_USERS
                                        • Modifies registry class
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2448
                                        • C:\Windows\syswow64\MsiExec.exe
                                          C:\Windows\syswow64\MsiExec.exe -Embedding 1586FC542ED0B646225786185E3C4829 C
                                          2⤵
                                          • Loads dropped DLL
                                          PID:2688
                                        • C:\Windows\syswow64\MsiExec.exe
                                          C:\Windows\syswow64\MsiExec.exe -Embedding A589F3F4D4D95E47C7E10329C1ADC0D0
                                          2⤵
                                          • Blocklisted process makes network request
                                          • Loads dropped DLL
                                          PID:2180
                                          • C:\Windows\SysWOW64\taskkill.exe
                                            "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
                                            3⤵
                                            • Kills process with taskkill
                                            PID:2488
                                        • C:\Windows\syswow64\MsiExec.exe
                                          C:\Windows\syswow64\MsiExec.exe -Embedding 96914DC4961CC351AE63A113DF81BAB1 M Global\MSI0000
                                          2⤵
                                          • Loads dropped DLL
                                          PID:2868
                                        • C:\Windows\syswow64\MsiExec.exe
                                          C:\Windows\syswow64\MsiExec.exe -Embedding DC4E34A7DCB021958114DBCF9DBFE643 C
                                          2⤵
                                          • Loads dropped DLL
                                          PID:2280
                                        • C:\Windows\syswow64\MsiExec.exe
                                          C:\Windows\syswow64\MsiExec.exe -Embedding 6C026BDCBB85F227F5A0240036DBD457
                                          2⤵
                                          • Loads dropped DLL
                                          PID:2060
                                          • C:\Windows\SysWOW64\taskkill.exe
                                            "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
                                            3⤵
                                            • Kills process with taskkill
                                            PID:2588
                                        • C:\Windows\syswow64\MsiExec.exe
                                          C:\Windows\syswow64\MsiExec.exe -Embedding 5C04DDB629A733B548562471F867FA53 M Global\MSI0000
                                          2⤵
                                          • Loads dropped DLL
                                          PID:2812
                                      • C:\Users\Admin\AppData\Local\Temp\3237.exe
                                        C:\Users\Admin\AppData\Local\Temp\3237.exe
                                        1⤵
                                        • Executes dropped EXE
                                        PID:560
                                        • C:\Windows\SysWOW64\WerFault.exe
                                          C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 520
                                          2⤵
                                          • Program crash
                                          • Suspicious behavior: GetForegroundWindowSpam
                                          PID:2536
                                      • C:\Windows\SysWOW64\explorer.exe
                                        C:\Windows\SysWOW64\explorer.exe
                                        1⤵
                                          PID:1828
                                        • C:\Windows\explorer.exe
                                          C:\Windows\explorer.exe
                                          1⤵
                                            PID:2060
                                          • C:\Windows\SysWOW64\explorer.exe
                                            C:\Windows\SysWOW64\explorer.exe
                                            1⤵
                                            • Suspicious behavior: MapViewOfSection
                                            PID:2360
                                          • C:\Windows\explorer.exe
                                            C:\Windows\explorer.exe
                                            1⤵
                                            • Suspicious behavior: MapViewOfSection
                                            PID:2764
                                          • C:\Windows\SysWOW64\explorer.exe
                                            C:\Windows\SysWOW64\explorer.exe
                                            1⤵
                                            • Suspicious behavior: MapViewOfSection
                                            PID:2856
                                          • C:\Windows\explorer.exe
                                            C:\Windows\explorer.exe
                                            1⤵
                                            • Suspicious behavior: MapViewOfSection
                                            PID:2296
                                          • C:\Windows\SysWOW64\explorer.exe
                                            C:\Windows\SysWOW64\explorer.exe
                                            1⤵
                                            • Suspicious behavior: MapViewOfSection
                                            PID:1916
                                          • C:\Windows\explorer.exe
                                            C:\Windows\explorer.exe
                                            1⤵
                                            • Suspicious behavior: MapViewOfSection
                                            PID:2576
                                          • C:\Windows\SysWOW64\explorer.exe
                                            C:\Windows\SysWOW64\explorer.exe
                                            1⤵
                                              PID:1944
                                            • C:\Windows\system32\taskeng.exe
                                              taskeng.exe {5906A422-F37C-46B3-B161-270377766ACD} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
                                              1⤵
                                                PID:2928
                                                • C:\Users\Admin\AppData\Roaming\dwatfaf
                                                  C:\Users\Admin\AppData\Roaming\dwatfaf
                                                  2⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetThreadContext
                                                  PID:2720
                                                  • C:\Users\Admin\AppData\Roaming\dwatfaf
                                                    C:\Users\Admin\AppData\Roaming\dwatfaf
                                                    3⤵
                                                    • Executes dropped EXE
                                                    • Checks SCSI registry key(s)
                                                    • Suspicious behavior: MapViewOfSection
                                                    PID:2680
                                              • C:\Windows\system32\taskeng.exe
                                                taskeng.exe {B990F924-F79E-4EBB-9119-7B738D5FCBB6} S-1-5-18:NT AUTHORITY\System:Service:
                                                1⤵
                                                  PID:1312
                                                  • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                    "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 8080
                                                    2⤵
                                                    • Executes dropped EXE
                                                    PID:2504
                                                  • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                    "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 8080
                                                    2⤵
                                                    • Executes dropped EXE
                                                    PID:2376
                                                  • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                    "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 8080
                                                    2⤵
                                                    • Executes dropped EXE
                                                    PID:4032
                                                  • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                    "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 8080
                                                    2⤵
                                                    • Executes dropped EXE
                                                    PID:4044
                                                  • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                    "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 8080
                                                    2⤵
                                                    • Executes dropped EXE
                                                    PID:5624
                                                  • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                    "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 8080
                                                    2⤵
                                                    • Executes dropped EXE
                                                    PID:5736
                                                  • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                    "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 8080
                                                    2⤵
                                                    • Executes dropped EXE
                                                    PID:7548
                                                  • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                    "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 8080
                                                    2⤵
                                                    • Executes dropped EXE
                                                    PID:8088
                                                  • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                    "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 8080
                                                    2⤵
                                                    • Executes dropped EXE
                                                    PID:6000
                                                • C:\Windows\system32\taskeng.exe
                                                  taskeng.exe {4D6B452A-A5A2-461D-82AD-F827A40A6099} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
                                                  1⤵
                                                    PID:1604
                                                    • C:\Users\Admin\AppData\Roaming\dwatfaf
                                                      C:\Users\Admin\AppData\Roaming\dwatfaf
                                                      2⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of SetThreadContext
                                                      PID:1636
                                                      • C:\Users\Admin\AppData\Roaming\dwatfaf
                                                        C:\Users\Admin\AppData\Roaming\dwatfaf
                                                        3⤵
                                                        • Executes dropped EXE
                                                        • Checks SCSI registry key(s)
                                                        PID:1520
                                                  • C:\Windows\system32\taskeng.exe
                                                    taskeng.exe {A2DDCDC0-1550-4FB5-9D72-B05BBA2716C6} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
                                                    1⤵
                                                      PID:2928
                                                      • C:\Users\Admin\AppData\Roaming\dwatfaf
                                                        C:\Users\Admin\AppData\Roaming\dwatfaf
                                                        2⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of SetThreadContext
                                                        PID:5944
                                                        • C:\Users\Admin\AppData\Roaming\dwatfaf
                                                          C:\Users\Admin\AppData\Roaming\dwatfaf
                                                          3⤵
                                                          • Executes dropped EXE
                                                          • Checks SCSI registry key(s)
                                                          PID:6016

                                                    Network

                                                    MITRE ATT&CK Enterprise v6

                                                    Replay Monitor

                                                    Loading Replay Monitor...

                                                    Downloads

                                                    • memory/484-60-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

                                                      Filesize

                                                      8KB

                                                      Download

                                                    • memory/484-61-0x0000000000400000-0x000000000042B000-memory.dmp

                                                      Filesize

                                                      172KB

                                                      Download

                                                    • memory/560-281-0x0000000000400000-0x000000000049C000-memory.dmp

                                                      Filesize

                                                      624KB

                                                      Download

                                                    • memory/560-280-0x0000000000510000-0x00000000005A1000-memory.dmp

                                                      Filesize

                                                      580KB

                                                      Download

                                                    • memory/916-214-0x0000000000430000-0x0000000000442000-memory.dmp

                                                      Filesize

                                                      72KB

                                                      Download

                                                    • memory/916-213-0x0000000000250000-0x0000000000260000-memory.dmp

                                                      Filesize

                                                      64KB

                                                      Download

                                                    • memory/992-88-0x00000000749D1000-0x00000000749D3000-memory.dmp

                                                      Filesize

                                                      8KB

                                                      Download

                                                    • memory/992-104-0x00000000001D0000-0x00000000001D1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1080-274-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1080-264-0x0000000002D80000-0x0000000002D81000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1080-254-0x0000000002D40000-0x0000000002D41000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1184-79-0x0000000000400000-0x0000000000416000-memory.dmp

                                                      Filesize

                                                      88KB

                                                      Download

                                                    • memory/1216-75-0x0000000000B50000-0x0000000000B52000-memory.dmp

                                                      Filesize

                                                      8KB

                                                      Download

                                                    • memory/1244-106-0x0000000002020000-0x0000000002022000-memory.dmp

                                                      Filesize

                                                      8KB

                                                      Download

                                                    • memory/1288-236-0x0000000003AA0000-0x0000000003B25000-memory.dmp

                                                      Filesize

                                                      532KB

                                                      Download

                                                    • memory/1572-105-0x000007FEF2430000-0x000007FEF34C6000-memory.dmp

                                                      Filesize

                                                      16.6MB

                                                      Download

                                                    • memory/1572-122-0x0000000000A65000-0x0000000000A66000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/1572-107-0x0000000000A40000-0x0000000000A42000-memory.dmp

                                                      Filesize

                                                      8KB

                                                      Download

                                                    • memory/1572-121-0x0000000000A46000-0x0000000000A65000-memory.dmp

                                                      Filesize

                                                      124KB

                                                      Download

                                                    • memory/1572-123-0x0000000001030000-0x0000000001049000-memory.dmp

                                                      Filesize

                                                      100KB

                                                      Download

                                                    • memory/1828-242-0x0000000000140000-0x00000000001B4000-memory.dmp

                                                      Filesize

                                                      464KB

                                                      Download

                                                    • memory/1828-243-0x00000000000D0000-0x000000000013B000-memory.dmp

                                                      Filesize

                                                      428KB

                                                      Download

                                                    • memory/1916-270-0x0000000000080000-0x0000000000089000-memory.dmp

                                                      Filesize

                                                      36KB

                                                      Download

                                                    • memory/1916-269-0x0000000000090000-0x0000000000094000-memory.dmp

                                                      Filesize

                                                      16KB

                                                      Download

                                                    • memory/1948-70-0x0000000000240000-0x0000000000241000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2016-109-0x0000000000A30000-0x0000000000A32000-memory.dmp

                                                      Filesize

                                                      8KB

                                                      Download

                                                    • memory/2016-112-0x000007FEF2430000-0x000007FEF34C6000-memory.dmp

                                                      Filesize

                                                      16.6MB

                                                      Download

                                                    • memory/2016-117-0x0000000000A36000-0x0000000000A55000-memory.dmp

                                                      Filesize

                                                      124KB

                                                      Download

                                                    • memory/2060-245-0x0000000000060000-0x000000000006C000-memory.dmp

                                                      Filesize

                                                      48KB

                                                      Download

                                                    • memory/2060-244-0x0000000000070000-0x0000000000077000-memory.dmp

                                                      Filesize

                                                      28KB

                                                      Download

                                                    • memory/2168-231-0x0000000000400000-0x000000000040C000-memory.dmp

                                                      Filesize

                                                      48KB

                                                      Download

                                                    • memory/2296-262-0x0000000000070000-0x0000000000076000-memory.dmp

                                                      Filesize

                                                      24KB

                                                      Download

                                                    • memory/2296-263-0x0000000000060000-0x000000000006C000-memory.dmp

                                                      Filesize

                                                      48KB

                                                      Download

                                                    • memory/2360-250-0x0000000000080000-0x000000000008B000-memory.dmp

                                                      Filesize

                                                      44KB

                                                      Download

                                                    • memory/2360-249-0x0000000000090000-0x0000000000097000-memory.dmp

                                                      Filesize

                                                      28KB

                                                      Download

                                                    • memory/2368-135-0x0000000000240000-0x0000000000250000-memory.dmp

                                                      Filesize

                                                      64KB

                                                      Download

                                                    • memory/2368-136-0x0000000000270000-0x0000000000282000-memory.dmp

                                                      Filesize

                                                      72KB

                                                      Download

                                                    • memory/2448-155-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

                                                      Filesize

                                                      8KB

                                                      Download

                                                    • memory/2576-273-0x0000000000060000-0x0000000000069000-memory.dmp

                                                      Filesize

                                                      36KB

                                                      Download

                                                    • memory/2576-272-0x0000000000070000-0x0000000000075000-memory.dmp

                                                      Filesize

                                                      20KB

                                                      Download

                                                    • memory/2596-162-0x0000000000400000-0x0000000000414000-memory.dmp

                                                      Filesize

                                                      80KB

                                                      Download

                                                    • memory/2704-184-0x0000000003930000-0x0000000003931000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2704-177-0x00000000001D0000-0x00000000001D1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2704-185-0x0000000003940000-0x0000000003941000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2704-183-0x0000000003810000-0x0000000003811000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2704-187-0x0000000003960000-0x00000000045AA000-memory.dmp

                                                      Filesize

                                                      12.3MB

                                                      Download

                                                    • memory/2704-181-0x0000000003710000-0x0000000003711000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2704-182-0x0000000003720000-0x0000000003721000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2704-196-0x0000000003960000-0x00000000045AA000-memory.dmp

                                                      Filesize

                                                      12.3MB

                                                      Download

                                                    • memory/2704-188-0x0000000003960000-0x00000000045AA000-memory.dmp

                                                      Filesize

                                                      12.3MB

                                                      Download

                                                    • memory/2704-179-0x0000000002070000-0x0000000002071000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2704-178-0x0000000000650000-0x0000000000651000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2704-180-0x0000000003700000-0x0000000003701000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2704-171-0x0000000001FF0000-0x000000000202C000-memory.dmp

                                                      Filesize

                                                      240KB

                                                      Download

                                                    • memory/2704-186-0x0000000003960000-0x00000000045AA000-memory.dmp

                                                      Filesize

                                                      12.3MB

                                                      Download

                                                    • memory/2764-253-0x0000000000060000-0x000000000006F000-memory.dmp

                                                      Filesize

                                                      60KB

                                                      Download

                                                    • memory/2764-252-0x0000000000070000-0x0000000000079000-memory.dmp

                                                      Filesize

                                                      36KB

                                                      Download

                                                    • memory/2796-221-0x0000000000560000-0x0000000000561000-memory.dmp

                                                      Filesize

                                                      4KB

                                                      Download

                                                    • memory/2856-260-0x0000000000080000-0x0000000000089000-memory.dmp

                                                      Filesize

                                                      36KB

                                                      Download

                                                    • memory/2856-259-0x0000000000090000-0x0000000000095000-memory.dmp

                                                      Filesize

                                                      20KB

                                                      Download

                                                    • memory/2980-152-0x0000000000370000-0x0000000000400000-memory.dmp

                                                      Filesize

                                                      576KB

                                                      Download

                                                    • memory/2992-234-0x0000000000220000-0x000000000022C000-memory.dmp

                                                      Filesize

                                                      48KB

                                                      Download

                                                    • memory/5840-302-0x0000000002080000-0x0000000002082000-memory.dmp

                                                      Filesize

                                                      8KB

                                                      Download

                                                    • memory/6156-304-0x0000000002310000-0x0000000002312000-memory.dmp

                                                      Filesize

                                                      8KB

                                                      Download