redline | 26483f30ef585dd1a6b988d2cbfb474adf6d45f91d6ed22dfd8474c1a374c1cc

Analysis

max time kernel
3s
max time network
196s
platform
windows7_x64
resource
win7v20210410
submitted
07-06-2021 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6C08704E0B03E372B125408347BE01AD.exe
Size

3.3MB
MD5

6c08704e0b03e372b125408347be01ad
SHA1

1cc2c9f676e111dc85c9b9a8daad2e9fed14bce3
SHA256

26483f30ef585dd1a6b988d2cbfb474adf6d45f91d6ed22dfd8474c1a374c1cc
SHA512

f9d302263c0a7cd5ba9f6359f571cf61e03b936535fb37fe4628cef967224b992232bed0ebcfd056f0d076941ac8ae40c72f254409cb73629645afbe6046d46f

Score

10^/10

redline aspackv2 infostealer

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

resource	yara_rule
behavioral1/memory/3040-254-0x0000000000417D9A-mapping.dmp	family_redline
behavioral1/memory/1988-255-0x0000000000417D76-mapping.dmp	family_redline

ASPack v2.12-2.42 14 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0003000000013162-60.dat	aspack_v212_v242
behavioral1/files/0x0003000000013162-61.dat	aspack_v212_v242
behavioral1/files/0x0003000000013162-62.dat	aspack_v212_v242
behavioral1/files/0x0003000000013162-64.dat	aspack_v212_v242
behavioral1/files/0x0005000000013154-67.dat	aspack_v212_v242
behavioral1/files/0x0005000000013154-68.dat	aspack_v212_v242
behavioral1/files/0x0004000000013145-69.dat	aspack_v212_v242
behavioral1/files/0x0003000000013156-73.dat	aspack_v212_v242
behavioral1/files/0x0004000000013145-70.dat	aspack_v212_v242
behavioral1/files/0x0003000000013156-74.dat	aspack_v212_v242
behavioral1/files/0x0003000000013162-77.dat	aspack_v212_v242
behavioral1/files/0x0003000000013162-79.dat	aspack_v212_v242
behavioral1/files/0x0003000000013162-78.dat	aspack_v212_v242
behavioral1/files/0x0003000000013162-76.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1740	setup_install.exe
1796	metina_2.exe
1168	metina_1.exe
968	svchost.exe

Loads dropped DLL 24 IoCs

pid	Process
1664	6C08704E0B03E372B125408347BE01AD.exe
1664	6C08704E0B03E372B125408347BE01AD.exe
1664	6C08704E0B03E372B125408347BE01AD.exe
1740	setup_install.exe
1740	setup_install.exe
1740	setup_install.exe
1740	setup_install.exe
1740	setup_install.exe
1740	setup_install.exe
1740	setup_install.exe
1740	setup_install.exe
568	cmd.exe
568	cmd.exe
856	jfiag3g_gg.exe
856	jfiag3g_gg.exe
1116	cmd.exe
1116	cmd.exe
1796	metina_2.exe
1796	metina_2.exe
1952	cmd.exe
1168	metina_1.exe
1168	metina_1.exe
968	svchost.exe
968	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2196	2020	WerFault.exe	71
2796	1168	WerFault.exe	53

Kills process with taskkill 2 IoCs

evasion

pid	Process
1300	taskkill.exe
2576	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 1740	1664	6C08704E0B03E372B125408347BE01AD.exe	26
PID 1664 wrote to memory of 1740	1664	6C08704E0B03E372B125408347BE01AD.exe	26
PID 1664 wrote to memory of 1740	1664	6C08704E0B03E372B125408347BE01AD.exe	26
PID 1664 wrote to memory of 1740	1664	6C08704E0B03E372B125408347BE01AD.exe	26
PID 1664 wrote to memory of 1740	1664	6C08704E0B03E372B125408347BE01AD.exe	26
PID 1664 wrote to memory of 1740	1664	6C08704E0B03E372B125408347BE01AD.exe	26
PID 1664 wrote to memory of 1740	1664	6C08704E0B03E372B125408347BE01AD.exe	26
PID 1740 wrote to memory of 1116	1740	setup_install.exe	30
PID 1740 wrote to memory of 1116	1740	setup_install.exe	30
PID 1740 wrote to memory of 1116	1740	setup_install.exe	30
PID 1740 wrote to memory of 1116	1740	setup_install.exe	30
PID 1740 wrote to memory of 1116	1740	setup_install.exe	30
PID 1740 wrote to memory of 1116	1740	setup_install.exe	30
PID 1740 wrote to memory of 1116	1740	setup_install.exe	30
PID 1740 wrote to memory of 568	1740	setup_install.exe	32
PID 1740 wrote to memory of 568	1740	setup_install.exe	32
PID 1740 wrote to memory of 568	1740	setup_install.exe	32
PID 1740 wrote to memory of 568	1740	setup_install.exe	32
PID 1740 wrote to memory of 568	1740	setup_install.exe	32
PID 1740 wrote to memory of 568	1740	setup_install.exe	32
PID 1740 wrote to memory of 568	1740	setup_install.exe	32
PID 1740 wrote to memory of 856	1740	setup_install.exe	52
PID 1740 wrote to memory of 856	1740	setup_install.exe	52
PID 1740 wrote to memory of 856	1740	setup_install.exe	52
PID 1740 wrote to memory of 856	1740	setup_install.exe	52
PID 1740 wrote to memory of 856	1740	setup_install.exe	52
PID 1740 wrote to memory of 856	1740	setup_install.exe	52
PID 1740 wrote to memory of 856	1740	setup_install.exe	52
PID 1740 wrote to memory of 1952	1740	setup_install.exe	34
PID 1740 wrote to memory of 1952	1740	setup_install.exe	34
PID 1740 wrote to memory of 1952	1740	setup_install.exe	34
PID 1740 wrote to memory of 1952	1740	setup_install.exe	34
PID 1740 wrote to memory of 1952	1740	setup_install.exe	34
PID 1740 wrote to memory of 1952	1740	setup_install.exe	34
PID 1740 wrote to memory of 1952	1740	setup_install.exe	34
PID 568 wrote to memory of 1796	568	cmd.exe	35
PID 568 wrote to memory of 1796	568	cmd.exe	35
PID 568 wrote to memory of 1796	568	cmd.exe	35
PID 568 wrote to memory of 1796	568	cmd.exe	35
PID 568 wrote to memory of 1796	568	cmd.exe	35
PID 568 wrote to memory of 1796	568	cmd.exe	35
PID 568 wrote to memory of 1796	568	cmd.exe	35
PID 856 wrote to memory of 968	856	jfiag3g_gg.exe	47
PID 856 wrote to memory of 968	856	jfiag3g_gg.exe	47
PID 856 wrote to memory of 968	856	jfiag3g_gg.exe	47
PID 856 wrote to memory of 968	856	jfiag3g_gg.exe	47
PID 856 wrote to memory of 968	856	jfiag3g_gg.exe	47
PID 856 wrote to memory of 968	856	jfiag3g_gg.exe	47
PID 856 wrote to memory of 968	856	jfiag3g_gg.exe	47
PID 1116 wrote to memory of 1168	1116	cmd.exe	53
PID 1116 wrote to memory of 1168	1116	cmd.exe	53
PID 1116 wrote to memory of 1168	1116	cmd.exe	53
PID 1116 wrote to memory of 1168	1116	cmd.exe	53
PID 1116 wrote to memory of 1168	1116	cmd.exe	53
PID 1116 wrote to memory of 1168	1116	cmd.exe	53
PID 1116 wrote to memory of 1168	1116	cmd.exe	53
PID 1740 wrote to memory of 1732	1740	setup_install.exe	37
PID 1740 wrote to memory of 1732	1740	setup_install.exe	37
PID 1740 wrote to memory of 1732	1740	setup_install.exe	37
PID 1740 wrote to memory of 1732	1740	setup_install.exe	37
PID 1740 wrote to memory of 1732	1740	setup_install.exe	37
PID 1740 wrote to memory of 1732	1740	setup_install.exe	37
PID 1740 wrote to memory of 1732	1740	setup_install.exe	37
PID 1740 wrote to memory of 1488	1740	setup_install.exe	38

C:\Users\Admin\AppData\Local\Temp\6C08704E0B03E372B125408347BE01AD.exe
"C:\Users\Admin\AppData\Local\Temp\6C08704E0B03E372B125408347BE01AD.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Users\Admin\AppData\Local\Temp\7zS086DCAF4\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS086DCAF4\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c metina_1.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Users\Admin\AppData\Local\Temp\7zS086DCAF4\metina_1.exe
      metina_1.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1168
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 1428
        5⤵
        Program crash
        
        PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c metina_2.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Users\Admin\AppData\Local\Temp\7zS086DCAF4\metina_2.exe
      metina_2.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c metina_3.exe
    3⤵
    PID:856
  - - C:\Users\Admin\AppData\Local\Temp\7zS086DCAF4\metina_3.exe
      metina_3.exe
      4⤵
      PID:968
    - - C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",shl
        5⤵
        
        PID:292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c metina_4.exe
    3⤵
    - Loads dropped DLL
    PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\7zS086DCAF4\metina_4.exe
      metina_4.exe
      4⤵
      PID:1396
    - - C:\Users\Admin\AppData\Local\Temp\is-00A7E.tmp\metina_4.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-00A7E.tmp\metina_4.tmp" /SL5="$60128,176358,92672,C:\Users\Admin\AppData\Local\Temp\7zS086DCAF4\metina_4.exe"
        5⤵
        
        PID:1408
      - C:\Users\Admin\AppData\Local\Temp\is-AJDAD.tmp\67________F.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-AJDAD.tmp\67________F.exe" /S /UID=burnerch1
        6⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\1f-84e05-8cf-efc98-2a8b0d8d84fdc\Walokabyva.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1f-84e05-8cf-efc98-2a8b0d8d84fdc\Walokabyva.exe"
        7⤵
        
        PID:1560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        8⤵
        
        PID:596
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:596 CREDAT:275457 /prefetch:2
        9⤵
        
        PID:712
        
        C:\Users\Admin\AppData\Local\Temp\b2-3f5cb-164-81fa7-05008437ef6a3\Rabelashuqa.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b2-3f5cb-164-81fa7-05008437ef6a3\Rabelashuqa.exe"
        7⤵
        
        PID:2000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c metina_5.exe
    3⤵
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\7zS086DCAF4\metina_5.exe
      metina_5.exe
      4⤵
      PID:1760
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:856
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c metina_6.exe
    3⤵
    PID:1488
  - - C:\Users\Admin\AppData\Local\Temp\7zS086DCAF4\metina_6.exe
      metina_6.exe
      4⤵
      PID:1300
    - - C:\Users\Admin\AppData\Roaming\6659413.exe
        
        "C:\Users\Admin\AppData\Roaming\6659413.exe"
        5⤵
        
        PID:2120
    - - C:\Users\Admin\AppData\Roaming\4154852.exe
        
        "C:\Users\Admin\AppData\Roaming\4154852.exe"
        5⤵
        
        PID:2200
      - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        6⤵
        
        PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c metina_9.exe
    3⤵
    PID:936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c metina_10.exe
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c metina_8.exe
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c metina_7.exe
    3⤵
    PID:1192

C:\Users\Admin\AppData\Local\Temp\7zS086DCAF4\metina_7.exe
metina_7.exe
1⤵
PID:1188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Roaming\L15DHTZW7PVOTVN542W41G0Q.exe"
  2⤵
  PID:2156
- - C:\Users\Admin\AppData\Roaming\L15DHTZW7PVOTVN542W41G0Q.exe
    "C:\Users\Admin\AppData\Roaming\L15DHTZW7PVOTVN542W41G0Q.exe"
    3⤵
    PID:2488
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Roaming\DNA06EOKGHH33D9S1UU3CMTM.exe"
  2⤵
  PID:2148
- - C:\Users\Admin\AppData\Roaming\DNA06EOKGHH33D9S1UU3CMTM.exe
    "C:\Users\Admin\AppData\Roaming\DNA06EOKGHH33D9S1UU3CMTM.exe"
    3⤵
    PID:2516
  - - C:\Users\Admin\AppData\Roaming\DNA06EOKGHH33D9S1UU3CMTM.exe
      C:\Users\Admin\AppData\Roaming\DNA06EOKGHH33D9S1UU3CMTM.exe
      4⤵
      PID:3028
  - - C:\Users\Admin\AppData\Roaming\DNA06EOKGHH33D9S1UU3CMTM.exe
      C:\Users\Admin\AppData\Roaming\DNA06EOKGHH33D9S1UU3CMTM.exe
      4⤵
      PID:3036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Roaming\XAZTUZHGCRHRIX0C8C5XGM3S.exe"
  2⤵
  PID:2244
- - C:\Users\Admin\AppData\Roaming\XAZTUZHGCRHRIX0C8C5XGM3S.exe
    "C:\Users\Admin\AppData\Roaming\XAZTUZHGCRHRIX0C8C5XGM3S.exe"
    3⤵
    PID:2588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Roaming\VNFB6GW3193AK2S9QLUNTVLD.exe"
  2⤵
  PID:2296
- - C:\Users\Admin\AppData\Roaming\VNFB6GW3193AK2S9QLUNTVLD.exe
    "C:\Users\Admin\AppData\Roaming\VNFB6GW3193AK2S9QLUNTVLD.exe"
    3⤵
    PID:2596
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe
      4⤵
      PID:3040
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Roaming\YA2O090FAPA4T903AKIMOUB0.exe"
  2⤵
  PID:2400
- - C:\Users\Admin\AppData\Roaming\YA2O090FAPA4T903AKIMOUB0.exe
    "C:\Users\Admin\AppData\Roaming\YA2O090FAPA4T903AKIMOUB0.exe"
    3⤵
    PID:2684
  - - C:\Users\Admin\AppData\Roaming\YA2O090FAPA4T903AKIMOUB0.exe
      C:\Users\Admin\AppData\Roaming\YA2O090FAPA4T903AKIMOUB0.exe
      4⤵
      PID:2616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Roaming\S0N4FE3AK1CCKVNLO8TXHY7P.exe"
  2⤵
  PID:2760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Roaming\3FC2FXB0TSZWKWZB0MYAIXZQ.exe"
  2⤵
  PID:2660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "metina_7.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS086DCAF4\metina_7.exe" & exit
  2⤵
  PID:1460
- - C:\Windows\system32\taskkill.exe
    taskkill /im "metina_7.exe" /f
    3⤵
    - Kills process with taskkill
    PID:1300
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Roaming\0B5M1XXXDKM5FVXWZ67KO6J6.exe"
  2⤵
  PID:2388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Roaming\4122DG8E8BVX7TTCBJA584QA.exe"
  2⤵
  PID:2324
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Roaming\3UBWHJ6FLCBQYFBFR9097XST.exe"
  2⤵
  PID:2236
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Roaming\TW5PNWZ437I182EEEJKL2NBV.exe"
  2⤵
  PID:2220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Roaming\00058NW5IAA1B4IQ1ZFGSKZE.exe"
  2⤵
  PID:2188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:968

C:\Users\Admin\AppData\Roaming\3UBWHJ6FLCBQYFBFR9097XST.exe
"C:\Users\Admin\AppData\Roaming\3UBWHJ6FLCBQYFBFR9097XST.exe"
1⤵
PID:2536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe
  2⤵
  PID:1988

C:\Users\Admin\AppData\Roaming\3FC2FXB0TSZWKWZB0MYAIXZQ.exe
"C:\Users\Admin\AppData\Roaming\3FC2FXB0TSZWKWZB0MYAIXZQ.exe"
1⤵
PID:2776
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Roaming\3FC2FX~1.DLL,Z C:\Users\Admin\AppData\Roaming\3FC2FX~1.EXE
  2⤵
  PID:1648
- - C:\Windows\SysWOW64\RUNDLL32.EXE
    C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Roaming\3FC2FX~1.DLL,XBNJ
    3⤵
    PID:1688
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp5486.tmp.ps1"
      4⤵
      PID:844

C:\Program Files (x86)\Company\NewProduct\file4.exe
"C:\Program Files (x86)\Company\NewProduct\file4.exe"
1⤵
PID:2880

C:\Program Files (x86)\Company\NewProduct\jooyu.exe
"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
1⤵
PID:2936
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  PID:2260
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  PID:1720

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
1⤵
PID:2020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 292
  2⤵
  - Program crash
  PID:2196

C:\Users\Admin\AppData\Roaming\L15DHTZW7PVOTVN542W41G0Q.exe
"C:\Users\Admin\AppData\Roaming\L15DHTZW7PVOTVN542W41G0Q.exe"
1⤵
PID:2392

C:\Program Files (x86)\Company\NewProduct\jingzhang.exe
"C:\Program Files (x86)\Company\NewProduct\jingzhang.exe"
1⤵
PID:3020

C:\Program Files (x86)\Browzar\Browzar.exe
"C:\Program Files (x86)\Browzar\Browzar.exe"
1⤵
PID:2956

C:\Program Files (x86)\Browzar\DDqjn8gbt7vt.exe
"C:\Program Files (x86)\Browzar\DDqjn8gbt7vt.exe"
1⤵
PID:2904
- C:\Program Files (x86)\Browzar\DDqjn8gbt7vt.exe
  "C:\Program Files (x86)\Browzar\DDqjn8gbt7vt.exe"
  2⤵
  PID:2340
- C:\Program Files (x86)\Browzar\DDqjn8gbt7vt.exe
  "C:\Program Files (x86)\Browzar\DDqjn8gbt7vt.exe"
  2⤵
  PID:2872

C:\Users\Admin\AppData\Roaming\S0N4FE3AK1CCKVNLO8TXHY7P.exe
"C:\Users\Admin\AppData\Roaming\S0N4FE3AK1CCKVNLO8TXHY7P.exe"
1⤵
PID:2892

C:\Users\Admin\AppData\Roaming\0B5M1XXXDKM5FVXWZ67KO6J6.exe
"C:\Users\Admin\AppData\Roaming\0B5M1XXXDKM5FVXWZ67KO6J6.exe"
1⤵
PID:2648

C:\Users\Admin\AppData\Roaming\4122DG8E8BVX7TTCBJA584QA.exe
"C:\Users\Admin\AppData\Roaming\4122DG8E8BVX7TTCBJA584QA.exe"
1⤵
PID:2636

C:\Users\Admin\AppData\Roaming\TW5PNWZ437I182EEEJKL2NBV.exe
"C:\Users\Admin\AppData\Roaming\TW5PNWZ437I182EEEJKL2NBV.exe"
1⤵
PID:2528

C:\Users\Admin\AppData\Roaming\00058NW5IAA1B4IQ1ZFGSKZE.exe
"C:\Users\Admin\AppData\Roaming\00058NW5IAA1B4IQ1ZFGSKZE.exe"
1⤵
PID:2500
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "00058NW5IAA1B4IQ1ZFGSKZE.exe" /f & erase "C:\Users\Admin\AppData\Roaming\00058NW5IAA1B4IQ1ZFGSKZE.exe" & exit
  2⤵
  PID:2452
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "00058NW5IAA1B4IQ1ZFGSKZE.exe" /f
    3⤵
    - Kills process with taskkill
    PID:2576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1188-161-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/1300-168-0x0000000000620000-0x000000000063B000-memory.dmp

Filesize
108KB

Download
memory/1300-163-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1396-141-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1664-59-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/1740-138-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1740-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1740-125-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1740-80-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1740-130-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1740-137-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1740-121-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1740-115-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1740-109-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1740-82-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1740-83-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2120-249-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2120-228-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2200-227-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/2516-229-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2536-231-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/2596-232-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/2684-230-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/2904-235-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download