Overview

overview

10

Static

static

223749395F...2A.exe

windows7_x64

10

223749395F...2A.exe

windows10_x64

Analysis

  • max time kernel
    11s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    24-06-2021 23:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    223749395F8AC6A93A6C0E6CCE8A912A.exe

  • Size

    3.1MB

  • MD5

    223749395f8ac6a93a6c0e6cce8a912a

  • SHA1

    9b4cbf4d5e285929b4dfab43e488f4538ab3b1bd

  • SHA256

    277fd76ff56a3a06584c0cc7f2fea9f6c1e6287cc3228cf427a0eb1a10f595ec

  • SHA512

    65144c69f7e1c61a1cea573d5cffaa5cef281aed0838cb5fdd8e10fe5497547ae7befb2120466987d8ff66c06a934f0cf0f3602dc5aacfec5648c42b69484af0

Score
10/10
fickerstealerredlinevidar24_6_r706newaniaspackv2evasioninfostealerstealerthemidatrojanupx

Malware Config

Extracted

Family

vidar

Version

39.4

Botnet

706

C2

https://sergeevih43.tumblr.com

Attributes
  • profile_id

    706

Extracted

Family

redline

Botnet

NewAni

C2

changidwia.xyz:80

Extracted

Family

redline

Botnet

24_6_r

C2

rdanoriran.xyz:80

Extracted

Family

fickerstealer

C2

bukkva.club:80

Signatures

  • Fickerstealer

    Ficker is an infostealer written in Rust and ASM.

    infostealerfickerstealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 5 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar Stealer 2 IoCs
    stealer
  • ASPack v2.12-2.42 14 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Downloads MZ/PE file
  • Executes dropped EXE 9 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 43 IoCs
  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Kills process with taskkill 5 IoCs
    evasion
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    1⤵
      PID:884
    • C:\Users\Admin\AppData\Local\Temp\223749395F8AC6A93A6C0E6CCE8A912A.exe
      "C:\Users\Admin\AppData\Local\Temp\223749395F8AC6A93A6C0E6CCE8A912A.exe"
      1⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1864
      • C:\Users\Admin\AppData\Local\Temp\7zS847C1804\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS847C1804\setup_install.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1544
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c arnatic_1.exe
          3⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1652
          • C:\Users\Admin\AppData\Local\Temp\7zS847C1804\arnatic_1.exe
            arnatic_1.exe
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1684
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 988
              5⤵
              • Program crash
              PID:2200
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c arnatic_2.exe
          3⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1696
          • C:\Users\Admin\AppData\Local\Temp\7zS847C1804\arnatic_2.exe
            arnatic_2.exe
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            PID:1732
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c arnatic_3.exe
          3⤵
          • Loads dropped DLL
          PID:316
          • C:\Users\Admin\AppData\Local\Temp\7zS847C1804\arnatic_3.exe
            arnatic_3.exe
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:556
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c arnatic_4.exe
          3⤵
          • Loads dropped DLL
          PID:912
          • C:\Users\Admin\AppData\Local\Temp\7zS847C1804\arnatic_4.exe
            arnatic_4.exe
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1104
            • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
              C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:1712
            • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
              C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              5⤵
                PID:2144
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c arnatic_5.exe
            3⤵
            • Loads dropped DLL
            PID:544
            • C:\Users\Admin\AppData\Local\Temp\7zS847C1804\arnatic_5.exe
              arnatic_5.exe
              4⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1484
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c arnatic_6.exe
            3⤵
            • Loads dropped DLL
            PID:1060
            • C:\Users\Admin\AppData\Local\Temp\7zS847C1804\arnatic_6.exe
              arnatic_6.exe
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:324
              • C:\Users\Admin\Documents\NfrXOi4Yir4_i8_rxwhdggtO.exe
                "C:\Users\Admin\Documents\NfrXOi4Yir4_i8_rxwhdggtO.exe"
                5⤵
                  PID:664
                  • C:\Users\Admin\Documents\NfrXOi4Yir4_i8_rxwhdggtO.exe
                    "C:\Users\Admin\Documents\NfrXOi4Yir4_i8_rxwhdggtO.exe"
                    6⤵
                      PID:2372
                  • C:\Users\Admin\Documents\1U2EhU5JY2n5cl2oAJjjufxE.exe
                    "C:\Users\Admin\Documents\1U2EhU5JY2n5cl2oAJjjufxE.exe"
                    5⤵
                      PID:696
                      • C:\Users\Admin\Documents\1U2EhU5JY2n5cl2oAJjjufxE.exe
                        C:\Users\Admin\Documents\1U2EhU5JY2n5cl2oAJjjufxE.exe
                        6⤵
                          PID:2332
                      • C:\Users\Admin\Documents\IG8qF7MWUhiEeoJeI8Fn7Twh.exe
                        "C:\Users\Admin\Documents\IG8qF7MWUhiEeoJeI8Fn7Twh.exe"
                        5⤵
                          PID:2092
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe" /c taskkill /im IG8qF7MWUhiEeoJeI8Fn7Twh.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\IG8qF7MWUhiEeoJeI8Fn7Twh.exe" & del C:\ProgramData\*.dll & exit
                            6⤵
                              PID:3024
                              • C:\Windows\SysWOW64\taskkill.exe
                                taskkill /im IG8qF7MWUhiEeoJeI8Fn7Twh.exe /f
                                7⤵
                                • Kills process with taskkill
                                PID:2672
                              • C:\Windows\SysWOW64\timeout.exe
                                timeout /t 6
                                7⤵
                                • Delays execution with timeout.exe
                                PID:2548
                          • C:\Users\Admin\Documents\yadXQqwscAjIkZq8ys0Qs2X9.exe
                            "C:\Users\Admin\Documents\yadXQqwscAjIkZq8ys0Qs2X9.exe"
                            5⤵
                              PID:2124
                            • C:\Users\Admin\Documents\coqaN4XGK5nki7mGz0GWyOQ9.exe
                              "C:\Users\Admin\Documents\coqaN4XGK5nki7mGz0GWyOQ9.exe"
                              5⤵
                                PID:2072
                                • C:\Windows\SysWOW64\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /c taskkill /im coqaN4XGK5nki7mGz0GWyOQ9.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\coqaN4XGK5nki7mGz0GWyOQ9.exe" & del C:\ProgramData\*.dll & exit
                                  6⤵
                                    PID:2544
                                    • C:\Windows\SysWOW64\taskkill.exe
                                      taskkill /im coqaN4XGK5nki7mGz0GWyOQ9.exe /f
                                      7⤵
                                      • Kills process with taskkill
                                      PID:2772
                                    • C:\Windows\SysWOW64\timeout.exe
                                      timeout /t 6
                                      7⤵
                                      • Delays execution with timeout.exe
                                      PID:664
                                • C:\Users\Admin\Documents\bO6rb0ET73ws3iEnIyYfEFpF.exe
                                  "C:\Users\Admin\Documents\bO6rb0ET73ws3iEnIyYfEFpF.exe"
                                  5⤵
                                    PID:2064
                                  • C:\Users\Admin\Documents\bwgPb2ohS7cDjPAjjvQc4VeG.exe
                                    "C:\Users\Admin\Documents\bwgPb2ohS7cDjPAjjvQc4VeG.exe"
                                    5⤵
                                      PID:1568
                                    • C:\Users\Admin\Documents\MBB7foLQrv5Jco84B2lgYX8h.exe
                                      "C:\Users\Admin\Documents\MBB7foLQrv5Jco84B2lgYX8h.exe"
                                      5⤵
                                        PID:2548
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{kKG4-d9W4n-3a4B-9qihP}\50510818542.exe"
                                          6⤵
                                            PID:892
                                            • C:\Users\Admin\AppData\Local\Temp\{kKG4-d9W4n-3a4B-9qihP}\50510818542.exe
                                              "C:\Users\Admin\AppData\Local\Temp\{kKG4-d9W4n-3a4B-9qihP}\50510818542.exe"
                                              7⤵
                                                PID:2364
                                                • C:\Users\Admin\AppData\Local\Temp\{kKG4-d9W4n-3a4B-9qihP}\50510818542.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\{kKG4-d9W4n-3a4B-9qihP}\50510818542.exe"
                                                  8⤵
                                                    PID:832
                                                    • C:\Users\Admin\AppData\Local\Temp\1624576083736.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\1624576083736.exe"
                                                      9⤵
                                                        PID:1036
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{kKG4-d9W4n-3a4B-9qihP}\51869204725.exe" /mix
                                                  6⤵
                                                    PID:1540
                                                    • C:\Users\Admin\AppData\Local\Temp\{kKG4-d9W4n-3a4B-9qihP}\51869204725.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\{kKG4-d9W4n-3a4B-9qihP}\51869204725.exe" /mix
                                                      7⤵
                                                        PID:2276
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{kKG4-d9W4n-3a4B-9qihP}\73401930451.exe" /mix
                                                      6⤵
                                                        PID:3064
                                                        • C:\Users\Admin\AppData\Local\Temp\{kKG4-d9W4n-3a4B-9qihP}\73401930451.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\{kKG4-d9W4n-3a4B-9qihP}\73401930451.exe" /mix
                                                          7⤵
                                                            PID:2284
                                                            • C:\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe
                                                              edspolishpp.exe
                                                              8⤵
                                                                PID:2288
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /c taskkill /im "MBB7foLQrv5Jco84B2lgYX8h.exe" /f & erase "C:\Users\Admin\Documents\MBB7foLQrv5Jco84B2lgYX8h.exe" & exit
                                                            6⤵
                                                              PID:2176
                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                taskkill /im "MBB7foLQrv5Jco84B2lgYX8h.exe" /f
                                                                7⤵
                                                                • Kills process with taskkill
                                                                PID:2692
                                                          • C:\Users\Admin\Documents\qgZQsGDFN_2RYKClLndk3F5a.exe
                                                            "C:\Users\Admin\Documents\qgZQsGDFN_2RYKClLndk3F5a.exe"
                                                            5⤵
                                                              PID:2536
                                                            • C:\Users\Admin\Documents\lrWCUAIb9QEl_L2DVu9_lDuN.exe
                                                              "C:\Users\Admin\Documents\lrWCUAIb9QEl_L2DVu9_lDuN.exe"
                                                              5⤵
                                                                PID:2588
                                                                • C:\Program Files (x86)\Company\NewProduct\jooyu.exe
                                                                  "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
                                                                  6⤵
                                                                    PID:2776
                                                                    • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                      7⤵
                                                                        PID:2412
                                                                    • C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
                                                                      "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
                                                                      6⤵
                                                                        PID:2884
                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2884 -s 292
                                                                          7⤵
                                                                          • Program crash
                                                                          PID:2188
                                                                      • C:\Program Files (x86)\Company\NewProduct\jingzhang.exe
                                                                        "C:\Program Files (x86)\Company\NewProduct\jingzhang.exe"
                                                                        6⤵
                                                                          PID:2828
                                                                          • C:\Windows\SysWOW64\rUNdlL32.eXe
                                                                            "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",shl
                                                                            7⤵
                                                                              PID:1752
                                                                          • C:\Program Files (x86)\Company\NewProduct\file4.exe
                                                                            "C:\Program Files (x86)\Company\NewProduct\file4.exe"
                                                                            6⤵
                                                                              PID:2720
                                                                          • C:\Users\Admin\Documents\nzNzfIsoQwv0ctivpOZbPRJH.exe
                                                                            "C:\Users\Admin\Documents\nzNzfIsoQwv0ctivpOZbPRJH.exe"
                                                                            5⤵
                                                                              PID:2560
                                                                            • C:\Users\Admin\Documents\rY4t4IpTi5Tcn2xjP9hAv2qS.exe
                                                                              "C:\Users\Admin\Documents\rY4t4IpTi5Tcn2xjP9hAv2qS.exe"
                                                                              5⤵
                                                                                PID:2680
                                                                                • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                  "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                                  6⤵
                                                                                    PID:2544
                                                                                    • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                      "C:\Program Files\Mozilla Firefox\firefox.exe"
                                                                                      7⤵
                                                                                        PID:2656
                                                                                        • C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2656.0.517862686\775162175" -parentBuildID 20200403170909 -prefsHandle 1072 -prefMapHandle 1064 -prefsLen 1 -prefMapSize 219622 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2656 "\\.\pipe\gecko-crash-server-pipe.2656" 1136 gpu
                                                                                          8⤵
                                                                                            PID:1048
                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe"
                                                                                        6⤵
                                                                                          PID:436
                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef6ea4f50,0x7fef6ea4f60,0x7fef6ea4f70
                                                                                            7⤵
                                                                                              PID:380
                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1384,9470028173058186145,9061244046831360435,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1448 /prefetch:8
                                                                                              7⤵
                                                                                                PID:2772
                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1384,9470028173058186145,9061244046831360435,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1436 /prefetch:8
                                                                                                7⤵
                                                                                                  PID:1344
                                                                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1384,9470028173058186145,9061244046831360435,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1392 /prefetch:2
                                                                                                  7⤵
                                                                                                    PID:892
                                                                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1384,9470028173058186145,9061244046831360435,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1900 /prefetch:1
                                                                                                    7⤵
                                                                                                      PID:2672
                                                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1384,9470028173058186145,9061244046831360435,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1908 /prefetch:1
                                                                                                      7⤵
                                                                                                        PID:2408
                                                                                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1384,9470028173058186145,9061244046831360435,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=2 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2016 /prefetch:1
                                                                                                        7⤵
                                                                                                          PID:2272
                                                                                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1384,9470028173058186145,9061244046831360435,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2040 /prefetch:1
                                                                                                          7⤵
                                                                                                            PID:2512
                                                                                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1384,9470028173058186145,9061244046831360435,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2056 /prefetch:1
                                                                                                            7⤵
                                                                                                              PID:2032
                                                                                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1384,9470028173058186145,9061244046831360435,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2148 /prefetch:1
                                                                                                              7⤵
                                                                                                                PID:412
                                                                                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1384,9470028173058186145,9061244046831360435,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3660 /prefetch:2
                                                                                                                7⤵
                                                                                                                  PID:3320
                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                "cmd.exe" /C taskkill /F /PID 2680 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\rY4t4IpTi5Tcn2xjP9hAv2qS.exe"
                                                                                                                6⤵
                                                                                                                  PID:2980
                                                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                    taskkill /F /PID 2680
                                                                                                                    7⤵
                                                                                                                    • Kills process with taskkill
                                                                                                                    PID:2084
                                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                                  "cmd.exe" /C taskkill /F /PID 2680 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\rY4t4IpTi5Tcn2xjP9hAv2qS.exe"
                                                                                                                  6⤵
                                                                                                                    PID:3024
                                                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                      taskkill /F /PID 2680
                                                                                                                      7⤵
                                                                                                                      • Kills process with taskkill
                                                                                                                      PID:2116
                                                                                                                • C:\Users\Admin\Documents\pXdutbz8yl6HrToLtA1PhydM.exe
                                                                                                                  "C:\Users\Admin\Documents\pXdutbz8yl6HrToLtA1PhydM.exe"
                                                                                                                  5⤵
                                                                                                                    PID:2672
                                                                                                                    • C:\Windows\SysWOW64\rUNdlL32.eXe
                                                                                                                      "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
                                                                                                                      6⤵
                                                                                                                        PID:1540
                                                                                                                    • C:\Users\Admin\Documents\NeJJQY2ItN_w5x6lCRL6NgKa.exe
                                                                                                                      "C:\Users\Admin\Documents\NeJJQY2ItN_w5x6lCRL6NgKa.exe"
                                                                                                                      5⤵
                                                                                                                        PID:2624
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                                                          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                          6⤵
                                                                                                                            PID:3472
                                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                                      C:\Windows\system32\cmd.exe /c arnatic_7.exe
                                                                                                                      3⤵
                                                                                                                      • Loads dropped DLL
                                                                                                                      PID:1488
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7zS847C1804\arnatic_7.exe
                                                                                                                        arnatic_7.exe
                                                                                                                        4⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Loads dropped DLL
                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                        PID:972
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS847C1804\arnatic_7.exe
                                                                                                                          C:\Users\Admin\AppData\Local\Temp\7zS847C1804\arnatic_7.exe
                                                                                                                          5⤵
                                                                                                                            PID:996
                                                                                                                  • C:\Windows\SysWOW64\rUNdlL32.eXe
                                                                                                                    "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
                                                                                                                    1⤵
                                                                                                                    • Loads dropped DLL
                                                                                                                    • Modifies registry class
                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                    PID:1724
                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                    C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                                    1⤵
                                                                                                                      PID:1572

                                                                                                                    Network

                                                                                                                    MITRE ATT&CK Enterprise v6

                                                                                                                    Replay Monitor

                                                                                                                    Loading Replay Monitor...

                                                                                                                    Downloads

                                                                                                                    • memory/696-209-0x0000000001270000-0x0000000001271000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/884-188-0x0000000000BC0000-0x0000000000C0C000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      304KB

                                                                                                                      Download

                                                                                                                    • memory/972-160-0x0000000001310000-0x0000000001311000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/972-176-0x0000000000820000-0x0000000000821000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/996-199-0x0000000000400000-0x000000000041E000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      120KB

                                                                                                                      Download

                                                                                                                    • memory/996-189-0x0000000000400000-0x000000000041E000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      120KB

                                                                                                                      Download

                                                                                                                    • memory/1484-157-0x0000000000150000-0x0000000000151000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1484-158-0x00000000005E0000-0x00000000005FB000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      108KB

                                                                                                                      Download

                                                                                                                    • memory/1484-162-0x000000001ACA0000-0x000000001ACA2000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/1484-155-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1484-159-0x0000000000160000-0x0000000000161000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1544-125-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      100KB

                                                                                                                      Download

                                                                                                                    • memory/1544-121-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      100KB

                                                                                                                      Download

                                                                                                                    • memory/1544-149-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      152KB

                                                                                                                      Download

                                                                                                                    • memory/1544-152-0x0000000000400000-0x000000000051E000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      1.1MB

                                                                                                                      Download

                                                                                                                    • memory/1544-141-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      1.5MB

                                                                                                                      Download

                                                                                                                    • memory/1544-118-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      100KB

                                                                                                                      Download

                                                                                                                    • memory/1544-126-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      100KB

                                                                                                                      Download

                                                                                                                    • memory/1544-80-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      572KB

                                                                                                                      Download

                                                                                                                    • memory/1544-134-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      572KB

                                                                                                                      Download

                                                                                                                    • memory/1544-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      1.5MB

                                                                                                                      Download

                                                                                                                    • memory/1544-83-0x0000000000400000-0x000000000051E000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      1.1MB

                                                                                                                      Download

                                                                                                                    • memory/1544-82-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      152KB

                                                                                                                      Download

                                                                                                                    • memory/1568-213-0x0000000000140000-0x0000000000141000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1684-184-0x0000000000310000-0x00000000003AD000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      628KB

                                                                                                                      Download

                                                                                                                    • memory/1684-185-0x0000000000400000-0x000000000094B000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      5.3MB

                                                                                                                      Download

                                                                                                                    • memory/1724-172-0x0000000000260000-0x00000000002BD000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      372KB

                                                                                                                      Download

                                                                                                                    • memory/1724-171-0x00000000022C0000-0x00000000023C1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      1.0MB

                                                                                                                      Download

                                                                                                                    • memory/1732-182-0x0000000000240000-0x0000000000249000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      36KB

                                                                                                                      Download

                                                                                                                    • memory/1732-183-0x0000000000400000-0x00000000008F6000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      5.0MB

                                                                                                                      Download

                                                                                                                    • memory/1864-59-0x0000000076A81000-0x0000000076A83000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/2064-202-0x00000000008D0000-0x00000000008D1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/2124-208-0x0000000000E50000-0x0000000000E51000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/2332-218-0x0000000000400000-0x000000000041E000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      120KB

                                                                                                                      Download

                                                                                                                    • memory/2372-215-0x0000000000400000-0x000000000040C000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      48KB

                                                                                                                      Download