Overview

overview

10

Static

static

16446c6554...9e.exe

windows7_x64

10

16446c6554...9e.exe

windows10_x64

Analysis

  • max time kernel
    52s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    26-06-2021 14:02

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Remote task has failed: Machine shutdown
Report Analysis Logs

General

  • Target

    16446c65547cb9e2b549a64d524fb7eb04b4d79e.exe

  • Size

    3.3MB

  • MD5

    dc86e6b47b6cafd7e3fe119562ecc459

  • SHA1

    16446c65547cb9e2b549a64d524fb7eb04b4d79e

  • SHA256

    97684c32074833dcd6f52e6dcdda9287e62a9b0f240806db4a7cd4c503976f3f

  • SHA512

    741b150585f23aff59159182630f8a7ffb17b704b8d22dc8a0ffeec03abfedef31cfdc9d2f714c35319adc5383a0dbc7059bf1e3547adb2196a247f7397917bf

Score
10/10
fickerstealerplugxredlinesmokeloadervidarcanaaspackv2backdoordiscoveryevasioninfostealerstealertrojanupx

Malware Config

Extracted

Family

redline

Botnet

Cana

C2

176.111.174.254:56328

Extracted

Family

smokeloader

Version

2020

C2

http://ppcspb.com/upload/

http://mebbing.com/upload/

http://twcamel.com/upload/

http://howdycash.com/upload/

http://lahuertasonora.com/upload/

http://kpotiques.com/upload/
rc4.i32
rc4.i32

Extracted

Family

fickerstealer

C2

bukkva.space:80

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 9 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • fickerstealer

    Ficker is an infostealer written in Rust and ASM.

    infostealerfickerstealer
  • Vidar Stealer 5 IoCs
    stealer
  • ASPack v2.12-2.42 9 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Downloads MZ/PE file
  • Executes dropped EXE 22 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 10 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 3 IoCs
    evasion
  • Kills process with taskkill 4 IoCs
    evasion
  • Modifies data under HKEY_USERS 8 IoCs
  • Modifies registry class 16 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
    1⤵
      PID:996
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s Schedule
      1⤵
        PID:340
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
        1⤵
          PID:1084
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s UserManager
          1⤵
            PID:1340
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s Themes
            1⤵
              PID:1200
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s SENS
              1⤵
                PID:1372
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
                1⤵
                  PID:1908
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
                  1⤵
                    PID:2544
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s WpnService
                    1⤵
                      PID:2740
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
                      1⤵
                        PID:2724
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k netsvcs -s Browser
                        1⤵
                          PID:2604
                        • c:\windows\system32\svchost.exe
                          c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
                          1⤵
                            PID:2492
                          • C:\Users\Admin\AppData\Local\Temp\16446c65547cb9e2b549a64d524fb7eb04b4d79e.exe
                            "C:\Users\Admin\AppData\Local\Temp\16446c65547cb9e2b549a64d524fb7eb04b4d79e.exe"
                            1⤵
                            • Suspicious use of WriteProcessMemory
                            PID:3484
                            • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                              "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                              2⤵
                              • Executes dropped EXE
                              • Suspicious use of WriteProcessMemory
                              PID:1556
                              • C:\Users\Admin\AppData\Local\Temp\7zS41678934\setup_install.exe
                                "C:\Users\Admin\AppData\Local\Temp\7zS41678934\setup_install.exe"
                                3⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Suspicious use of WriteProcessMemory
                                PID:2676
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c sotema_1.exe
                                  4⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:4072
                                  • C:\Users\Admin\AppData\Local\Temp\7zS41678934\sotema_1.exe
                                    sotema_1.exe
                                    5⤵
                                    • Executes dropped EXE
                                    • Checks computer location settings
                                    • Modifies registry class
                                    • Suspicious use of WriteProcessMemory
                                    PID:2424
                                    • C:\Windows\SysWOW64\rUNdlL32.eXe
                                      "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
                                      6⤵
                                      • Loads dropped DLL
                                      • Modifies registry class
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of WriteProcessMemory
                                      PID:1216
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c sotema_2.exe
                                  4⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:2764
                                  • C:\Users\Admin\AppData\Local\Temp\7zS41678934\sotema_2.exe
                                    sotema_2.exe
                                    5⤵
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • Checks SCSI registry key(s)
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious behavior: MapViewOfSection
                                    PID:1120
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c sotema_5.exe
                                  4⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:3732
                                  • C:\Users\Admin\AppData\Local\Temp\7zS41678934\sotema_5.exe
                                    sotema_5.exe
                                    5⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3212
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c sotema_7.exe
                                  4⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:3652
                                  • C:\Users\Admin\AppData\Local\Temp\7zS41678934\sotema_7.exe
                                    sotema_7.exe
                                    5⤵
                                    • Executes dropped EXE
                                    PID:2244
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c sotema_8.exe
                                  4⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:2088
                                  • C:\Users\Admin\AppData\Local\Temp\7zS41678934\sotema_8.exe
                                    sotema_8.exe
                                    5⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1832
                                    • C:\Users\Admin\AppData\Local\Temp\7zS41678934\sotema_8.exe
                                      C:\Users\Admin\AppData\Local\Temp\7zS41678934\sotema_8.exe
                                      6⤵
                                        PID:3744
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c sotema_6.exe
                                    4⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:4008
                                    • C:\Users\Admin\AppData\Local\Temp\7zS41678934\sotema_6.exe
                                      sotema_6.exe
                                      5⤵
                                      • Executes dropped EXE
                                      PID:3444
                                      • C:\Users\Admin\Documents\uG4woEFsoNxElTk7GohHkf6s.exe
                                        "C:\Users\Admin\Documents\uG4woEFsoNxElTk7GohHkf6s.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        PID:4628
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /c taskkill /im uG4woEFsoNxElTk7GohHkf6s.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\uG4woEFsoNxElTk7GohHkf6s.exe" & del C:\ProgramData\*.dll & exit
                                          7⤵
                                            PID:4288
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /im uG4woEFsoNxElTk7GohHkf6s.exe /f
                                              8⤵
                                              • Kills process with taskkill
                                              PID:4408
                                            • C:\Windows\SysWOW64\timeout.exe
                                              timeout /t 6
                                              8⤵
                                              • Delays execution with timeout.exe
                                              PID:5016
                                        • C:\Users\Admin\Documents\J5Wc1BHyczEy215IMflnsj7r.exe
                                          "C:\Users\Admin\Documents\J5Wc1BHyczEy215IMflnsj7r.exe"
                                          6⤵
                                          • Executes dropped EXE
                                          PID:4612
                                          • C:\Users\Admin\Documents\J5Wc1BHyczEy215IMflnsj7r.exe
                                            "C:\Users\Admin\Documents\J5Wc1BHyczEy215IMflnsj7r.exe"
                                            7⤵
                                              PID:4552
                                          • C:\Users\Admin\Documents\1P6DXHMJP17y5Wk6JefpFC9c.exe
                                            "C:\Users\Admin\Documents\1P6DXHMJP17y5Wk6JefpFC9c.exe"
                                            6⤵
                                            • Executes dropped EXE
                                            • Drops file in Program Files directory
                                            PID:4600
                                            • C:\Program Files (x86)\Company\NewProduct\file4.exe
                                              "C:\Program Files (x86)\Company\NewProduct\file4.exe"
                                              7⤵
                                                PID:4284
                                              • C:\Program Files (x86)\Company\NewProduct\jooyu.exe
                                                "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
                                                7⤵
                                                  PID:4308
                                                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                    8⤵
                                                      PID:5084
                                                    • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                      8⤵
                                                        PID:4460
                                                    • C:\Program Files (x86)\Company\NewProduct\jingzhang.exe
                                                      "C:\Program Files (x86)\Company\NewProduct\jingzhang.exe"
                                                      7⤵
                                                        PID:4396
                                                        • C:\Windows\SysWOW64\rUNdlL32.eXe
                                                          "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",shl
                                                          8⤵
                                                            PID:4792
                                                        • C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
                                                          "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
                                                          7⤵
                                                            PID:4324
                                                        • C:\Users\Admin\Documents\wnJmqh4AV1EbArh2OZnMEsYR.exe
                                                          "C:\Users\Admin\Documents\wnJmqh4AV1EbArh2OZnMEsYR.exe"
                                                          6⤵
                                                          • Executes dropped EXE
                                                          PID:4588
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{U7Ar-M1RWa-1G9s-8TItk}\84230688998.exe"
                                                            7⤵
                                                              PID:2344
                                                              • C:\Users\Admin\AppData\Local\Temp\{U7Ar-M1RWa-1G9s-8TItk}\84230688998.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\{U7Ar-M1RWa-1G9s-8TItk}\84230688998.exe"
                                                                8⤵
                                                                  PID:4892
                                                                  • C:\Users\Admin\AppData\Local\Temp\{U7Ar-M1RWa-1G9s-8TItk}\84230688998.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\{U7Ar-M1RWa-1G9s-8TItk}\84230688998.exe"
                                                                    9⤵
                                                                      PID:3404
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{U7Ar-M1RWa-1G9s-8TItk}\67555743859.exe" /mix
                                                                  7⤵
                                                                    PID:4604
                                                                    • C:\Users\Admin\AppData\Local\Temp\{U7Ar-M1RWa-1G9s-8TItk}\67555743859.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\{U7Ar-M1RWa-1G9s-8TItk}\67555743859.exe" /mix
                                                                      8⤵
                                                                        PID:4260
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{U7Ar-M1RWa-1G9s-8TItk}\91907482812.exe" /mix
                                                                      7⤵
                                                                        PID:1284
                                                                        • C:\Users\Admin\AppData\Local\Temp\{U7Ar-M1RWa-1G9s-8TItk}\91907482812.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\{U7Ar-M1RWa-1G9s-8TItk}\91907482812.exe" /mix
                                                                          8⤵
                                                                            PID:2332
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /c taskkill /im "wnJmqh4AV1EbArh2OZnMEsYR.exe" /f & erase "C:\Users\Admin\Documents\wnJmqh4AV1EbArh2OZnMEsYR.exe" & exit
                                                                          7⤵
                                                                            PID:2268
                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                              taskkill /im "wnJmqh4AV1EbArh2OZnMEsYR.exe" /f
                                                                              8⤵
                                                                              • Kills process with taskkill
                                                                              PID:3460
                                                                        • C:\Users\Admin\Documents\Dgzia_UdtydeFU1m3kPaH4M_.exe
                                                                          "C:\Users\Admin\Documents\Dgzia_UdtydeFU1m3kPaH4M_.exe"
                                                                          6⤵
                                                                          • Executes dropped EXE
                                                                          PID:4576
                                                                          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                            7⤵
                                                                              PID:2156
                                                                            • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                              C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                              7⤵
                                                                                PID:3360
                                                                            • C:\Users\Admin\Documents\nqHRmhXVcWYsPhrcKrcR3zPc.exe
                                                                              "C:\Users\Admin\Documents\nqHRmhXVcWYsPhrcKrcR3zPc.exe"
                                                                              6⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:4780
                                                                            • C:\Users\Admin\Documents\WeXpdNugwBSPvA3rQ5kXGA0k.exe
                                                                              "C:\Users\Admin\Documents\WeXpdNugwBSPvA3rQ5kXGA0k.exe"
                                                                              6⤵
                                                                              • Executes dropped EXE
                                                                              PID:4768
                                                                            • C:\Users\Admin\Documents\7X0MkWYyuFwDfeAHbDCZiq4M.exe
                                                                              "C:\Users\Admin\Documents\7X0MkWYyuFwDfeAHbDCZiq4M.exe"
                                                                              6⤵
                                                                              • Executes dropped EXE
                                                                              PID:4756
                                                                            • C:\Users\Admin\Documents\mdo3o4rVH1GZDBgYNTiitkEE.exe
                                                                              "C:\Users\Admin\Documents\mdo3o4rVH1GZDBgYNTiitkEE.exe"
                                                                              6⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:4728
                                                                            • C:\Users\Admin\Documents\bubWXty3dxjSPbN0Ns8IekZl.exe
                                                                              "C:\Users\Admin\Documents\bubWXty3dxjSPbN0Ns8IekZl.exe"
                                                                              6⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:4716
                                                                            • C:\Users\Admin\Documents\h1cxuwOCrq7awqVyENUZqxXe.exe
                                                                              "C:\Users\Admin\Documents\h1cxuwOCrq7awqVyENUZqxXe.exe"
                                                                              6⤵
                                                                              • Executes dropped EXE
                                                                              PID:4708
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /c taskkill /im h1cxuwOCrq7awqVyENUZqxXe.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\h1cxuwOCrq7awqVyENUZqxXe.exe" & del C:\ProgramData\*.dll & exit
                                                                                7⤵
                                                                                  PID:2056
                                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                                    taskkill /im h1cxuwOCrq7awqVyENUZqxXe.exe /f
                                                                                    8⤵
                                                                                    • Kills process with taskkill
                                                                                    PID:2684
                                                                                  • C:\Windows\SysWOW64\timeout.exe
                                                                                    timeout /t 6
                                                                                    8⤵
                                                                                    • Delays execution with timeout.exe
                                                                                    PID:4352
                                                                              • C:\Users\Admin\Documents\_bI3rfCzLjhXrJc7ycKaVbbS.exe
                                                                                "C:\Users\Admin\Documents\_bI3rfCzLjhXrJc7ycKaVbbS.exe"
                                                                                6⤵
                                                                                  PID:1900
                                                                                  • C:\Windows\SysWOW64\rUNdlL32.eXe
                                                                                    "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
                                                                                    7⤵
                                                                                      PID:5016
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                C:\Windows\system32\cmd.exe /c sotema_4.exe
                                                                                4⤵
                                                                                • Suspicious use of WriteProcessMemory
                                                                                PID:3352
                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS41678934\sotema_4.exe
                                                                                  sotema_4.exe
                                                                                  5⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of WriteProcessMemory
                                                                                  PID:1100
                                                                                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                    6⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:3904
                                                                                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                    6⤵
                                                                                      PID:4776
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /c sotema_3.exe
                                                                                  4⤵
                                                                                  • Suspicious use of WriteProcessMemory
                                                                                  PID:3548
                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS41678934\sotema_3.exe
                                                                                    sotema_3.exe
                                                                                    5⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:3728
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /c taskkill /im sotema_3.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS41678934\sotema_3.exe" & del C:\ProgramData\*.dll & exit
                                                                                      6⤵
                                                                                        PID:4724
                                                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                                                          taskkill /im sotema_3.exe /f
                                                                                          7⤵
                                                                                          • Kills process with taskkill
                                                                                          PID:4528
                                                                                        • C:\Windows\SysWOW64\timeout.exe
                                                                                          timeout /t 6
                                                                                          7⤵
                                                                                          • Delays execution with timeout.exe
                                                                                          PID:4148
                                                                            • \??\c:\windows\system32\svchost.exe
                                                                              c:\windows\system32\svchost.exe -k netsvcs -s BITS
                                                                              1⤵
                                                                              • Suspicious use of SetThreadContext
                                                                              • Modifies data under HKEY_USERS
                                                                              • Modifies registry class
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              • Suspicious use of WriteProcessMemory
                                                                              PID:3836
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                2⤵
                                                                                • Checks processor information in registry
                                                                                • Modifies data under HKEY_USERS
                                                                                • Modifies registry class
                                                                                PID:3976
                                                                            • \??\c:\windows\system32\svchost.exe
                                                                              c:\windows\system32\svchost.exe -k netsvcs -s seclogon
                                                                              1⤵
                                                                                PID:4192
                                                                              • C:\Users\Admin\AppData\Local\Temp\89D2.exe
                                                                                C:\Users\Admin\AppData\Local\Temp\89D2.exe
                                                                                1⤵
                                                                                  PID:4720
                                                                                • C:\Users\Admin\AppData\Local\Temp\9FCC.exe
                                                                                  C:\Users\Admin\AppData\Local\Temp\9FCC.exe
                                                                                  1⤵
                                                                                    PID:5084

                                                                                  Network

                                                                                  MITRE ATT&CK Enterprise v6

                                                                                  Replay Monitor

                                                                                  Loading Replay Monitor...

                                                                                  Downloads

                                                                                  • memory/340-323-0x00000247D6C40000-0x00000247D6CB1000-memory.dmp

                                                                                    Filesize

                                                                                    452KB

                                                                                    Download

                                                                                  • memory/996-208-0x00000225612A0000-0x0000022561311000-memory.dmp

                                                                                    Filesize

                                                                                    452KB

                                                                                    Download

                                                                                  • memory/996-204-0x0000022560CC0000-0x0000022560D0C000-memory.dmp

                                                                                    Filesize

                                                                                    304KB

                                                                                    Download

                                                                                  • memory/1084-240-0x0000020DE2030000-0x0000020DE20A1000-memory.dmp

                                                                                    Filesize

                                                                                    452KB

                                                                                    Download

                                                                                  • memory/1120-322-0x0000000000400000-0x000000000045F000-memory.dmp

                                                                                    Filesize

                                                                                    380KB

                                                                                    Download

                                                                                  • memory/1120-321-0x00000000004B0000-0x00000000004B9000-memory.dmp

                                                                                    Filesize

                                                                                    36KB

                                                                                    Download

                                                                                  • memory/1200-239-0x000001F9C71D0000-0x000001F9C7241000-memory.dmp

                                                                                    Filesize

                                                                                    452KB

                                                                                    Download

                                                                                  • memory/1216-202-0x0000000000B80000-0x0000000000BDD000-memory.dmp

                                                                                    Filesize

                                                                                    372KB

                                                                                    Download

                                                                                  • memory/1216-200-0x0000000004218000-0x0000000004319000-memory.dmp

                                                                                    Filesize

                                                                                    1.0MB

                                                                                    Download

                                                                                  • memory/1340-282-0x000001F60A470000-0x000001F60A4E1000-memory.dmp

                                                                                    Filesize

                                                                                    452KB

                                                                                    Download

                                                                                  • memory/1372-325-0x000001C2AF7B0000-0x000001C2AF821000-memory.dmp

                                                                                    Filesize

                                                                                    452KB

                                                                                    Download

                                                                                  • memory/1832-178-0x0000000005690000-0x0000000005691000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/1832-176-0x00000000009A0000-0x00000000009A1000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/1832-181-0x0000000005230000-0x0000000005231000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/1832-184-0x00000000054D0000-0x00000000054D1000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/1832-269-0x0000000005EF0000-0x0000000005EF1000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/1832-287-0x0000000005E50000-0x0000000005E6F000-memory.dmp

                                                                                    Filesize

                                                                                    124KB

                                                                                    Download

                                                                                  • memory/1832-189-0x0000000005190000-0x000000000568E000-memory.dmp

                                                                                    Filesize

                                                                                    5.0MB

                                                                                    Download

                                                                                  • memory/1832-182-0x0000000005390000-0x0000000005391000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/1908-231-0x000002014FC30000-0x000002014FCA1000-memory.dmp

                                                                                    Filesize

                                                                                    452KB

                                                                                    Download

                                                                                  • memory/2244-330-0x0000000000400000-0x0000000000478000-memory.dmp

                                                                                    Filesize

                                                                                    480KB

                                                                                    Download

                                                                                  • memory/2244-243-0x0000000004AA4000-0x0000000004AA6000-memory.dmp

                                                                                    Filesize

                                                                                    8KB

                                                                                    Download

                                                                                  • memory/2244-233-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/2244-328-0x0000000000480000-0x00000000005CA000-memory.dmp

                                                                                    Filesize

                                                                                    1.3MB

                                                                                    Download

                                                                                  • memory/2244-232-0x00000000023C0000-0x00000000023DB000-memory.dmp

                                                                                    Filesize

                                                                                    108KB

                                                                                    Download

                                                                                  • memory/2244-260-0x00000000055C0000-0x00000000055C1000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/2244-238-0x0000000002550000-0x0000000002569000-memory.dmp

                                                                                    Filesize

                                                                                    100KB

                                                                                    Download

                                                                                  • memory/2244-241-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/2244-332-0x0000000004AA3000-0x0000000004AA4000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/2244-248-0x0000000004A60000-0x0000000004A61000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/2244-331-0x0000000004AA2000-0x0000000004AA3000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/2492-220-0x000002C8FAF20000-0x000002C8FAF91000-memory.dmp

                                                                                    Filesize

                                                                                    452KB

                                                                                    Download

                                                                                  • memory/2544-214-0x000001C1C5520000-0x000001C1C5591000-memory.dmp

                                                                                    Filesize

                                                                                    452KB

                                                                                    Download

                                                                                  • memory/2604-219-0x000001AE946D0000-0x000001AE94741000-memory.dmp

                                                                                    Filesize

                                                                                    452KB

                                                                                    Download

                                                                                  • memory/2676-135-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                    Filesize

                                                                                    152KB

                                                                                    Download

                                                                                  • memory/2676-155-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                    Filesize

                                                                                    100KB

                                                                                    Download

                                                                                  • memory/2676-136-0x0000000000400000-0x000000000051E000-memory.dmp

                                                                                    Filesize

                                                                                    1.1MB

                                                                                    Download

                                                                                  • memory/2676-147-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                    Filesize

                                                                                    100KB

                                                                                    Download

                                                                                  • memory/2676-150-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                    Filesize

                                                                                    100KB

                                                                                    Download

                                                                                  • memory/2676-134-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                    Filesize

                                                                                    1.5MB

                                                                                    Download

                                                                                  • memory/2676-152-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                    Filesize

                                                                                    100KB

                                                                                    Download

                                                                                  • memory/2676-133-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                    Filesize

                                                                                    572KB

                                                                                    Download

                                                                                  • memory/2724-296-0x00000203D8980000-0x00000203D89F1000-memory.dmp

                                                                                    Filesize

                                                                                    452KB

                                                                                    Download

                                                                                  • memory/2740-306-0x000002313EF60000-0x000002313EFD1000-memory.dmp

                                                                                    Filesize

                                                                                    452KB

                                                                                    Download

                                                                                  • memory/2824-294-0x0000000000F80000-0x0000000000F96000-memory.dmp

                                                                                    Filesize

                                                                                    88KB

                                                                                    Download

                                                                                  • memory/3212-175-0x0000000000790000-0x0000000000791000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/3212-179-0x00000000007B0000-0x00000000007CB000-memory.dmp

                                                                                    Filesize

                                                                                    108KB

                                                                                    Download

                                                                                  • memory/3212-180-0x00000000007D0000-0x00000000007D1000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/3212-169-0x0000000000070000-0x0000000000071000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/3212-188-0x000000001ACE0000-0x000000001ACE2000-memory.dmp

                                                                                    Filesize

                                                                                    8KB

                                                                                    Download

                                                                                  • memory/3728-326-0x0000000001FF0000-0x000000000208D000-memory.dmp

                                                                                    Filesize

                                                                                    628KB

                                                                                    Download

                                                                                  • memory/3728-329-0x0000000000400000-0x00000000004BB000-memory.dmp

                                                                                    Filesize

                                                                                    748KB

                                                                                    Download

                                                                                  • memory/3744-320-0x0000000005290000-0x0000000005291000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/3836-209-0x000001A6128F0000-0x000001A612961000-memory.dmp

                                                                                    Filesize

                                                                                    452KB

                                                                                    Download

                                                                                  • memory/3976-338-0x0000023975DD0000-0x0000023975DEB000-memory.dmp

                                                                                    Filesize

                                                                                    108KB

                                                                                    Download

                                                                                  • memory/3976-339-0x0000023978700000-0x0000023978806000-memory.dmp

                                                                                    Filesize

                                                                                    1.0MB

                                                                                    Download

                                                                                  • memory/3976-201-0x0000023975F00000-0x0000023975F71000-memory.dmp

                                                                                    Filesize

                                                                                    452KB

                                                                                    Download

                                                                                  • memory/4284-319-0x0000000000430000-0x00000000004DE000-memory.dmp

                                                                                    Filesize

                                                                                    696KB

                                                                                    Download

                                                                                  • memory/4284-317-0x00000000001F0000-0x0000000000200000-memory.dmp

                                                                                    Filesize

                                                                                    64KB

                                                                                    Download

                                                                                  • memory/4588-342-0x0000000000960000-0x000000000098F000-memory.dmp

                                                                                    Filesize

                                                                                    188KB

                                                                                    Download

                                                                                  • memory/4708-343-0x0000000002630000-0x00000000026CD000-memory.dmp

                                                                                    Filesize

                                                                                    628KB

                                                                                    Download

                                                                                  • memory/4708-345-0x0000000000400000-0x000000000094A000-memory.dmp

                                                                                    Filesize

                                                                                    5.3MB

                                                                                    Download

                                                                                  • memory/4716-335-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/4716-284-0x00000000000C0000-0x00000000000C1000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/4716-336-0x0000000002380000-0x0000000002381000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/4728-285-0x0000000000F00000-0x0000000000F01000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/4728-299-0x0000000003370000-0x0000000003371000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/4728-309-0x0000000001AA0000-0x0000000001AA1000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/4756-307-0x0000000002A70000-0x0000000002A71000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/4756-290-0x0000000000760000-0x0000000000761000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/4756-297-0x0000000005180000-0x0000000005181000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/4768-346-0x0000000000910000-0x0000000000A5A000-memory.dmp

                                                                                    Filesize

                                                                                    1.3MB

                                                                                    Download

                                                                                  • memory/4768-344-0x0000000005024000-0x0000000005026000-memory.dmp

                                                                                    Filesize

                                                                                    8KB

                                                                                    Download

                                                                                  • memory/4780-283-0x0000000000380000-0x0000000000381000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/4780-333-0x0000000004F50000-0x0000000004F51000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download

                                                                                  • memory/4780-334-0x0000000002720000-0x0000000002721000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                    Download