Overview

overview

10

Static

static

8 (1).exe

windows7_x64

10

8 (1).exe

windows10_x64

10

8 (10).exe

windows7_x64

10

8 (10).exe

windows10_x64

10

8 (11).exe

windows7_x64

10

8 (11).exe

windows10_x64

10

8 (12).exe

windows7_x64

10

8 (12).exe

windows10_x64

10

8 (13).exe

windows7_x64

10

8 (13).exe

windows10_x64

10

8 (14).exe

windows7_x64

10

8 (14).exe

windows10_x64

10

8 (15).exe

windows7_x64

10

8 (15).exe

windows10_x64

10

8 (16).exe

windows7_x64

10

8 (16).exe

windows10_x64

10

8 (17).exe

windows7_x64

10

8 (17).exe

windows10_x64

10

8 (18).exe

windows7_x64

10

8 (18).exe

windows10_x64

10

8 (19).exe

windows7_x64

10

8 (19).exe

windows10_x64

10

8 (2).exe

windows7_x64

10

8 (2).exe

windows10_x64

10

8 (20).exe

windows7_x64

10

8 (20).exe

windows10_x64

10

8 (21).exe

windows7_x64

10

8 (21).exe

windows10_x64

10

8 (22).exe

windows7_x64

10

8 (22).exe

windows10_x64

10

8 (23).exe

windows7_x64

10

8 (23).exe

windows10_x64

10

Resubmissions

13/08/2021, 10:16

210813-wpta271jdx 10

08/08/2021, 23:00

210808-fgs5g9pxfs 10

07/08/2021, 23:12

210807-g2jw1lmd4a 10

07/08/2021, 16:10

210807-51nhct4kfx 10

06/08/2021, 23:43

210806-gc2271nxwj 10

06/08/2021, 06:00

210806-f443x39x8a 10

05/08/2021, 17:08

210805-97y6banvvx 10

04/08/2021, 17:25

210804-hkxx2ntr8x 10

04/08/2021, 12:12

210804-rjbg4b4y7n 10

03/08/2021, 17:12

210803-r2h7ytjwqj 10

Analysis

  • max time kernel
    149s
  • max time network
    1839s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    05/08/2021, 17:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8 (19).exe

  • Size

    3.0MB

  • MD5

    bb072cad921aa5ce8b97706ce01bc570

  • SHA1

    18bf034906c1341b7817e7361ad27a4425d820bd

  • SHA256

    817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97

  • SHA512

    d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

Score
10/10
redlinesmokeloadersocelarsvidar933wwaspackv2backdoorevasioninfostealerpersistencestealersuricatatrojanvmprotect

Malware Config

Extracted

Family

vidar

Version

39.6

Botnet

933

C2

https://sslamlssa1.tumblr.com/

Attributes
  • profile_id

    933

Extracted

Family

smokeloader

Version

2020

C2

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

WW

C2

193.56.146.60:51431

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • suricata: ET MALWARE GCleaner Downloader Activity M1

    suricata: ET MALWARE GCleaner Downloader Activity M1

    suricata
  • suricata: ET MALWARE Possible Dridex Download URI Struct with no referer

    suricata: ET MALWARE Possible Dridex Download URI Struct with no referer

    suricata
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • Vidar Stealer 2 IoCs
    stealer
  • ASPack v2.12-2.42 17 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Downloads MZ/PE file
  • Executes dropped EXE 27 IoCs
  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Loads dropped DLL 64 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 3 IoCs
    evasion
  • Modifies data under HKEY_USERS 17 IoCs
  • Modifies registry class 20 IoCs
  • Modifies system certificate store 2 TTPs 15 IoCs
    evasionspywaretrojan
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:464
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:872
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {4B82E67F-8A6F-4E3B-9BE8-C8A9B1F3D70B} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
          3⤵
            PID:2628
            • C:\Users\Admin\AppData\Roaming\uwuruwa
              C:\Users\Admin\AppData\Roaming\uwuruwa
              4⤵
                PID:2680
              • C:\Users\Admin\AppData\Roaming\uwuruwa
                C:\Users\Admin\AppData\Roaming\uwuruwa
                4⤵
                  PID:1512
              • C:\Windows\system32\taskeng.exe
                taskeng.exe {E16EC05E-3F4C-465E-B819-986605ED1DB0} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
                3⤵
                  PID:2944
                  • C:\Users\Admin\AppData\Roaming\uwuruwa
                    C:\Users\Admin\AppData\Roaming\uwuruwa
                    4⤵
                      PID:1944
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k SystemNetworkService
                  2⤵
                  • Checks processor information in registry
                  • Modifies data under HKEY_USERS
                  • Modifies registry class
                  PID:1620
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k SystemNetworkService
                  2⤵
                  • Drops file in System32 directory
                  • Checks processor information in registry
                  • Modifies data under HKEY_USERS
                  • Modifies registry class
                  PID:2744
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k SystemNetworkService
                  2⤵
                    PID:2888
                • C:\Users\Admin\AppData\Local\Temp\8 (19).exe
                  "C:\Users\Admin\AppData\Local\Temp\8 (19).exe"
                  1⤵
                  • Loads dropped DLL
                  • Suspicious use of WriteProcessMemory
                  PID:1072
                  • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                    "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                    2⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious use of WriteProcessMemory
                    PID:1216
                    • C:\Users\Admin\AppData\Local\Temp\7zS0C4394B4\setup_install.exe
                      "C:\Users\Admin\AppData\Local\Temp\7zS0C4394B4\setup_install.exe"
                      3⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious use of WriteProcessMemory
                      PID:1680
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c sonia_1.exe
                        4⤵
                        • Loads dropped DLL
                        PID:1092
                        • C:\Users\Admin\AppData\Local\Temp\7zS0C4394B4\sonia_1.exe
                          sonia_1.exe
                          5⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          PID:1144
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c sonia_2.exe
                        4⤵
                        • Loads dropped DLL
                        • Suspicious use of WriteProcessMemory
                        PID:1768
                        • C:\Users\Admin\AppData\Local\Temp\7zS0C4394B4\sonia_2.exe
                          sonia_2.exe
                          5⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Checks SCSI registry key(s)
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious behavior: MapViewOfSection
                          PID:1012
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c sonia_3.exe
                        4⤵
                        • Loads dropped DLL
                        PID:432
                        • C:\Users\Admin\AppData\Local\Temp\7zS0C4394B4\sonia_3.exe
                          sonia_3.exe
                          5⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Modifies system certificate store
                          PID:2016
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 952
                            6⤵
                            • Loads dropped DLL
                            • Program crash
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2104
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c sonia_4.exe
                        4⤵
                        • Loads dropped DLL
                        PID:300
                        • C:\Users\Admin\AppData\Local\Temp\7zS0C4394B4\sonia_4.exe
                          sonia_4.exe
                          5⤵
                          • Executes dropped EXE
                          • Modifies system certificate store
                          • Suspicious use of AdjustPrivilegeToken
                          PID:972
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c sonia_5.exe
                        4⤵
                        • Loads dropped DLL
                        PID:864
                        • C:\Users\Admin\AppData\Local\Temp\7zS0C4394B4\sonia_5.exe
                          sonia_5.exe
                          5⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Modifies system certificate store
                          PID:1644
                          • C:\Users\Admin\Documents\HdHTxe3eWnZ4VzVH8tp7WdAX.exe
                            "C:\Users\Admin\Documents\HdHTxe3eWnZ4VzVH8tp7WdAX.exe"
                            6⤵
                            • Executes dropped EXE
                            PID:2188
                          • C:\Users\Admin\Documents\_D9GKenwk1I0rTxwY2_Ys4p_.exe
                            "C:\Users\Admin\Documents\_D9GKenwk1I0rTxwY2_Ys4p_.exe"
                            6⤵
                            • Executes dropped EXE
                            PID:2212
                          • C:\Users\Admin\Documents\MYUbZ2_X47dGJk2SfNvPuQBb.exe
                            "C:\Users\Admin\Documents\MYUbZ2_X47dGJk2SfNvPuQBb.exe"
                            6⤵
                            • Executes dropped EXE
                            PID:2276
                            • C:\Windows\SysWOW64\cmd.exe
                              cmd.exe /c taskkill /f /im chrome.exe
                              7⤵
                                PID:2500
                                • C:\Windows\SysWOW64\taskkill.exe
                                  taskkill /f /im chrome.exe
                                  8⤵
                                  • Kills process with taskkill
                                  PID:3060
                            • C:\Users\Admin\Documents\EQFYruf1f7SCE5_MNaVf24hg.exe
                              "C:\Users\Admin\Documents\EQFYruf1f7SCE5_MNaVf24hg.exe"
                              6⤵
                              • Executes dropped EXE
                              • Modifies system certificate store
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2268
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd.exe /c taskkill /f /im chrome.exe
                                7⤵
                                  PID:2208
                                  • C:\Windows\SysWOW64\taskkill.exe
                                    taskkill /f /im chrome.exe
                                    8⤵
                                    • Kills process with taskkill
                                    PID:828
                              • C:\Users\Admin\Documents\lfmk403QJW1yRVHNWJdLZmWh.exe
                                "C:\Users\Admin\Documents\lfmk403QJW1yRVHNWJdLZmWh.exe"
                                6⤵
                                • Executes dropped EXE
                                PID:2252
                              • C:\Users\Admin\Documents\TwJ2KZbL6ClGRnmUmEelmXWo.exe
                                "C:\Users\Admin\Documents\TwJ2KZbL6ClGRnmUmEelmXWo.exe"
                                6⤵
                                • Executes dropped EXE
                                PID:2232
                              • C:\Users\Admin\Documents\RtKu4q9MMWmsvMR5KShzzkX9.exe
                                "C:\Users\Admin\Documents\RtKu4q9MMWmsvMR5KShzzkX9.exe"
                                6⤵
                                  PID:2292
                                • C:\Users\Admin\Documents\4_CeNrJQKTG1o6gMlcGOKfHF.exe
                                  "C:\Users\Admin\Documents\4_CeNrJQKTG1o6gMlcGOKfHF.exe"
                                  6⤵
                                  • Executes dropped EXE
                                  • Checks SCSI registry key(s)
                                  • Suspicious behavior: MapViewOfSection
                                  PID:2336
                                • C:\Users\Admin\Documents\gnF9WsDCJLobCqNHxeYNGWA0.exe
                                  "C:\Users\Admin\Documents\gnF9WsDCJLobCqNHxeYNGWA0.exe"
                                  6⤵
                                  • Executes dropped EXE
                                  PID:2648
                                • C:\Users\Admin\Documents\x9HT1LxhVPp5bAUItsaiJyD3.exe
                                  "C:\Users\Admin\Documents\x9HT1LxhVPp5bAUItsaiJyD3.exe"
                                  6⤵
                                  • Executes dropped EXE
                                  PID:2620
                                • C:\Users\Admin\Documents\sAZ1RxuBxX8cg_BUsUJmF1Op.exe
                                  "C:\Users\Admin\Documents\sAZ1RxuBxX8cg_BUsUJmF1Op.exe"
                                  6⤵
                                  • Executes dropped EXE
                                  PID:2608
                                • C:\Users\Admin\Documents\IVDGHVPvkytCyqkyioE0HnX2.exe
                                  "C:\Users\Admin\Documents\IVDGHVPvkytCyqkyioE0HnX2.exe"
                                  6⤵
                                  • Executes dropped EXE
                                  PID:2596
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /c taskkill /im "IVDGHVPvkytCyqkyioE0HnX2.exe" /f & erase "C:\Users\Admin\Documents\IVDGHVPvkytCyqkyioE0HnX2.exe" & exit
                                    7⤵
                                      PID:2316
                                      • C:\Windows\SysWOW64\taskkill.exe
                                        taskkill /im "IVDGHVPvkytCyqkyioE0HnX2.exe" /f
                                        8⤵
                                        • Kills process with taskkill
                                        PID:1432
                                  • C:\Users\Admin\Documents\Y9TsKF4uR4Be63Xgc937MwrG.exe
                                    "C:\Users\Admin\Documents\Y9TsKF4uR4Be63Xgc937MwrG.exe"
                                    6⤵
                                    • Executes dropped EXE
                                    PID:2584
                                    • C:\Program Files (x86)\Company\NewProduct\customer3.exe
                                      "C:\Program Files (x86)\Company\NewProduct\customer3.exe"
                                      7⤵
                                        PID:2452
                                      • C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
                                        "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
                                        7⤵
                                          PID:2000
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 276
                                            8⤵
                                            • Program crash
                                            PID:1552
                                        • C:\Program Files (x86)\Company\NewProduct\jooyu.exe
                                          "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
                                          7⤵
                                            PID:2816
                                        • C:\Users\Admin\Documents\9Y32m4w_V1P4vuLxB85BNNml.exe
                                          "C:\Users\Admin\Documents\9Y32m4w_V1P4vuLxB85BNNml.exe"
                                          6⤵
                                          • Executes dropped EXE
                                          PID:2572
                                          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                            7⤵
                                              PID:1556
                                            • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                              C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                              7⤵
                                                PID:1436
                                              • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                7⤵
                                                  PID:1068
                                                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                  7⤵
                                                    PID:1248
                                                • C:\Users\Admin\Documents\r23VvjKGDk7ZPR1kOStystyK.exe
                                                  "C:\Users\Admin\Documents\r23VvjKGDk7ZPR1kOStystyK.exe"
                                                  6⤵
                                                  • Executes dropped EXE
                                                  PID:2560
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 1344
                                                    7⤵
                                                    • Program crash
                                                    PID:2144
                                                • C:\Users\Admin\Documents\1WhqStYBstvaWjLyX3rzuaKc.exe
                                                  "C:\Users\Admin\Documents\1WhqStYBstvaWjLyX3rzuaKc.exe"
                                                  6⤵
                                                  • Executes dropped EXE
                                                  PID:2548
                                                • C:\Users\Admin\Documents\Tzhe2myhe8qqpGsTGSD5mdBN.exe
                                                  "C:\Users\Admin\Documents\Tzhe2myhe8qqpGsTGSD5mdBN.exe"
                                                  6⤵
                                                  • Executes dropped EXE
                                                  PID:2928
                                                  • C:\Users\Admin\AppData\Local\Temp\is-Q8J01.tmp\Tzhe2myhe8qqpGsTGSD5mdBN.tmp
                                                    "C:\Users\Admin\AppData\Local\Temp\is-Q8J01.tmp\Tzhe2myhe8qqpGsTGSD5mdBN.tmp" /SL5="$20204,138429,56832,C:\Users\Admin\Documents\Tzhe2myhe8qqpGsTGSD5mdBN.exe"
                                                    7⤵
                                                    • Executes dropped EXE
                                                    PID:3048
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c sonia_6.exe
                                              4⤵
                                              • Loads dropped DLL
                                              PID:1176
                                              • C:\Users\Admin\AppData\Local\Temp\7zS0C4394B4\sonia_6.exe
                                                sonia_6.exe
                                                5⤵
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                • Adds Run key to start application
                                                PID:852
                                                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                  6⤵
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  PID:1184
                                                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                  6⤵
                                                    PID:2156
                                                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                    6⤵
                                                      PID:2316
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 412
                                                  4⤵
                                                  • Loads dropped DLL
                                                  • Program crash
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious behavior: GetForegroundWindowSpam
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1348
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c sonia_7.exe
                                                  4⤵
                                                    PID:1368
                                            • C:\Users\Admin\AppData\Local\Temp\7zS0C4394B4\sonia_1.exe
                                              "C:\Users\Admin\AppData\Local\Temp\7zS0C4394B4\sonia_1.exe" -a
                                              1⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              PID:1532
                                            • C:\Windows\system32\rUNdlL32.eXe
                                              rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                              1⤵
                                              • Process spawned unexpected child process
                                              PID:932
                                              • C:\Windows\SysWOW64\rundll32.exe
                                                rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                2⤵
                                                • Loads dropped DLL
                                                • Modifies registry class
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1432
                                            • C:\Windows\system32\DllHost.exe
                                              C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                              1⤵
                                                PID:2888
                                              • C:\Users\Admin\AppData\Local\Temp\2BE1.exe
                                                C:\Users\Admin\AppData\Local\Temp\2BE1.exe
                                                1⤵
                                                  PID:2764

                                                Network

                                                MITRE ATT&CK Enterprise v6

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • memory/872-182-0x0000000000A20000-0x0000000000A6C000-memory.dmp

                                                  Filesize

                                                  304KB

                                                  Download

                                                • memory/872-183-0x0000000001020000-0x0000000001091000-memory.dmp

                                                  Filesize

                                                  452KB

                                                  Download

                                                • memory/972-164-0x000000001B1A0000-0x000000001B1A2000-memory.dmp

                                                  Filesize

                                                  8KB

                                                  Download

                                                • memory/972-146-0x0000000000C10000-0x0000000000C11000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/1012-178-0x0000000000400000-0x0000000000896000-memory.dmp

                                                  Filesize

                                                  4.6MB

                                                  Download

                                                • memory/1012-172-0x0000000000240000-0x0000000000249000-memory.dmp

                                                  Filesize

                                                  36KB

                                                  Download

                                                • memory/1072-59-0x00000000752F1000-0x00000000752F3000-memory.dmp

                                                  Filesize

                                                  8KB

                                                  Download

                                                • memory/1288-207-0x0000000002CA0000-0x0000000002CB5000-memory.dmp

                                                  Filesize

                                                  84KB

                                                  Download

                                                • memory/1288-187-0x0000000002B50000-0x0000000002B65000-memory.dmp

                                                  Filesize

                                                  84KB

                                                  Download

                                                • memory/1348-179-0x0000000000490000-0x0000000000510000-memory.dmp

                                                  Filesize

                                                  512KB

                                                  Download

                                                • memory/1432-180-0x0000000000900000-0x0000000000A01000-memory.dmp

                                                  Filesize

                                                  1.0MB

                                                  Download

                                                • memory/1432-181-0x0000000000880000-0x00000000008DD000-memory.dmp

                                                  Filesize

                                                  372KB

                                                  Download

                                                • memory/1620-184-0x0000000000390000-0x0000000000401000-memory.dmp

                                                  Filesize

                                                  452KB

                                                  Download

                                                • memory/1680-102-0x0000000064940000-0x0000000064959000-memory.dmp

                                                  Filesize

                                                  100KB

                                                  Download

                                                • memory/1680-138-0x0000000000400000-0x000000000051D000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                  Download

                                                • memory/1680-107-0x0000000064940000-0x0000000064959000-memory.dmp

                                                  Filesize

                                                  100KB

                                                  Download

                                                • memory/1680-115-0x0000000064940000-0x0000000064959000-memory.dmp

                                                  Filesize

                                                  100KB

                                                  Download

                                                • memory/1680-117-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                  Filesize

                                                  572KB

                                                  Download

                                                • memory/1680-126-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                  Filesize

                                                  152KB

                                                  Download

                                                • memory/1680-125-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                  Filesize

                                                  1.5MB

                                                  Download

                                                • memory/1680-101-0x0000000064940000-0x0000000064959000-memory.dmp

                                                  Filesize

                                                  100KB

                                                  Download

                                                • memory/1680-88-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                  Filesize

                                                  572KB

                                                  Download

                                                • memory/1680-91-0x0000000000400000-0x000000000051D000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                  Download

                                                • memory/1680-90-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                  Filesize

                                                  152KB

                                                  Download

                                                • memory/1680-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                  Filesize

                                                  1.5MB

                                                  Download

                                                • memory/2000-260-0x0000000000400000-0x000000000067D000-memory.dmp

                                                  Filesize

                                                  2.5MB

                                                  Download

                                                • memory/2016-170-0x0000000002270000-0x000000000230D000-memory.dmp

                                                  Filesize

                                                  628KB

                                                  Download

                                                • memory/2016-171-0x0000000000400000-0x00000000008F2000-memory.dmp

                                                  Filesize

                                                  4.9MB

                                                  Download

                                                • memory/2104-190-0x0000000000330000-0x0000000000331000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/2212-222-0x0000000000E60000-0x0000000000E61000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/2232-223-0x0000000000A10000-0x0000000000A11000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/2252-247-0x0000000004890000-0x00000000048AA000-memory.dmp

                                                  Filesize

                                                  104KB

                                                  Download

                                                • memory/2252-241-0x0000000004820000-0x000000000483B000-memory.dmp

                                                  Filesize

                                                  108KB

                                                  Download

                                                • memory/2336-202-0x0000000000240000-0x0000000000249000-memory.dmp

                                                  Filesize

                                                  36KB

                                                  Download

                                                • memory/2336-203-0x0000000000400000-0x0000000002C6D000-memory.dmp

                                                  Filesize

                                                  40.4MB

                                                  Download

                                                • memory/2608-229-0x00000000003F0000-0x0000000000400000-memory.dmp

                                                  Filesize

                                                  64KB

                                                  Download

                                                • memory/2620-228-0x0000000000E70000-0x0000000000E71000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/2744-230-0x00000000000F0000-0x000000000013E000-memory.dmp

                                                  Filesize

                                                  312KB

                                                  Download

                                                • memory/2744-240-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

                                                  Filesize

                                                  8KB

                                                  Download

                                                • memory/3048-242-0x0000000071AC1000-0x0000000071AC3000-memory.dmp

                                                  Filesize

                                                  8KB

                                                  Download

                                                • memory/3048-238-0x00000000003C0000-0x00000000003FC000-memory.dmp

                                                  Filesize

                                                  240KB

                                                  Download