redline | 8fe6c86b038ce91a991fe6eb8a9b323bb37b554ff6b4e5c18de3fe52d4aedf6d

Target

setup_x86_x64_install.exe
Size

4.3MB
MD5

6d18c8e8ab9051f7a70b89ff7bb0ec35
SHA1

265311e2afd9f59e824f4b77162cf3dfa278eb7e
SHA256

8fe6c86b038ce91a991fe6eb8a9b323bb37b554ff6b4e5c18de3fe52d4aedf6d
SHA512

249bf79dc90d4662b942c7eed2a7b7816b749f6d5f7bc190bba05f826fa143d0b44f58054d8649b8626884c5fcbd1cea8abd625dc701d44b7aaac84fc74e47ff

Score

10^/10

redline smokeloader socelars vidar 706 pab123 aspackv2 backdoor discovery evasion infostealer spyware stealer trojan

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

vidar

Version

40.5

Botnet

706

https://gheorghip.tumblr.com/

Attributes

profile_id
706

Extracted

Family

redline

Botnet

pab123

45.14.49.169:22411

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

resource	yara_rule
behavioral5/memory/3324-248-0x0000000004890000-0x00000000048AF000-memory.dmp	family_redline
behavioral5/memory/3324-271-0x00000000070C0000-0x00000000070DE000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

resource	yara_rule
behavioral5/files/0x000700000001abcd-150.dat	family_socelars
behavioral5/files/0x000700000001abcd-186.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral5/memory/3160-242-0x0000000000400000-0x0000000002BC5000-memory.dmp	family_vidar
behavioral5/memory/3160-268-0x00000000048A0000-0x0000000004971000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral5/files/0x000400000001abbe-123.dat	aspack_v212_v242
behavioral5/files/0x000400000001abbe-124.dat	aspack_v212_v242
behavioral5/files/0x000400000001abbf-122.dat	aspack_v212_v242
behavioral5/files/0x000400000001abbf-126.dat	aspack_v212_v242
behavioral5/files/0x000400000001abc1-128.dat	aspack_v212_v242
behavioral5/files/0x000400000001abc1-131.dat	aspack_v212_v242

Executes dropped EXE 17 IoCs

pid	Process
3816	setup_installer.exe
3536	setup_install.exe
3048	Thu2164f292a11ce.exe
3160	Thu214ce31cede21.exe
3080	Thu219d5fe8cf316.exe
3324	Thu21624565bb917a.exe
3036	Thu21a1ef054cac78a.exe
3124	Thu21df5caa1b78de6.exe
3032	Thu21568b0ab8.exe
1436	Thu2156de5489c19.exe
3692	Thu214aaca5625.exe
3856	Thu21b9847cb6727.exe
816	Thu2102ff6cfe07c.exe
1468	Thu21b93295136197.exe
2040	Thu21b93295136197.tmp
1088	Thu214aaca5625.tmp
4412	aefwrfi

Loads dropped DLL 9 IoCs

pid	Process
3536	setup_install.exe
3536	setup_install.exe
3536	setup_install.exe
3536	setup_install.exe
3536	setup_install.exe
3536	setup_install.exe
1088	Thu214aaca5625.tmp
2040	Thu21b93295136197.tmp
2040	Thu21b93295136197.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Thu21b93295136197.tmp
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Thu2156de5489c19.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com
43	ipinfo.io
45	ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 11 IoCs

pid	pid_target	Process	procid_target
1224	3536	WerFault.exe	78
4168	3124	WerFault.exe	96
4244	3124	WerFault.exe	96
4348	3124	WerFault.exe	96
4400	3124	WerFault.exe	96
4440	3124	WerFault.exe	96
4860	3124	WerFault.exe	96
4896	3124	WerFault.exe	96
4948	3124	WerFault.exe	96
4988	3124	WerFault.exe	96
1864	3124	WerFault.exe	96

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu2164f292a11ce.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu2164f292a11ce.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu2164f292a11ce.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Thu214ce31cede21.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Thu214ce31cede21.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4120	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Thu214ce31cede21.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Thu214ce31cede21.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	44	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	45	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	52	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1224	WerFault.exe
1224	WerFault.exe
1224	WerFault.exe
1224	WerFault.exe
1224	WerFault.exe
1224	WerFault.exe
1224	WerFault.exe
1224	WerFault.exe
1224	WerFault.exe
1224	WerFault.exe
1224	WerFault.exe
1224	WerFault.exe
1224	WerFault.exe
1224	WerFault.exe
1224	WerFault.exe
1224	WerFault.exe
1224	WerFault.exe
3048	Thu2164f292a11ce.exe
3048	Thu2164f292a11ce.exe
1224	WerFault.exe
1224	WerFault.exe
3252	powershell.exe
3252	powershell.exe
3252	powershell.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
3040	Process not Found
4244	WerFault.exe
4244	WerFault.exe
4244	WerFault.exe
4244	WerFault.exe
4244	WerFault.exe
4244	WerFault.exe
4244	WerFault.exe
4244	WerFault.exe
4244	WerFault.exe
4244	WerFault.exe
4244	WerFault.exe
4244	WerFault.exe
4244	WerFault.exe
4244	WerFault.exe
4244	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3124	Thu21df5caa1b78de6.exe
3040	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3048	Thu2164f292a11ce.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	3036	Thu21a1ef054cac78a.exe
Token: SeAssignPrimaryTokenPrivilege	3036	Thu21a1ef054cac78a.exe
Token: SeLockMemoryPrivilege	3036	Thu21a1ef054cac78a.exe
Token: SeIncreaseQuotaPrivilege	3036	Thu21a1ef054cac78a.exe
Token: SeMachineAccountPrivilege	3036	Thu21a1ef054cac78a.exe
Token: SeTcbPrivilege	3036	Thu21a1ef054cac78a.exe
Token: SeSecurityPrivilege	3036	Thu21a1ef054cac78a.exe
Token: SeTakeOwnershipPrivilege	3036	Thu21a1ef054cac78a.exe
Token: SeLoadDriverPrivilege	3036	Thu21a1ef054cac78a.exe
Token: SeSystemProfilePrivilege	3036	Thu21a1ef054cac78a.exe
Token: SeSystemtimePrivilege	3036	Thu21a1ef054cac78a.exe
Token: SeProfSingleProcessPrivilege	3036	Thu21a1ef054cac78a.exe
Token: SeIncBasePriorityPrivilege	3036	Thu21a1ef054cac78a.exe
Token: SeCreatePagefilePrivilege	3036	Thu21a1ef054cac78a.exe
Token: SeCreatePermanentPrivilege	3036	Thu21a1ef054cac78a.exe
Token: SeBackupPrivilege	3036	Thu21a1ef054cac78a.exe
Token: SeRestorePrivilege	3036	Thu21a1ef054cac78a.exe
Token: SeShutdownPrivilege	3036	Thu21a1ef054cac78a.exe
Token: SeDebugPrivilege	3036	Thu21a1ef054cac78a.exe
Token: SeAuditPrivilege	3036	Thu21a1ef054cac78a.exe
Token: SeSystemEnvironmentPrivilege	3036	Thu21a1ef054cac78a.exe
Token: SeChangeNotifyPrivilege	3036	Thu21a1ef054cac78a.exe
Token: SeRemoteShutdownPrivilege	3036	Thu21a1ef054cac78a.exe
Token: SeUndockPrivilege	3036	Thu21a1ef054cac78a.exe
Token: SeSyncAgentPrivilege	3036	Thu21a1ef054cac78a.exe
Token: SeEnableDelegationPrivilege	3036	Thu21a1ef054cac78a.exe
Token: SeManageVolumePrivilege	3036	Thu21a1ef054cac78a.exe
Token: SeImpersonatePrivilege	3036	Thu21a1ef054cac78a.exe
Token: SeCreateGlobalPrivilege	3036	Thu21a1ef054cac78a.exe
Token: 31	3036	Thu21a1ef054cac78a.exe
Token: 32	3036	Thu21a1ef054cac78a.exe
Token: 33	3036	Thu21a1ef054cac78a.exe
Token: 34	3036	Thu21a1ef054cac78a.exe
Token: 35	3036	Thu21a1ef054cac78a.exe
Token: SeDebugPrivilege	3032	Thu21568b0ab8.exe
Token: SeRestorePrivilege	1224	WerFault.exe
Token: SeBackupPrivilege	1224	WerFault.exe
Token: SeDebugPrivilege	3080	Thu219d5fe8cf316.exe
Token: SeDebugPrivilege	1224	WerFault.exe
Token: SeDebugPrivilege	3252	powershell.exe
Token: SeDebugPrivilege	1436	Thu2156de5489c19.exe
Token: SeDebugPrivilege	4168	WerFault.exe
Token: SeDebugPrivilege	4120	taskkill.exe
Token: SeDebugPrivilege	4244	WerFault.exe
Token: SeDebugPrivilege	4348	WerFault.exe
Token: SeShutdownPrivilege	3040	Process not Found
Token: SeCreatePagefilePrivilege	3040	Process not Found
Token: SeDebugPrivilege	4400	WerFault.exe
Token: SeDebugPrivilege	4440	WerFault.exe
Token: SeDebugPrivilege	4860	WerFault.exe
Token: SeDebugPrivilege	4896	WerFault.exe
Token: SeDebugPrivilege	4948	WerFault.exe
Token: SeDebugPrivilege	4988	WerFault.exe
Token: SeShutdownPrivilege	3040	Process not Found
Token: SeCreatePagefilePrivilege	3040	Process not Found
Token: SeShutdownPrivilege	3040	Process not Found
Token: SeCreatePagefilePrivilege	3040	Process not Found
Token: SeShutdownPrivilege	3040	Process not Found
Token: SeCreatePagefilePrivilege	3040	Process not Found
Token: SeDebugPrivilege	1864	WerFault.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2040	Thu21b93295136197.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 3816	1008	setup_x86_x64_install.exe	77
PID 1008 wrote to memory of 3816	1008	setup_x86_x64_install.exe	77
PID 1008 wrote to memory of 3816	1008	setup_x86_x64_install.exe	77
PID 3816 wrote to memory of 3536	3816	setup_installer.exe	78
PID 3816 wrote to memory of 3536	3816	setup_installer.exe	78
PID 3816 wrote to memory of 3536	3816	setup_installer.exe	78
PID 3536 wrote to memory of 3680	3536	setup_install.exe	81
PID 3536 wrote to memory of 3680	3536	setup_install.exe	81
PID 3536 wrote to memory of 3680	3536	setup_install.exe	81
PID 3536 wrote to memory of 912	3536	setup_install.exe	82
PID 3536 wrote to memory of 912	3536	setup_install.exe	82
PID 3536 wrote to memory of 912	3536	setup_install.exe	82
PID 3536 wrote to memory of 3556	3536	setup_install.exe	83
PID 3536 wrote to memory of 3556	3536	setup_install.exe	83
PID 3536 wrote to memory of 3556	3536	setup_install.exe	83
PID 3536 wrote to memory of 1580	3536	setup_install.exe	87
PID 3536 wrote to memory of 1580	3536	setup_install.exe	87
PID 3536 wrote to memory of 1580	3536	setup_install.exe	87
PID 3536 wrote to memory of 1856	3536	setup_install.exe	84
PID 3536 wrote to memory of 1856	3536	setup_install.exe	84
PID 3536 wrote to memory of 1856	3536	setup_install.exe	84
PID 3536 wrote to memory of 2228	3536	setup_install.exe	85
PID 3536 wrote to memory of 2228	3536	setup_install.exe	85
PID 3536 wrote to memory of 2228	3536	setup_install.exe	85
PID 3536 wrote to memory of 1584	3536	setup_install.exe	86
PID 3536 wrote to memory of 1584	3536	setup_install.exe	86
PID 3536 wrote to memory of 1584	3536	setup_install.exe	86
PID 3536 wrote to memory of 1464	3536	setup_install.exe	88
PID 3536 wrote to memory of 1464	3536	setup_install.exe	88
PID 3536 wrote to memory of 1464	3536	setup_install.exe	88
PID 3536 wrote to memory of 1796	3536	setup_install.exe	93
PID 3536 wrote to memory of 1796	3536	setup_install.exe	93
PID 3536 wrote to memory of 1796	3536	setup_install.exe	93
PID 3536 wrote to memory of 1836	3536	setup_install.exe	89
PID 3536 wrote to memory of 1836	3536	setup_install.exe	89
PID 3536 wrote to memory of 1836	3536	setup_install.exe	89
PID 3536 wrote to memory of 1932	3536	setup_install.exe	90
PID 3536 wrote to memory of 1932	3536	setup_install.exe	90
PID 3536 wrote to memory of 1932	3536	setup_install.exe	90
PID 3536 wrote to memory of 2016	3536	setup_install.exe	92
PID 3536 wrote to memory of 2016	3536	setup_install.exe	92
PID 3536 wrote to memory of 2016	3536	setup_install.exe	92
PID 3536 wrote to memory of 2160	3536	setup_install.exe	91
PID 3536 wrote to memory of 2160	3536	setup_install.exe	91
PID 3536 wrote to memory of 2160	3536	setup_install.exe	91
PID 1856 wrote to memory of 3048	1856	cmd.exe	94
PID 1856 wrote to memory of 3048	1856	cmd.exe	94
PID 1856 wrote to memory of 3048	1856	cmd.exe	94
PID 912 wrote to memory of 3080	912	cmd.exe	95
PID 912 wrote to memory of 3080	912	cmd.exe	95
PID 1464 wrote to memory of 3160	1464	cmd.exe	101
PID 1464 wrote to memory of 3160	1464	cmd.exe	101
PID 1464 wrote to memory of 3160	1464	cmd.exe	101
PID 3556 wrote to memory of 3324	3556	cmd.exe	100
PID 3556 wrote to memory of 3324	3556	cmd.exe	100
PID 3556 wrote to memory of 3324	3556	cmd.exe	100
PID 2016 wrote to memory of 3032	2016	cmd.exe	98
PID 2016 wrote to memory of 3032	2016	cmd.exe	98
PID 1580 wrote to memory of 3036	1580	cmd.exe	97
PID 1580 wrote to memory of 3036	1580	cmd.exe	97
PID 1580 wrote to memory of 3036	1580	cmd.exe	97
PID 1836 wrote to memory of 3124	1836	cmd.exe	96
PID 1836 wrote to memory of 3124	1836	cmd.exe	96
PID 1836 wrote to memory of 3124	1836	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3816
- - C:\Users\Admin\AppData\Local\Temp\7zS8EED3216\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS8EED3216\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:3680
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3252
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu219d5fe8cf316.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:912
    - - C:\Users\Admin\AppData\Local\Temp\7zS8EED3216\Thu219d5fe8cf316.exe
        
        Thu219d5fe8cf316.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu21624565bb917a.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3556
    - - C:\Users\Admin\AppData\Local\Temp\7zS8EED3216\Thu21624565bb917a.exe
        
        Thu21624565bb917a.exe
        5⤵
        Executes dropped EXE
        
        PID:3324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu2164f292a11ce.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1856
    - - C:\Users\Admin\AppData\Local\Temp\7zS8EED3216\Thu2164f292a11ce.exe
        
        Thu2164f292a11ce.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:3048
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu21b93295136197.exe
      4⤵
      PID:2228
    - - C:\Users\Admin\AppData\Local\Temp\7zS8EED3216\Thu21b93295136197.exe
        
        Thu21b93295136197.exe
        5⤵
        Executes dropped EXE
        
        PID:1468
      - C:\Users\Admin\AppData\Local\Temp\is-94G9M.tmp\Thu21b93295136197.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-94G9M.tmp\Thu21b93295136197.tmp" /SL5="$6006A,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zS8EED3216\Thu21b93295136197.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of FindShellTrayWindow
        
        PID:2040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu21b9847cb6727.exe
      4⤵
      PID:1584
    - - C:\Users\Admin\AppData\Local\Temp\7zS8EED3216\Thu21b9847cb6727.exe
        
        Thu21b9847cb6727.exe
        5⤵
        Executes dropped EXE
        
        PID:3856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu21a1ef054cac78a.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1580
    - - C:\Users\Admin\AppData\Local\Temp\7zS8EED3216\Thu21a1ef054cac78a.exe
        
        Thu21a1ef054cac78a.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu214ce31cede21.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1464
    - - C:\Users\Admin\AppData\Local\Temp\7zS8EED3216\Thu214ce31cede21.exe
        
        Thu214ce31cede21.exe
        5⤵
        Executes dropped EXE
        Checks processor information in registry
        Modifies system certificate store
        
        PID:3160
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu21df5caa1b78de6.exe /mixone
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1836
    - - C:\Users\Admin\AppData\Local\Temp\7zS8EED3216\Thu21df5caa1b78de6.exe
        
        Thu21df5caa1b78de6.exe /mixone
        5⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3124
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 656
        6⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4168
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 672
        6⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4244
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 676
        6⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:4348
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 820
        6⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:4400
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 832
        6⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:4440
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 888
        6⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 1160
        6⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 1284
        6⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:4948
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 1304
        6⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:4988
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 696
        6⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu214aaca5625.exe
      4⤵
      PID:1932
    - - C:\Users\Admin\AppData\Local\Temp\7zS8EED3216\Thu214aaca5625.exe
        
        Thu214aaca5625.exe
        5⤵
        Executes dropped EXE
        
        PID:3692
      - C:\Users\Admin\AppData\Local\Temp\is-LRCKT.tmp\Thu214aaca5625.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-LRCKT.tmp\Thu214aaca5625.tmp" /SL5="$60054,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS8EED3216\Thu214aaca5625.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu2102ff6cfe07c.exe
      4⤵
      PID:2160
    - - C:\Users\Admin\AppData\Local\Temp\7zS8EED3216\Thu2102ff6cfe07c.exe
        
        Thu2102ff6cfe07c.exe
        5⤵
        Executes dropped EXE
        
        PID:816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu21568b0ab8.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Users\Admin\AppData\Local\Temp\7zS8EED3216\Thu21568b0ab8.exe
        
        Thu21568b0ab8.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu2156de5489c19.exe
      4⤵
      PID:1796
    - - C:\Users\Admin\AppData\Local\Temp\7zS8EED3216\Thu2156de5489c19.exe
        
        Thu2156de5489c19.exe
        5⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 468
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1224

C:\Users\Admin\AppData\Roaming\aefwrfi
C:\Users\Admin\AppData\Roaming\aefwrfi
1⤵
- Executes dropped EXE
PID:4412

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe
"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"
1⤵
PID:4680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1088-226-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1436-216-0x000001923EFE0000-0x000001923EFE2000-memory.dmp

Filesize
8KB

Download
memory/1436-274-0x000001923EFE5000-0x000001923EFE7000-memory.dmp

Filesize
8KB

Download
memory/1436-273-0x000001923EFE2000-0x000001923EFE4000-memory.dmp

Filesize
8KB

Download
memory/1436-247-0x0000019240A00000-0x0000019240A7E000-memory.dmp

Filesize
504KB

Download
memory/1436-217-0x000001923ED80000-0x000001923ED8B000-memory.dmp

Filesize
44KB

Download
memory/1436-275-0x000001923EFE4000-0x000001923EFE5000-memory.dmp

Filesize
4KB

Download
memory/1436-200-0x000001923E9C0000-0x000001923E9C1000-memory.dmp

Filesize
4KB

Download
memory/1468-207-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2040-261-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/2040-237-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/2040-227-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2040-239-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/2040-262-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/2040-236-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/2040-241-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/2040-260-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/2040-259-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/2040-258-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/2040-257-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/2040-225-0x00000000039E0000-0x0000000003A1C000-memory.dmp

Filesize
240KB

Download
memory/2040-243-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/2040-256-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/2040-255-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/2040-244-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/2040-250-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/2040-254-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/2040-245-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/2040-253-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/3032-246-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/3032-218-0x0000000000AD0000-0x0000000000AD2000-memory.dmp

Filesize
8KB

Download
memory/3032-189-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/3040-292-0x00000000015C0000-0x00000000015D5000-memory.dmp

Filesize
84KB

Download
memory/3040-550-0x00000000014D0000-0x00000000014E5000-memory.dmp

Filesize
84KB

Download
memory/3048-238-0x0000000000400000-0x0000000002B5B000-memory.dmp

Filesize
39.4MB

Download
memory/3048-267-0x0000000002C40000-0x0000000002C49000-memory.dmp

Filesize
36KB

Download
memory/3080-199-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3080-219-0x0000000000840000-0x000000000085C000-memory.dmp

Filesize
112KB

Download
memory/3080-211-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/3080-229-0x00000000009E0000-0x00000000009E2000-memory.dmp

Filesize
8KB

Download
memory/3080-222-0x000000001B330000-0x000000001B331000-memory.dmp

Filesize
4KB

Download
memory/3080-220-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/3124-233-0x0000000004650000-0x0000000004698000-memory.dmp

Filesize
288KB

Download
memory/3124-263-0x0000000000400000-0x0000000002B6B000-memory.dmp

Filesize
39.4MB

Download
memory/3160-194-0x0000000002CA8000-0x0000000002D23000-memory.dmp

Filesize
492KB

Download
memory/3160-242-0x0000000000400000-0x0000000002BC5000-memory.dmp

Filesize
39.8MB

Download
memory/3160-268-0x00000000048A0000-0x0000000004971000-memory.dmp

Filesize
836KB

Download
memory/3252-210-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/3252-317-0x0000000006B43000-0x0000000006B44000-memory.dmp

Filesize
4KB

Download
memory/3252-290-0x0000000007ED0000-0x0000000007ED1000-memory.dmp

Filesize
4KB

Download
memory/3252-294-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/3252-301-0x00000000093E0000-0x0000000009413000-memory.dmp

Filesize
204KB

Download
memory/3252-286-0x0000000008060000-0x0000000008061000-memory.dmp

Filesize
4KB

Download
memory/3252-303-0x000000007F5A0000-0x000000007F5A1000-memory.dmp

Filesize
4KB

Download
memory/3252-282-0x0000000006DD0000-0x0000000006DD1000-memory.dmp

Filesize
4KB

Download
memory/3252-281-0x0000000007B80000-0x0000000007B81000-memory.dmp

Filesize
4KB

Download
memory/3252-293-0x0000000008430000-0x0000000008431000-memory.dmp

Filesize
4KB

Download
memory/3252-278-0x0000000007AF0000-0x0000000007AF1000-memory.dmp

Filesize
4KB

Download
memory/3252-277-0x0000000007A10000-0x0000000007A11000-memory.dmp

Filesize
4KB

Download
memory/3252-213-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/3252-234-0x0000000006B42000-0x0000000006B43000-memory.dmp

Filesize
4KB

Download
memory/3252-232-0x0000000007180000-0x0000000007181000-memory.dmp

Filesize
4KB

Download
memory/3252-231-0x0000000006AA0000-0x0000000006AA1000-memory.dmp

Filesize
4KB

Download
memory/3252-276-0x0000000007860000-0x0000000007861000-memory.dmp

Filesize
4KB

Download
memory/3252-270-0x0000000006F80000-0x0000000006F81000-memory.dmp

Filesize
4KB

Download
memory/3252-230-0x0000000006B40000-0x0000000006B41000-memory.dmp

Filesize
4KB

Download
memory/3324-249-0x0000000007220000-0x0000000007221000-memory.dmp

Filesize
4KB

Download
memory/3324-279-0x0000000007160000-0x0000000007161000-memory.dmp

Filesize
4KB

Download
memory/3324-266-0x0000000002CC0000-0x0000000002E0A000-memory.dmp

Filesize
1.3MB

Download
memory/3324-240-0x0000000000400000-0x0000000002B6E000-memory.dmp

Filesize
39.4MB

Download
memory/3324-264-0x0000000007222000-0x0000000007223000-memory.dmp

Filesize
4KB

Download
memory/3324-269-0x0000000007230000-0x0000000007231000-memory.dmp

Filesize
4KB

Download
memory/3324-289-0x0000000007E50000-0x0000000007E51000-memory.dmp

Filesize
4KB

Download
memory/3324-271-0x00000000070C0000-0x00000000070DE000-memory.dmp

Filesize
120KB

Download
memory/3324-272-0x0000000007730000-0x0000000007731000-memory.dmp

Filesize
4KB

Download
memory/3324-288-0x0000000007224000-0x0000000007226000-memory.dmp

Filesize
8KB

Download
memory/3324-285-0x0000000007190000-0x0000000007191000-memory.dmp

Filesize
4KB

Download
memory/3324-248-0x0000000004890000-0x00000000048AF000-memory.dmp

Filesize
124KB

Download
memory/3324-265-0x0000000007223000-0x0000000007224000-memory.dmp

Filesize
4KB

Download
memory/3324-280-0x0000000007D40000-0x0000000007D41000-memory.dmp

Filesize
4KB

Download
memory/3536-140-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3536-137-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3536-134-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3536-139-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/3536-133-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3536-143-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3536-132-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/3536-141-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3536-135-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3536-138-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3536-136-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3536-142-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3692-212-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4412-549-0x0000000000400000-0x0000000002B5B000-memory.dmp

Filesize
39.4MB

Download