Analysis

  • max time kernel
    62s
  • max time network
    161s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    20/12/2021, 14:02

General

  • Target

    51e9f37d22b1fab57644a98cb4a8371e6313951a9c7c7e420434fd193ebf4c10.exe

  • Size

    7.2MB

  • MD5

    dae2316b551b4502015dee0773decd38

  • SHA1

    129446f53bd0ec2f336235dfa9ab7505e326354e

  • SHA256

    51e9f37d22b1fab57644a98cb4a8371e6313951a9c7c7e420434fd193ebf4c10

  • SHA512

    c52a5cc90d6e53d9968a585910d472af3188d0c509b51ecd9aa0e3e6a44fe866a9bdd5e473beccdb7dfe0fab7df95b0e6532b75a4535be91737932bb48353736

Malware Config

Extracted

Family

socelars

C2

http://www.biohazardgraphics.com/

Extracted

Family

raccoon

Botnet

b2a6680a55967ecaa6997d8e44705c8be49a632c

Attributes
  • url4cnc

    http://194.180.174.53/masseffectus2

    http://91.219.236.18/masseffectus2

    http://194.180.174.41/masseffectus2

    http://91.219.236.148/masseffectus2

    https://t.me/masseffectus2

rc4.plain
rc4.plain

Extracted

Family

vidar

Version

49.1

Botnet

915

C2

https://noc.social/@sergeev46

https://c.im/@sergeev47

Attributes
  • profile_id

    915

Extracted

Family

smokeloader

Version

2020

C2

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

rc4.i32
rc4.i32
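The Raccoon and Vidar entries above point at dead-drop resolvers on legitimate platforms (a Telegram channel and two Mastodon profiles) rather than at attacker-owned hosts, which is also what the report's "Legitimate hosting services abused for malware hosting/C2" signature refers to. Blocking or alerting on those hosts alone would flag every user of t.me, noc.social or c.im. The Python below is an added example, not part of the sandbox report: it turns the extracted configuration into a matcher that treats the SmokeLoader, Socelars and direct-IP Raccoon entries as host-level indicators and the shared-platform URLs as host-plus-path indicators, then runs it over a few proxy log lines. The log format ("time client process url"), the client address and the process names in SAMPLE_PROXY_LOG are constructed for the demo; only the indicator URLs come from the page.

```python
"""Match proxy-log URLs against the C2 indicators extracted in the Malware Config.

Added example, not part of the sandbox report. Indicator URLs are copied from
the report; SAMPLE_PROXY_LOG, its layout and its process names are constructed.
"""
from urllib.parse import urlsplit

# Dedicated C2 infrastructure: any request to the host is an indicator.
DEDICATED_C2 = {
    "socelars": ["http://www.biohazardgraphics.com/"],
    "raccoon": [
        "http://194.180.174.53/masseffectus2",
        "http://91.219.236.18/masseffectus2",
        "http://194.180.174.41/masseffectus2",
        "http://91.219.236.148/masseffectus2",
    ],
    "smokeloader": [
        "http://rcacademy.at/upload/",
        "http://e-lanpengeonline.com/upload/",
        "http://vjcmvz.cn/upload/",
        "http://galala.ru/upload/",
        "http://witra.ru/upload/",
    ],
}
# Dead-drop resolvers on legitimate platforms: only host + path is an indicator.
SHARED_PLATFORM_C2 = {
    "raccoon": ["https://t.me/masseffectus2"],
    "vidar": ["https://noc.social/@sergeev46", "https://c.im/@sergeev47"],
}


def host_and_path(url):
    """Normalise to (host, path): host lower-cased, scheme ignored, trailing '/' dropped.
    The path keeps its case because Mastodon handles and Telegram channel names do."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path.rstrip("/")


def build_index():
    """Two lookup tables: host -> family, and (host, path) -> family."""
    by_host, by_host_path = {}, {}
    for family, urls in DEDICATED_C2.items():
        for url in urls:
            by_host[host_and_path(url)[0]] = family
    for family, urls in SHARED_PLATFORM_C2.items():
        for url in urls:
            by_host_path[host_and_path(url)] = family
    return by_host, by_host_path


def classify(url, index):
    """Return the family a URL belongs to, or None when it matches nothing."""
    by_host, by_host_path = index
    host, path = host_and_path(url)
    if host in by_host:
        return by_host[host]
    return by_host_path.get((host, path))


# Constructed proxy log: "<time> <client> <process> <url>". Lines 2 and 5 are
# ordinary traffic to the same legitimate platforms and must not match.
SAMPLE_PROXY_LOG = [
    "2021-12-20T14:03:01Z 10.0.0.15 dropped_a.exe http://galala.ru/upload/",
    "2021-12-20T14:03:02Z 10.0.0.15 chrome.exe https://t.me/s/some_public_channel",
    "2021-12-20T14:03:04Z 10.0.0.15 dropped_b.exe https://t.me/masseffectus2",
    "2021-12-20T14:03:05Z 10.0.0.15 dropped_c.exe https://noc.social/@sergeev46",
    "2021-12-20T14:03:06Z 10.0.0.15 chrome.exe https://noc.social/@someone_else",
    "2021-12-20T14:03:09Z 10.0.0.15 dropped_d.exe http://91.219.236.148/gate",
]


def scan(lines, index=None):
    """Return (line number, process, family, url) for every matching log line."""
    if index is None:
        index = build_index()
    hits = []
    for lineno, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        family = classify(fields[3], index)
        if family:
            hits.append((lineno, fields[2], family, fields[3]))
    return hits


if __name__ == "__main__":
    for lineno, process, family, url in scan(SAMPLE_PROXY_LOG):
        print(f"line {lineno}: {process} -> {url} [{family}]")
```

Note that the dedicated Raccoon IPs are matched on host even when the path differs (the last sample line), while the t.me and Mastodon entries require the exact channel or profile path; scheme is deliberately ignored since the same resolver can be fetched over either.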

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 4 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 2 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 5 IoCs
  • Vidar Stealer 2 IoCs
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Downloads MZ/PE file
  • Executes dropped EXE 37 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 3 IoCs
  • Modifies registry class 2 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\51e9f37d22b1fab57644a98cb4a8371e6313951a9c7c7e420434fd193ebf4c10.exe
    "C:\Users\Admin\AppData\Local\Temp\51e9f37d22b1fab57644a98cb4a8371e6313951a9c7c7e420434fd193ebf4c10.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3372
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1588
      • C:\Users\Admin\AppData\Local\Temp\7zS43642456\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS43642456\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:592
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3460
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2976
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3700
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1348
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun020372b94495.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3956
          • C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun020372b94495.exe
            Sun020372b94495.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:3980
            • C:\Users\Admin\AppData\Local\8b6bf3ae-856c-4670-b123-0229cafed51b.exe
              "C:\Users\Admin\AppData\Local\8b6bf3ae-856c-4670-b123-0229cafed51b.exe"
              6⤵
              • Executes dropped EXE
              PID:3856
            • C:\Users\Admin\AppData\Local\ff6eab52-f77f-4d94-aacd-58adf2c158be.exe
              "C:\Users\Admin\AppData\Local\ff6eab52-f77f-4d94-aacd-58adf2c158be.exe"
              6⤵
              • Executes dropped EXE
              • Adds Run key to start application
              PID:1392
              • C:\Users\Admin\AppData\Roaming\19478679\9995931099959310.exe
                "C:\Users\Admin\AppData\Roaming\19478679\9995931099959310.exe"
                7⤵
                • Executes dropped EXE
                PID:4856
            • C:\Users\Admin\AppData\Local\de85904c-da0d-431e-8ae4-8570bd45678c.exe
              "C:\Users\Admin\AppData\Local\de85904c-da0d-431e-8ae4-8570bd45678c.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:1016
            • C:\Users\Admin\AppData\Local\133949fe-3dd5-4a64-9b67-d7b770af45b5.exe
              "C:\Users\Admin\AppData\Local\133949fe-3dd5-4a64-9b67-d7b770af45b5.exe"
              6⤵
              • Executes dropped EXE
              PID:4024
              • C:\Users\Admin\AppData\Roaming\5703862.exe
                "C:\Users\Admin\AppData\Roaming\5703862.exe"
                7⤵
                PID:4416
                • C:\Windows\SysWOW64\control.exe
                  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                  8⤵
                  PID:4216
                  • C:\Windows\SysWOW64\rundll32.exe
                    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                    9⤵
                    PID:4884
            • C:\Users\Admin\AppData\Local\337be442-ca72-43f0-b5e6-6810727f8528.exe
              "C:\Users\Admin\AppData\Local\337be442-ca72-43f0-b5e6-6810727f8528.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:3824
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun02687ff429634d30b.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1012
          • C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02687ff429634d30b.exe
            Sun02687ff429634d30b.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            PID:400
            • C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02687ff429634d30b.exe
              C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02687ff429634d30b.exe
              6⤵
              • Executes dropped EXE
              PID:2960
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun02d50deb5f.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3952
          • C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02d50deb5f.exe
            Sun02d50deb5f.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1872
            • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
              "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
              6⤵
              • Executes dropped EXE
              PID:1048
              • C:\Users\Admin\AppData\Local\Temp\mynewstfile.exe
                "C:\Users\Admin\AppData\Local\Temp\mynewstfile.exe"
                7⤵
                • Executes dropped EXE
                PID:1180
              • C:\Users\Admin\AppData\Local\Temp\Ebook10.exe
                "C:\Users\Admin\AppData\Local\Temp\Ebook10.exe"
                7⤵
                • Executes dropped EXE
                PID:2096
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun02158c4429642.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3740
          • C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02158c4429642.exe
            Sun02158c4429642.exe
            5⤵
            • Executes dropped EXE
            PID:4080
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun02466441087bfc9.exe
          4⤵
          PID:4032
          • C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02466441087bfc9.exe
            Sun02466441087bfc9.exe
            5⤵
            • Executes dropped EXE
            PID:4072
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun02b9c2ca0dbf.exe /mixtwo
          4⤵
          PID:2908
          • C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02b9c2ca0dbf.exe
            Sun02b9c2ca0dbf.exe /mixtwo
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            PID:3004
            • C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02b9c2ca0dbf.exe
              Sun02b9c2ca0dbf.exe /mixtwo
              6⤵
              • Executes dropped EXE
              PID:2704
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c taskkill /im "Sun02b9c2ca0dbf.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02b9c2ca0dbf.exe" & exit
                7⤵
                PID:4864
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /im "Sun02b9c2ca0dbf.exe" /f
                  8⤵
                  • Kills process with taskkill
                  PID:1704
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun020a58adf7e2118f.exe
          4⤵
          PID:3752
          • C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun020a58adf7e2118f.exe
            Sun020a58adf7e2118f.exe
            5⤵
            • Executes dropped EXE
            • Modifies registry class
            PID:1572
            • C:\Windows\SysWOW64\control.exe
              "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\CCPKJ.CPl",
              6⤵
              PID:4840
              • C:\Windows\SysWOW64\rundll32.exe
                "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\CCPKJ.CPl",
                7⤵
                PID:4388
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun0289a4802fe9c10.exe
          4⤵
          PID:1376
          • C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun0289a4802fe9c10.exe
            Sun0289a4802fe9c10.exe
            5⤵
            • Executes dropped EXE
            PID:1848
            • C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun0289a4802fe9c10.exe
              "C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun0289a4802fe9c10.exe" -u
              6⤵
              • Executes dropped EXE
              PID:1584
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun02bca234bb37c.exe
          4⤵
          PID:2428
          • C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02bca234bb37c.exe
            Sun02bca234bb37c.exe
            5⤵
            • Executes dropped EXE
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            PID:2616
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun0258a3bfb9448.exe
          4⤵
          PID:1444
          • C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun0258a3bfb9448.exe
            Sun0258a3bfb9448.exe
            5⤵
            • Executes dropped EXE
            PID:1788
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c taskkill /im Sun0258a3bfb9448.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun0258a3bfb9448.exe" & del C:\ProgramData\*.dll & exit
              6⤵
              PID:4064
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /im Sun0258a3bfb9448.exe /f
                7⤵
                • Kills process with taskkill
                PID:4928
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 6
                7⤵
                • Delays execution with timeout.exe
                PID:3068
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun02b54c9f5924cbd3f.exe
          4⤵
          PID:1476
          • C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02b54c9f5924cbd3f.exe
            Sun02b54c9f5924cbd3f.exe
            5⤵
            • Executes dropped EXE
            PID:956
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun02dc04e4fb5564a.exe
          4⤵
          PID:2564
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun02989ef95cb95.exe
          4⤵
          PID:604
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun02a326084de0.exe
          4⤵
          PID:1844
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun025e2074db2bd693.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3136
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun020570a5cfa553fb.exe
          4⤵
          PID:1016
  • C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02dc04e4fb5564a.exe
    Sun02dc04e4fb5564a.exe
    1⤵
    • Executes dropped EXE
    PID:3728
    • C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      2⤵
      • Executes dropped EXE
      PID:2016
    • C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      2⤵
      • Executes dropped EXE
      PID:3592
  • C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02a326084de0.exe
    Sun02a326084de0.exe
    1⤵
    • Executes dropped EXE
    • Modifies registry class
    PID:1900
    • C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\LBFPVwUW.cpl",
      2⤵
      PID:2268
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\LBFPVwUW.cpl",
        3⤵
        • Loads dropped DLL
        PID:4920
        • C:\Windows\system32\RunDll32.exe
          C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\LBFPVwUW.cpl",
          4⤵
          PID:4780
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\LBFPVwUW.cpl",
            5⤵
            PID:1664
  • C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun020570a5cfa553fb.exe
    Sun020570a5cfa553fb.exe
    1⤵
    • Executes dropped EXE
    PID:1664
    • C:\Users\Admin\AppData\Local\Temp\is-A2K72.tmp\Sun020570a5cfa553fb.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-A2K72.tmp\Sun020570a5cfa553fb.tmp" /SL5="$20084,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun020570a5cfa553fb.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:756
      • C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun020570a5cfa553fb.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun020570a5cfa553fb.exe" /SILENT
        3⤵
        • Executes dropped EXE
        PID:1772
        • C:\Users\Admin\AppData\Local\Temp\is-UALMO.tmp\Sun020570a5cfa553fb.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-UALMO.tmp\Sun020570a5cfa553fb.tmp" /SL5="$201D0,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun020570a5cfa553fb.exe" /SILENT
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:3352
  • C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02989ef95cb95.exe
    Sun02989ef95cb95.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1576
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im chrome.exe
      2⤵
      PID:4932
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im chrome.exe
        3⤵
        • Kills process with taskkill
        PID:4224
  • C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun025e2074db2bd693.exe
    Sun025e2074db2bd693.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    PID:3908
    • C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun025e2074db2bd693.exe
      C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun025e2074db2bd693.exe
      2⤵
      • Executes dropped EXE
      PID:1664
    • C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun025e2074db2bd693.exe
      C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun025e2074db2bd693.exe
      2⤵
      • Executes dropped EXE
      PID:4204
  • C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    1⤵
    • Process spawned unexpected child process
    PID:3320
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
      2⤵
      PID:4280
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k SystemNetworkService
    1⤵
    PID:1188
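Several branches of this tree are generic enough to turn into detection logic that does not depend on the dropped file names: the two PowerShell invocations that disable Defender real-time monitoring and add a Temp exclusion, the control.exe / rundll32.exe Control_RunDLL chains that load a .cpl from the user's Temp directory, the taskkill followed by erase or del that removes the unpacked stage, the taskkill of chrome.exe (which releases the lock on the browser's profile databases before a stealer reads them), the 11111.exe command line that names Chrome's Cookies file, and rundll32.exe loading sqlite.dll from Temp. The Python below is an added example, not part of the report, that expresses those as regular-expression rules and evaluates them over process-creation records. The PIDs, image names and command lines in SAMPLE_EVENTS are copied from the tree above; the parent column is read off the tree (and left as "?" for the rundll32.exe whose parent the tree does not show), and the final Get-MpPreference record is constructed to show a benign Defender query that must not fire.

```python
"""Rule-based triage of process-creation records taken from the Processes tree.

Added example, not part of the sandbox report. SAMPLE_EVENTS copies PIDs,
image names and command lines from the report; the parent column and the
final benign record are constructed.
"""
import re

TEMP = r"\\AppData\\Local\\Temp\\"  # regex fragment: literal \AppData\Local\Temp\

# (rule name, pattern evaluated against the full command line)
RULES = [
    # Defender real-time protection disabled or exclusions added through PowerShell
    ("defender_tampering", re.compile(
        r"\b(Set|Add)-MpPreference\b.*-(DisableRealtimeMonitoring|DisableBehaviorMonitoring|"
        r"ExclusionPath|ExclusionProcess|ExclusionExtension|SubmitSamplesConsent|MAPSReporting)", re.I)),
    # Control Panel applet (.cpl) run from %TEMP% through control.exe or rundll32.exe
    ("cpl_loaded_from_temp", re.compile(
        r"(control\.exe|rundll32\.exe).*" + TEMP + r'[^"\s]+\.cpl', re.I)),
    # rundll32.exe executing an arbitrary DLL dropped in %TEMP%
    ("rundll32_dll_from_temp", re.compile(
        r"rundll32\.exe.*" + TEMP + r'[^"\s]+\.dll\b', re.I)),
    # taskkill of the caller followed by erase/del: self-removal after unpacking
    ("taskkill_then_delete", re.compile(r"\btaskkill\b.*\b(del|erase)\b", re.I)),
    # browser killed so its locked SQLite stores (cookies, logins) can be copied
    ("browser_process_kill", re.compile(
        r'\btaskkill\b.*/im\s+"?(chrome|msedge|firefox|brave|opera|iexplore)\.exe', re.I)),
    # a tool handed Chrome's cookie/credential database directly on its command line
    ("browser_store_on_cmdline", re.compile(
        r"\\User Data\\.*?\\(Cookies|Login Data|Web Data)\b", re.I)),
]

# (pid, parent image, image, command line) from the Processes section above
SAMPLE_EVENTS = [
    (2976, "cmd.exe", "powershell.exe",
     r'powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable'),
    (1348, "cmd.exe", "powershell.exe",
     r'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"'),
    (4216, "5703862.exe", "control.exe",
     r'"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",'),
    (4884, "control.exe", "rundll32.exe",
     r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",'),
    (1664, "RunDll32.exe", "rundll32.exe",
     r'"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\LBFPVwUW.cpl",'),
    (4864, "Sun02b9c2ca0dbf.exe", "cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c taskkill /im "Sun02b9c2ca0dbf.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun02b9c2ca0dbf.exe" & exit'),
    (4064, "Sun0258a3bfb9448.exe", "cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c taskkill /im Sun0258a3bfb9448.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS43642456\Sun0258a3bfb9448.exe" & del C:\ProgramData\*.dll & exit'),
    (4224, "cmd.exe", "taskkill.exe", r'taskkill /f /im chrome.exe'),
    (2016, "Sun02dc04e4fb5564a.exe", "11111.exe",
     r'C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt'),
    (3320, "?", "rundll32.exe",  # parent not shown in the tree
     r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global'),
    # constructed benign record: reading Defender settings is not tampering
    (9001, "explorer.exe", "powershell.exe", r'powershell -NonInteractive -Command Get-MpPreference'),
]


def evaluate(cmdline):
    """Return the names of every rule whose pattern matches the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def detect(events):
    """Map PID -> matched rule names, omitting records that match nothing."""
    hits = {}
    for pid, _parent, _image, cmdline in events:
        matched = evaluate(cmdline)
        if matched:
            hits[pid] = matched
    return hits


def report(events):
    """One line per flagged record: PID, parent -> image, rules."""
    hits = detect(events)
    return "\n".join(
        f"PID {pid:<5} {parent:<24} -> {image:<16} {', '.join(hits[pid])}"
        for pid, parent, image, _cmdline in events if pid in hits)


if __name__ == "__main__":
    print(report(SAMPLE_EVENTS))
```

Command-line string matching is the weakest form of this check: the same Set-MpPreference call passed through -EncodedCommand, or a renamed copy of rundll32.exe, evades every rule above. Pair it with Defender's own operational log (event ID 5001 records real-time protection being disabled, 5007 records configuration changes such as new exclusions) and with image-load telemetry for the .cpl and .dll files rather than relying on the command line alone.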

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/316-653-0x0000022DE5E90000-0x0000022DE5F02000-memory.dmp
    Filesize: 456KB

  • memory/396-283-0x0000000000AE0000-0x0000000000AF6000-memory.dmp
    Filesize: 88KB

  • memory/400-258-0x0000000004B10000-0x0000000004B11000-memory.dmp
    Filesize: 4KB

  • memory/400-260-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
    Filesize: 4KB

  • memory/400-308-0x00000000052B0000-0x00000000052B1000-memory.dmp
    Filesize: 4KB

  • memory/400-223-0x00000000001A0000-0x00000000001A1000-memory.dmp
    Filesize: 4KB

  • memory/592-138-0x000000006FE40000-0x000000006FFC6000-memory.dmp
    Filesize: 1.5MB

  • memory/592-141-0x000000006FE40000-0x000000006FFC6000-memory.dmp
    Filesize: 1.5MB

  • memory/592-143-0x000000006FE40000-0x000000006FFC6000-memory.dmp
    Filesize: 1.5MB

  • memory/592-135-0x000000006B440000-0x000000006B4CF000-memory.dmp
    Filesize: 572KB

  • memory/592-142-0x0000000064940000-0x0000000064959000-memory.dmp
    Filesize: 100KB

  • memory/592-136-0x000000006B440000-0x000000006B4CF000-memory.dmp
    Filesize: 572KB

  • memory/592-137-0x000000006B440000-0x000000006B4CF000-memory.dmp
    Filesize: 572KB

  • memory/592-144-0x0000000064940000-0x0000000064959000-memory.dmp
    Filesize: 100KB

  • memory/592-139-0x000000006FE40000-0x000000006FFC6000-memory.dmp
    Filesize: 1.5MB

  • memory/592-145-0x000000006B280000-0x000000006B2A6000-memory.dmp
    Filesize: 152KB

  • memory/592-140-0x0000000064940000-0x0000000064959000-memory.dmp
    Filesize: 100KB

  • memory/592-146-0x0000000064940000-0x0000000064959000-memory.dmp
    Filesize: 100KB

  • memory/756-261-0x0000000000730000-0x00000000007DE000-memory.dmp
    Filesize: 696KB

  • memory/968-975-0x000002A56FB60000-0x000002A56FBD2000-memory.dmp
    Filesize: 456KB

  • memory/1016-359-0x0000000002BF0000-0x0000000002BF1000-memory.dmp
    Filesize: 4KB

  • memory/1016-317-0x0000000002300000-0x0000000002345000-memory.dmp
    Filesize: 276KB

  • memory/1016-319-0x0000000000C30000-0x0000000000DFF000-memory.dmp
    Filesize: 1.8MB

  • memory/1016-321-0x0000000000120000-0x0000000000121000-memory.dmp
    Filesize: 4KB

                                                        • memory/1016-320-0x0000000000C30000-0x0000000000DFF000-memory.dmp

                                                          Filesize

                                                          1.8MB

                                                        • memory/1048-270-0x00000000005F0000-0x00000000005F1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1108-665-0x0000021C87000000-0x0000021C87072000-memory.dmp

                                                          Filesize

                                                          456KB

                                                        • memory/1180-435-0x0000000002534000-0x0000000002536000-memory.dmp

                                                          Filesize

                                                          8KB

                                                        • memory/1180-420-0x0000000000400000-0x00000000004ED000-memory.dmp

                                                          Filesize

                                                          948KB

                                                        • memory/1180-434-0x0000000002533000-0x0000000002534000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1180-432-0x0000000002532000-0x0000000002533000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1180-422-0x0000000002530000-0x0000000002531000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1180-417-0x0000000002110000-0x0000000002149000-memory.dmp

                                                          Filesize

                                                          228KB

                                                        • memory/1188-862-0x0000020CB2300000-0x0000020CB2405000-memory.dmp

                                                          Filesize

                                                          1.0MB

                                                        • memory/1188-654-0x0000020CAF880000-0x0000020CAF8F2000-memory.dmp

                                                          Filesize

                                                          456KB

                                                        • memory/1188-859-0x0000020CAF9A0000-0x0000020CAF9C9000-memory.dmp

                                                          Filesize

                                                          164KB

                                                        • memory/1188-856-0x0000020CAF980000-0x0000020CAF99B000-memory.dmp

                                                          Filesize

                                                          108KB

                                                        • memory/1348-483-0x00000000045F3000-0x00000000045F4000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1348-313-0x0000000007790000-0x0000000007791000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1348-228-0x0000000004640000-0x0000000004641000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1348-456-0x000000007EFD0000-0x000000007EFD1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1348-234-0x00000000045F2000-0x00000000045F3000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1348-226-0x00000000045F0000-0x00000000045F1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1348-200-0x0000000001000000-0x0000000001001000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1348-197-0x0000000001000000-0x0000000001001000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1348-235-0x0000000006D80000-0x0000000006D81000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1348-295-0x0000000006D40000-0x0000000006D41000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1392-309-0x0000000000E60000-0x0000000000E61000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1392-318-0x0000000001380000-0x0000000001381000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1572-250-0x0000000002E40000-0x0000000002E41000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1572-247-0x0000000002E40000-0x0000000002E41000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1664-974-0x00000000001D0000-0x00000000001D1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1664-224-0x0000000000400000-0x00000000004CC000-memory.dmp

                                                          Filesize

                                                          816KB

                                                        • memory/1772-276-0x0000000000400000-0x00000000004CC000-memory.dmp

                                                          Filesize

                                                          816KB

                                                        • memory/1788-278-0x0000000002210000-0x00000000022E9000-memory.dmp

                                                          Filesize

                                                          868KB

                                                        • memory/1788-275-0x0000000000746000-0x00000000007C2000-memory.dmp

                                                          Filesize

                                                          496KB

                                                        • memory/1788-280-0x0000000000400000-0x0000000000536000-memory.dmp

                                                          Filesize

                                                          1.2MB

                                                        • memory/1872-188-0x0000000001150000-0x0000000001152000-memory.dmp

                                                          Filesize

                                                          8KB

                                                        • memory/1872-176-0x00000000008A0000-0x00000000008A1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1900-218-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/1900-214-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2016-289-0x0000000000400000-0x0000000000455000-memory.dmp

                                                          Filesize

                                                          340KB

                                                        • memory/2328-663-0x0000014744940000-0x00000147449B2000-memory.dmp

                                                          Filesize

                                                          456KB

                                                        • memory/2364-662-0x000001DA28840000-0x000001DA288B2000-memory.dmp

                                                          Filesize

                                                          456KB

                                                        • memory/2504-652-0x0000014EF7C30000-0x0000014EF7C7D000-memory.dmp

                                                          Filesize

                                                          308KB

                                                        • memory/2504-656-0x0000014EF8670000-0x0000014EF86E2000-memory.dmp

                                                          Filesize

                                                          456KB

                                                        • memory/2616-279-0x0000000000400000-0x00000000004CA000-memory.dmp

                                                          Filesize

                                                          808KB

                                                        • memory/2616-277-0x0000000000520000-0x0000000000529000-memory.dmp

                                                          Filesize

                                                          36KB

                                                        • memory/2704-231-0x0000000000400000-0x0000000000450000-memory.dmp

                                                          Filesize

                                                          320KB

                                                        • memory/2704-248-0x0000000000400000-0x0000000000450000-memory.dmp

                                                          Filesize

                                                          320KB

                                                        • memory/2960-380-0x00000000057F0000-0x0000000005DF6000-memory.dmp

                                                          Filesize

                                                          6.0MB

                                                        • memory/2976-230-0x0000000006770000-0x0000000006771000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2976-198-0x00000000008F0000-0x00000000008F1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2976-453-0x000000007EC60000-0x000000007EC61000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2976-307-0x00000000075C0000-0x00000000075C1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2976-302-0x0000000007450000-0x0000000007451000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2976-202-0x00000000008F0000-0x00000000008F1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2976-485-0x0000000006773000-0x0000000006774000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/2976-251-0x0000000006772000-0x0000000006773000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/3352-301-0x0000000000690000-0x000000000073E000-memory.dmp

                                                          Filesize

                                                          696KB

                                                        • memory/3824-335-0x0000000002480000-0x00000000024C5000-memory.dmp

                                                          Filesize

                                                          276KB

                                                        • memory/3824-373-0x0000000004F90000-0x0000000004F91000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/3856-323-0x000000000DE20000-0x000000000DE80000-memory.dmp

                                                          Filesize

                                                          384KB

                                                        • memory/3856-304-0x0000000002F10000-0x0000000002F11000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/3856-339-0x00000000054E0000-0x00000000054E1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/3856-299-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/3908-222-0x00000000000A0000-0x00000000000A1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/3908-255-0x0000000004980000-0x0000000004981000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/3908-254-0x00000000048F0000-0x00000000048F1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/3908-252-0x0000000004990000-0x0000000004991000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/3908-257-0x00000000022E0000-0x00000000022E1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/3980-206-0x00000000013A0000-0x00000000013A1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/3980-245-0x0000000002D70000-0x0000000002D84000-memory.dmp

                                                          Filesize

                                                          80KB

                                                        • memory/3980-241-0x000000001B850000-0x000000001B852000-memory.dmp

                                                          Filesize

                                                          8KB

                                                        • memory/3980-180-0x0000000000C80000-0x0000000000C81000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/3980-262-0x00000000013B0000-0x00000000013B1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/4024-377-0x0000000002A90000-0x0000000002A91000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/4204-400-0x0000000005530000-0x0000000005B36000-memory.dmp

                                                          Filesize

                                                          6.0MB

                                                        • memory/4280-648-0x0000000000D70000-0x0000000000DCD000-memory.dmp

                                                          Filesize

                                                          372KB

                                                        • memory/4280-646-0x0000000000BD8000-0x0000000000CD9000-memory.dmp

                                                          Filesize

                                                          1.0MB

                                                        • memory/4388-888-0x000000002F290000-0x000000002F349000-memory.dmp

                                                          Filesize

                                                          740KB

                                                        • memory/4388-892-0x000000002F410000-0x000000002F4C8000-memory.dmp

                                                          Filesize

                                                          736KB

                                                        • memory/4388-838-0x00000000009B0000-0x00000000009B1000-memory.dmp

                                                          Filesize

                                                          4KB

                                                        • memory/4856-440-0x000000001AFF0000-0x000000001AFF2000-memory.dmp

                                                          Filesize

                                                          8KB

                                                        • memory/4884-965-0x0000000000530000-0x000000000067A000-memory.dmp

                                                          Filesize

                                                          1.3MB

                                                        • memory/4920-635-0x000000002FBB0000-0x000000002FC68000-memory.dmp

                                                          Filesize

                                                          736KB

                                                        • memory/4920-629-0x0000000002E90000-0x0000000002FDA000-memory.dmp

                                                          Filesize

                                                          1.3MB

                                                        • memory/4920-636-0x000000002FD70000-0x000000002FE26000-memory.dmp

                                                          Filesize

                                                          728KB