Analysis

  • max time kernel
    157s
  • max time network
    158s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    20/12/2021, 14:02

General

  • Target

    345a5bef0a5c1535244633d9776391f07e1e2e803adc1f545135218dd4da301b.exe

  • Size

    7.8MB

  • MD5

    bb627ed9b75d70e535ee848ce917aa65

  • SHA1

    7dc9b35117234134d910f53e2345d3157c25e8b2

  • SHA256

    345a5bef0a5c1535244633d9776391f07e1e2e803adc1f545135218dd4da301b

  • SHA512

    acbac7166c809f43e50111bb118fac43d09f3219f1e15c593438ed5dc406e0100abf2fca68ba6c2e0545d49c853aeb75e71bf64f034dd0b13f5f48d61acbba67

Malware Config

Extracted

Family

socelars

C2

http://www.biohazardgraphics.com/

Extracted

Family

redline

Botnet

media19n

C2

65.108.69.168:13293

Extracted

Family

redline

Botnet

v3user1

C2

159.69.246.184:13127

Extracted

Family

vidar

Version

49.1

Botnet

915

C2

https://noc.social/@sergeev46

https://c.im/@sergeev47

Attributes
  • profile_id

    915

Extracted

Family

smokeloader

Version

2020

C2

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

rc4.i32
rc4.i32

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 4 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 2 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 4 IoCs
  • Vidar Stealer 2 IoCs
  • ASPack v2.12-2.42 7 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Downloads MZ/PE file
  • Executes dropped EXE 21 IoCs
  • Loads dropped DLL 6 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 7 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Kills process with taskkill 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 39 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\345a5bef0a5c1535244633d9776391f07e1e2e803adc1f545135218dd4da301b.exe
    "C:\Users\Admin\AppData\Local\Temp\345a5bef0a5c1535244633d9776391f07e1e2e803adc1f545135218dd4da301b.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3168
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:628
      • C:\Users\Admin\AppData\Local\Temp\7zS4721B236\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS4721B236\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1544
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1580
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1144
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1064
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:736
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat215d0254132.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3456
          • C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat215d0254132.exe
            Sat215d0254132.exe
            5⤵
            • Executes dropped EXE
            PID:2924
            • C:\Users\Admin\Pictures\Adobe Films\880obRJ2peZVljWcvPfwSLYQ.exe
              "C:\Users\Admin\Pictures\Adobe Films\880obRJ2peZVljWcvPfwSLYQ.exe"
              6⤵
              PID:4912
            • C:\Users\Admin\Pictures\Adobe Films\vPfSSfVH3k5wJDIC1o_huerb.exe
              "C:\Users\Admin\Pictures\Adobe Films\vPfSSfVH3k5wJDIC1o_huerb.exe"
              6⤵
              PID:6116
            • C:\Users\Admin\Pictures\Adobe Films\OoGcmDX43QVOqqOfwhrWveZU.exe
              "C:\Users\Admin\Pictures\Adobe Films\OoGcmDX43QVOqqOfwhrWveZU.exe"
              6⤵
              PID:5536
            • C:\Users\Admin\Pictures\Adobe Films\pKfT649gIz9ZLtXSj447kq71.exe
              "C:\Users\Admin\Pictures\Adobe Films\pKfT649gIz9ZLtXSj447kq71.exe"
              6⤵
              PID:5528
            • C:\Users\Admin\Pictures\Adobe Films\shs_R95LC6mIDYkurkxcHFKY.exe
              "C:\Users\Admin\Pictures\Adobe Films\shs_R95LC6mIDYkurkxcHFKY.exe"
              6⤵
              PID:5500
              • C:\Program Files (x86)\Company\NewProduct\rtst1039.exe
                "C:\Program Files (x86)\Company\NewProduct\rtst1039.exe"
                7⤵
                PID:720
                • C:\Users\Admin\AppData\Local\Temp\11111.exe
                  C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                  8⤵
                  PID:4368
              • C:\Program Files (x86)\Company\NewProduct\OneCleanerInst931928.exe
                "C:\Program Files (x86)\Company\NewProduct\OneCleanerInst931928.exe"
                7⤵
                PID:4668
              • C:\Program Files (x86)\Company\NewProduct\inst2.exe
                "C:\Program Files (x86)\Company\NewProduct\inst2.exe"
                7⤵
                PID:1392
            • C:\Users\Admin\Pictures\Adobe Films\EZOzdpUS0_hiMYu4aND1lcte.exe
              "C:\Users\Admin\Pictures\Adobe Films\EZOzdpUS0_hiMYu4aND1lcte.exe"
              6⤵
              PID:5444
            • C:\Users\Admin\Pictures\Adobe Films\ijcU8m0tyKZq1WtjIu4ar2GV.exe
              "C:\Users\Admin\Pictures\Adobe Films\ijcU8m0tyKZq1WtjIu4ar2GV.exe"
              6⤵
              PID:2744
            • C:\Users\Admin\Pictures\Adobe Films\WJ8DKICj9QEHjJJyLDoXQ7Eg.exe
              "C:\Users\Admin\Pictures\Adobe Films\WJ8DKICj9QEHjJJyLDoXQ7Eg.exe"
              6⤵
              PID:4728
            • C:\Users\Admin\Pictures\Adobe Films\RO1ZkncEfAhuKET5ToB8W8Zm.exe
              "C:\Users\Admin\Pictures\Adobe Films\RO1ZkncEfAhuKET5ToB8W8Zm.exe"
              6⤵
              PID:6044
            • C:\Users\Admin\Pictures\Adobe Films\mOgpsEbKEaGKcs048SacWWJJ.exe
              "C:\Users\Admin\Pictures\Adobe Films\mOgpsEbKEaGKcs048SacWWJJ.exe"
              6⤵
              PID:5688
            • C:\Users\Admin\Pictures\Adobe Films\ymqrQuypkEhs2hJHfmzZSOPK.exe
              "C:\Users\Admin\Pictures\Adobe Films\ymqrQuypkEhs2hJHfmzZSOPK.exe"
              6⤵
              PID:2844
              • C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
                "C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
                7⤵
                PID:7072
            • C:\Users\Admin\Pictures\Adobe Films\ZXPOnilabxCgKqx7mafMB8i1.exe
              "C:\Users\Admin\Pictures\Adobe Films\ZXPOnilabxCgKqx7mafMB8i1.exe"
              6⤵
              PID:4040
            • C:\Users\Admin\Pictures\Adobe Films\nAxi5YZZZSzvDlR74nfMxLBh.exe
              "C:\Users\Admin\Pictures\Adobe Films\nAxi5YZZZSzvDlR74nfMxLBh.exe"
              6⤵
              PID:1036
              • C:\Users\Admin\AppData\Local\Temp\7zS53F3.tmp\Install.exe
                .\Install.exe
                7⤵
                PID:6432
                • C:\Users\Admin\AppData\Local\Temp\7zS8796.tmp\Install.exe
                  .\Install.exe /S /site_id "525403"
                  8⤵
                  PID:6792
            • C:\Users\Admin\Pictures\Adobe Films\9ra5i0bFeJdqTXU7_J6hjLWO.exe
              "C:\Users\Admin\Pictures\Adobe Films\9ra5i0bFeJdqTXU7_J6hjLWO.exe"
              6⤵
              PID:6128
            • C:\Users\Admin\Pictures\Adobe Films\FN9w0XFS2p4xLClz_bPvHTgC.exe
              "C:\Users\Admin\Pictures\Adobe Films\FN9w0XFS2p4xLClz_bPvHTgC.exe"
              6⤵
              PID:6600
            • C:\Users\Admin\Pictures\Adobe Films\vSUYybeInAzGX1oBbkXPpLSn.exe
              "C:\Users\Admin\Pictures\Adobe Films\vSUYybeInAzGX1oBbkXPpLSn.exe"
              6⤵
              PID:4480
              • C:\Users\Admin\Pictures\Adobe Films\vSUYybeInAzGX1oBbkXPpLSn.exe
                "C:\Users\Admin\Pictures\Adobe Films\vSUYybeInAzGX1oBbkXPpLSn.exe"
                7⤵
                PID:6184
            • C:\Users\Admin\Pictures\Adobe Films\_W6jHmCW0avL60jMD77p4aY5.exe
              "C:\Users\Admin\Pictures\Adobe Films\_W6jHmCW0avL60jMD77p4aY5.exe"
              6⤵
              PID:7040
            • C:\Users\Admin\Pictures\Adobe Films\e7ZNwLOdQGZ8QM5qayzB42Bh.exe
              "C:\Users\Admin\Pictures\Adobe Films\e7ZNwLOdQGZ8QM5qayzB42Bh.exe"
              6⤵
              PID:5508
              • C:\Users\Admin\Pictures\Adobe Films\e7ZNwLOdQGZ8QM5qayzB42Bh.exe
                "C:\Users\Admin\Pictures\Adobe Films\e7ZNwLOdQGZ8QM5qayzB42Bh.exe"
                7⤵
                PID:3632
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 24
                  8⤵
                  • Program crash
                  PID:6948
            • C:\Users\Admin\Pictures\Adobe Films\CRwrfzVBfvoRW_3iVaSC9TuT.exe
              "C:\Users\Admin\Pictures\Adobe Films\CRwrfzVBfvoRW_3iVaSC9TuT.exe"
              6⤵
              PID:6304
            • C:\Users\Admin\Pictures\Adobe Films\5IkqZ3toTZ3BJ3lzUYt6ZEnT.exe
              "C:\Users\Admin\Pictures\Adobe Films\5IkqZ3toTZ3BJ3lzUYt6ZEnT.exe"
              6⤵
              PID:6232
            • C:\Users\Admin\Pictures\Adobe Films\8Fy7pOpaW9G5f_VEwo4hw5L0.exe
              "C:\Users\Admin\Pictures\Adobe Films\8Fy7pOpaW9G5f_VEwo4hw5L0.exe"
              6⤵
              PID:6980
            • C:\Users\Admin\Pictures\Adobe Films\CNZTzSDEzk2YVEBGALjvKLhO.exe
              "C:\Users\Admin\Pictures\Adobe Films\CNZTzSDEzk2YVEBGALjvKLhO.exe"
              6⤵
              PID:7020
            • C:\Users\Admin\Pictures\Adobe Films\GGA8POjM688o_sdJPqk4tQdg.exe
              "C:\Users\Admin\Pictures\Adobe Films\GGA8POjM688o_sdJPqk4tQdg.exe"
              6⤵
              PID:7132
            • C:\Users\Admin\Pictures\Adobe Films\ETxQKzCYSpXi2kkcg3WSr1bQ.exe
              "C:\Users\Admin\Pictures\Adobe Films\ETxQKzCYSpXi2kkcg3WSr1bQ.exe"
              6⤵
              PID:7128
            • C:\Users\Admin\Pictures\Adobe Films\5EhWvdmUwhG7QQ9fr9nW8AGz.exe
              "C:\Users\Admin\Pictures\Adobe Films\5EhWvdmUwhG7QQ9fr9nW8AGz.exe"
              6⤵
              PID:6520
            • C:\Users\Admin\Pictures\Adobe Films\_oxs0vHXmG5AnrbmwYwSZ89R.exe
              "C:\Users\Admin\Pictures\Adobe Films\_oxs0vHXmG5AnrbmwYwSZ89R.exe"
              6⤵
              PID:2208
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat2186a2fe17bc3.exe /mixtwo
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3064
          • C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat2186a2fe17bc3.exe
            Sat2186a2fe17bc3.exe /mixtwo
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:1436
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat211f3dc0dc85a790.exe
          4⤵
          PID:1036
          • C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat211f3dc0dc85a790.exe
            Sat211f3dc0dc85a790.exe
            5⤵
            • Executes dropped EXE
            PID:3572
            • C:\Users\Admin\AppData\Local\Temp\is-EVBHU.tmp\Sat211f3dc0dc85a790.tmp
              "C:\Users\Admin\AppData\Local\Temp\is-EVBHU.tmp\Sat211f3dc0dc85a790.tmp" /SL5="$60060,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat211f3dc0dc85a790.exe"
              6⤵
              • Executes dropped EXE
              PID:2284
              • C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat211f3dc0dc85a790.exe
                "C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat211f3dc0dc85a790.exe" /SILENT
                7⤵
                PID:856
                • C:\Users\Admin\AppData\Local\Temp\is-5TM8H.tmp\Sat211f3dc0dc85a790.tmp
                  "C:\Users\Admin\AppData\Local\Temp\is-5TM8H.tmp\Sat211f3dc0dc85a790.tmp" /SL5="$20206,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat211f3dc0dc85a790.exe" /SILENT
                  8⤵
                  PID:4120
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat214f898013408c.exe
          4⤵
          PID:1236
          • C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat214f898013408c.exe
            Sat214f898013408c.exe
            5⤵
            • Executes dropped EXE
            PID:1452
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat21a3a382cb.exe
          4⤵
          PID:3148
          • C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21a3a382cb.exe
            Sat21a3a382cb.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2864
            • C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21a3a382cb.exe
              C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21a3a382cb.exe
              6⤵
              PID:1228
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 24
                7⤵
                • Program crash
                PID:4584
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat21331fd7d3.exe
          4⤵
          PID:2236
          • C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21331fd7d3.exe
            Sat21331fd7d3.exe
            5⤵
            • Executes dropped EXE
            PID:2468
            • C:\Windows\SysWOW64\control.exe
              "C:\Windows\System32\control.exe" .\T2bGV.~
              6⤵
              PID:3224
              • C:\Windows\SysWOW64\rundll32.exe
                "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\T2bGV.~
                7⤵
                PID:4132
                • C:\Windows\system32\RunDll32.exe
                  C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\T2bGV.~
                  8⤵
                  PID:3744
                  • C:\Windows\SysWOW64\rundll32.exe
                    "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\T2bGV.~
                    9⤵
                    PID:5548
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat2175f29e38b1.exe
          4⤵
          PID:1588
          • C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat2175f29e38b1.exe
            Sat2175f29e38b1.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1932
            • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
              "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
              6⤵
              PID:4784
              • C:\Users\Admin\AppData\Local\Temp\mynewstfile.exe
                "C:\Users\Admin\AppData\Local\Temp\mynewstfile.exe"
                7⤵
                PID:4128
              • C:\Users\Admin\AppData\Local\Temp\Ebook10.exe
                "C:\Users\Admin\AppData\Local\Temp\Ebook10.exe"
                7⤵
                PID:1552
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat21822ebb0e.exe
          4⤵
          PID:3256
          • C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21822ebb0e.exe
            Sat21822ebb0e.exe
            5⤵
            • Executes dropped EXE
            PID:3208
            • C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21822ebb0e.exe
              C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21822ebb0e.exe
              6⤵
              PID:1080
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat21cab531e24c.exe
          4⤵
          PID:3060
          • C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21cab531e24c.exe
            Sat21cab531e24c.exe
            5⤵
            • Executes dropped EXE
                                                                                                                      PID:1448
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                        6⤵
                                                                                                                          PID:4572
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                                                                                          C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                                                          6⤵
                                                                                                                            PID:4960
                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                        C:\Windows\system32\cmd.exe /c Sat21fad2ad3b493fd4.exe
                                                                                                                        4⤵
                                                                                                                          PID:1824
                                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                                          C:\Windows\system32\cmd.exe /c Sat21e5d4a320d0.exe
                                                                                                                          4⤵
                                                                                                                            PID:2004
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21e5d4a320d0.exe
                                                                                                                              Sat21e5d4a320d0.exe
                                                                                                                              5⤵
                                                                                                                              • Executes dropped EXE
                                                                                                                              PID:3656
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\d1eed1bf-2f84-4568-b93b-84d272967dee\AdvancedRun.exe
                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\d1eed1bf-2f84-4568-b93b-84d272967dee\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\d1eed1bf-2f84-4568-b93b-84d272967dee\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
                                                                                                                                6⤵
                                                                                                                                  PID:3008
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\d1eed1bf-2f84-4568-b93b-84d272967dee\AdvancedRun.exe
                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\d1eed1bf-2f84-4568-b93b-84d272967dee\AdvancedRun.exe" /SpecialRun 4101d8 3008
                                                                                                                                    7⤵
                                                                                                                                      PID:4568
                                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\compostdeb\svchost.exe" -Force
                                                                                                                                    6⤵
                                                                                                                                      PID:4996
                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\d1eed1bf-2f84-4568-b93b-84d272967dee\34f8a741-c325-4b33-9552-a01ea3633ea2.exe
                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\d1eed1bf-2f84-4568-b93b-84d272967dee\34f8a741-c325-4b33-9552-a01ea3633ea2.exe" /o /c "Windows-Defender" /r
                                                                                                                                      6⤵
                                                                                                                                        PID:3152
                                                                                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\compostdeb\svchost.exe" -Force
                                                                                                                                        6⤵
                                                                                                                                          PID:2196
                                                                                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21e5d4a320d0.exe" -Force
                                                                                                                                          6⤵
                                                                                                                                            PID:2812
                                                                                                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
                                                                                                                                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
                                                                                                                                            6⤵
                                                                                                                                              PID:936
                                                                                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe
                                                                                                                                              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe"
                                                                                                                                              6⤵
                                                                                                                                                PID:4728
                                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
                                                                                                                                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"
                                                                                                                                                6⤵
                                                                                                                                                  PID:4820
                                                                                                                                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                                                  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
                                                                                                                                                  6⤵
                                                                                                                                                    PID:5264
                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                C:\Windows\system32\cmd.exe /c Sat21de94a76558.exe
                                                                                                                                                4⤵
                                                                                                                                                  PID:2068
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21de94a76558.exe
                                                                                                                                                    Sat21de94a76558.exe
                                                                                                                                                    5⤵
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    PID:1840
                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\bENXrHqz8bRohr5r3xBqsO1F.exe
                                                                                                                                                      "C:\Users\Admin\Pictures\Adobe Films\bENXrHqz8bRohr5r3xBqsO1F.exe"
                                                                                                                                                      6⤵
                                                                                                                                                        PID:4476
                                                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\dwm2b84989tejiglmLPLiKJI.exe
                                                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\dwm2b84989tejiglmLPLiKJI.exe"
                                                                                                                                                        6⤵
                                                                                                                                                          PID:6076
                                                                                                                                                        • C:\Users\Admin\Pictures\Adobe Films\r1i9oC5EdQwV2UvO7hvdApFY.exe
                                                                                                                                                          "C:\Users\Admin\Pictures\Adobe Films\r1i9oC5EdQwV2UvO7hvdApFY.exe"
                                                                                                                                                          6⤵
                                                                                                                                                            PID:668
                                                                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\OtyFnL2iOD3HA7nmznvDlcFU.exe
                                                                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\OtyFnL2iOD3HA7nmznvDlcFU.exe"
                                                                                                                                                            6⤵
                                                                                                                                                              PID:5584
                                                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\eSIhQfvjChZA1qPbL8qffvQY.exe
                                                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\eSIhQfvjChZA1qPbL8qffvQY.exe"
                                                                                                                                                              6⤵
                                                                                                                                                                PID:512
                                                                                                                                                              • C:\Users\Admin\Pictures\Adobe Films\Ygn5N1H14gI8IljYx2Zmvb1u.exe
                                                                                                                                                                "C:\Users\Admin\Pictures\Adobe Films\Ygn5N1H14gI8IljYx2Zmvb1u.exe"
                                                                                                                                                                6⤵
                                                                                                                                                                  PID:4776
                                                                                                                                                                • C:\Users\Admin\Pictures\Adobe Films\_kj4FXQXpt_iG8HgZkaf9QrR.exe
                                                                                                                                                                  "C:\Users\Admin\Pictures\Adobe Films\_kj4FXQXpt_iG8HgZkaf9QrR.exe"
                                                                                                                                                                  6⤵
                                                                                                                                                                    PID:5884
                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\gKkgVRaZcQw1OrXNvLFpZUdF.exe
                                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\gKkgVRaZcQw1OrXNvLFpZUdF.exe"
                                                                                                                                                                    6⤵
                                                                                                                                                                      PID:1912
                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\n685NpOXMOXzRokqpO9M_Ygl.exe
                                                                                                                                                                      "C:\Users\Admin\Pictures\Adobe Films\n685NpOXMOXzRokqpO9M_Ygl.exe"
                                                                                                                                                                      6⤵
                                                                                                                                                                        PID:2192
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS648D.tmp\Install.exe
                                                                                                                                                                          .\Install.exe
                                                                                                                                                                          7⤵
                                                                                                                                                                            PID:6512
                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS8C97.tmp\Install.exe
                                                                                                                                                                              .\Install.exe /S /site_id "525403"
                                                                                                                                                                              8⤵
                                                                                                                                                                                PID:2964
                                                                                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\KtgkOQ1zjjVq4WUOkdyY4Ikh.exe
                                                                                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\KtgkOQ1zjjVq4WUOkdyY4Ikh.exe"
                                                                                                                                                                            6⤵
                                                                                                                                                                              PID:5892
                                                                                                                                                                            • C:\Users\Admin\Pictures\Adobe Films\A5WgVguV5bJg2atIEhV54OsM.exe
                                                                                                                                                                              "C:\Users\Admin\Pictures\Adobe Films\A5WgVguV5bJg2atIEhV54OsM.exe"
                                                                                                                                                                              6⤵
                                                                                                                                                                                PID:5588
                                                                                                                                                                              • C:\Users\Admin\Pictures\Adobe Films\TACcuaDvCMuG37f1vpK6LKVE.exe
                                                                                                                                                                                "C:\Users\Admin\Pictures\Adobe Films\TACcuaDvCMuG37f1vpK6LKVE.exe"
                                                                                                                                                                                6⤵
                                                                                                                                                                                  PID:612
                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\TACcuaDvCMuG37f1vpK6LKVE.exe
                                                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\TACcuaDvCMuG37f1vpK6LKVE.exe"
                                                                                                                                                                                    7⤵
                                                                                                                                                                                      PID:6660
                                                                                                                                                                                  • C:\Users\Admin\Pictures\Adobe Films\uPQyPaFr6nks2aZQ9MrNog6P.exe
                                                                                                                                                                                    "C:\Users\Admin\Pictures\Adobe Films\uPQyPaFr6nks2aZQ9MrNog6P.exe"
                                                                                                                                                                                    6⤵
                                                                                                                                                                                      PID:5392
                                                                                                                                                                                    • C:\Users\Admin\Pictures\Adobe Films\GgWGI0s4t0TJ_ms9rIiOop9p.exe
                                                                                                                                                                                      "C:\Users\Admin\Pictures\Adobe Films\GgWGI0s4t0TJ_ms9rIiOop9p.exe"
                                                                                                                                                                                      6⤵
                                                                                                                                                                                        PID:6500
                                                                                                                                                                                      • C:\Users\Admin\Pictures\Adobe Films\tlfFKKQhrW_D_XapN4w2Ugsj.exe
                                                                                                                                                                                        "C:\Users\Admin\Pictures\Adobe Films\tlfFKKQhrW_D_XapN4w2Ugsj.exe"
                                                                                                                                                                                        6⤵
                                                                                                                                                                                          PID:2208
                                                                                                                                                                                          • C:\Users\Admin\Pictures\Adobe Films\tlfFKKQhrW_D_XapN4w2Ugsj.exe
                                                                                                                                                                                            "C:\Users\Admin\Pictures\Adobe Films\tlfFKKQhrW_D_XapN4w2Ugsj.exe"
                                                                                                                                                                                            7⤵
                                                                                                                                                                                              PID:4844
          • C:\Users\Admin\Pictures\Adobe Films\Q4R_7EhHkn2G3Ft_SH5XIZr7.exe
            "C:\Users\Admin\Pictures\Adobe Films\Q4R_7EhHkn2G3Ft_SH5XIZr7.exe"
            6⤵
            PID:1644
          • C:\Users\Admin\Pictures\Adobe Films\cXsLWo9chnycB3PD3PGLzzxj.exe
            "C:\Users\Admin\Pictures\Adobe Films\cXsLWo9chnycB3PD3PGLzzxj.exe"
            6⤵
            PID:5804
          • C:\Users\Admin\Pictures\Adobe Films\y36J83KsPS3Z0w5IvKlA0Jlj.exe
            "C:\Users\Admin\Pictures\Adobe Films\y36J83KsPS3Z0w5IvKlA0Jlj.exe"
            6⤵
            PID:6968
          • C:\Users\Admin\Pictures\Adobe Films\tXDfUCeICEt8kO0AQB4fFtSR.exe
            "C:\Users\Admin\Pictures\Adobe Films\tXDfUCeICEt8kO0AQB4fFtSR.exe"
            6⤵
            PID:5488
          • C:\Users\Admin\Pictures\Adobe Films\zLcPbq2DL9uvf23CqPLkSIAH.exe
            "C:\Users\Admin\Pictures\Adobe Films\zLcPbq2DL9uvf23CqPLkSIAH.exe"
            6⤵
            PID:5716
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sat2106af2f1b2e3716.exe
        4⤵
        PID:1712
        • C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat2106af2f1b2e3716.exe
          Sat2106af2f1b2e3716.exe
          5⤵
          • Executes dropped EXE
          PID:2104
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sat21d2de5c9915e148.exe
        4⤵
        PID:2936
        • C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21d2de5c9915e148.exe
          Sat21d2de5c9915e148.exe
          5⤵
          • Executes dropped EXE
          PID:2716
          • C:\Users\Admin\AppData\Local\efb9624f-cc2e-4a1f-bf67-b57bcbb044a2.exe
            "C:\Users\Admin\AppData\Local\efb9624f-cc2e-4a1f-bf67-b57bcbb044a2.exe"
            6⤵
            PID:4676
          • C:\Users\Admin\AppData\Local\a526dff2-4fc5-4797-94fc-684db9956f30.exe
            "C:\Users\Admin\AppData\Local\a526dff2-4fc5-4797-94fc-684db9956f30.exe"
            6⤵
            PID:4696
            • C:\Users\Admin\AppData\Roaming\52285273\1640433316404333.exe
              "C:\Users\Admin\AppData\Roaming\52285273\1640433316404333.exe"
              7⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:3208
          • C:\Users\Admin\AppData\Local\72bfc834-71c8-4a2e-9d8d-6fcb5d59b771.exe
            "C:\Users\Admin\AppData\Local\72bfc834-71c8-4a2e-9d8d-6fcb5d59b771.exe"
            6⤵
            PID:4872
          • C:\Users\Admin\AppData\Local\429e20d6-b092-4135-a050-5a1943f63a02.exe
            "C:\Users\Admin\AppData\Local\429e20d6-b092-4135-a050-5a1943f63a02.exe"
            6⤵
            PID:4972
          • C:\Users\Admin\AppData\Local\1fca6883-42b8-42fc-95fa-d97bb1210ed7.exe
            "C:\Users\Admin\AppData\Local\1fca6883-42b8-42fc-95fa-d97bb1210ed7.exe"
            6⤵
            PID:5104
            • C:\Users\Admin\AppData\Roaming\5751764.exe
              "C:\Users\Admin\AppData\Roaming\5751764.exe"
              7⤵
              PID:4404
              • C:\Windows\SysWOW64\control.exe
                "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                8⤵
                PID:5256
                • C:\Windows\SysWOW64\rundll32.exe
                  "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                  9⤵
                  PID:5448
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sat2191af1420045d6af.exe
        4⤵
        PID:3972
        • C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat2191af1420045d6af.exe
          Sat2191af1420045d6af.exe
          5⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1804
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c taskkill /f /im chrome.exe
            6⤵
            PID:4344
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im chrome.exe
              7⤵
              • Kills process with taskkill
              PID:5384
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sat2184c3c6c75ad8f83.exe
        4⤵
        PID:3648
        • C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat2184c3c6c75ad8f83.exe
          Sat2184c3c6c75ad8f83.exe
          5⤵
          • Executes dropped EXE
          PID:656
          • C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat2184c3c6c75ad8f83.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat2184c3c6c75ad8f83.exe" -u
            6⤵
            • Executes dropped EXE
            PID:3620
• C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat2186a2fe17bc3.exe
  Sat2186a2fe17bc3.exe /mixtwo
  1⤵
  • Executes dropped EXE
  PID:2164
  • C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "Sat2186a2fe17bc3.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat2186a2fe17bc3.exe" & exit
    2⤵
    PID:4452
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "Sat2186a2fe17bc3.exe" /f
      3⤵
      • Kills process with taskkill
      PID:4732
• C:\Users\Admin\AppData\Local\Temp\7zS4721B236\Sat21fad2ad3b493fd4.exe
  Sat21fad2ad3b493fd4.exe
  1⤵
  • Executes dropped EXE
  PID:2964
  • C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe" .\T2bGV.~
    2⤵
    PID:4336
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\T2bGV.~
      3⤵
      PID:4464
      • C:\Windows\system32\RunDll32.exe
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\T2bGV.~
        4⤵
        PID:2440
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\T2bGV.~
          5⤵
          PID:5844
• C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  1⤵
  • Process spawned unexpected child process
  PID:1980
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                    PID:5116
                                                                                                                                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                  C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                    PID:4484
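The two rundll32 chains in the tree above are the rows a responder would turn into a detection: a 64-bit RunDll32 calling Shell32.dll,Control_RunDLL on a file named .\T2bGV.~ (which the WOW64 rundll32 then re-issues as shell32.dll,#44 with the same argument), and a rundll32 loading sqlite.dll from the user's Temp directory, flagged by the sandbox as an unexpected child process. The following is an added example, not part of this report or of the sandbox's tooling: a parser for rundll32 command lines with two rules applied to rows copied from the tree. The flat (pid, command line) list, the rule names and the list of user-writable path markers are assumptions made here; treating shell32.dll,#44 as the Control_RunDLL entry point follows from the tree itself, where that is how the 32-bit side repeats the call.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, not the sandbox's export format: the rundll32 and svchost
# rows from the process tree above, flattened to (pid, command line).
SAMPLE_PROCESSES: List[Tuple[int, str]] = [
    (2440, r'C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\T2bGV.~'),
    (5844, r'"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\T2bGV.~'),
    (1980, r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global'),
    (5116, r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global'),
    (4484, r'C:\Windows\system32\svchost.exe -k SystemNetworkService'),
]

# rundll32 syntax: rundll32[.exe] <dll>,<export-or-#ordinal> [arguments]
# The DLL may be quoted; the export may be a name or an ordinal written as #N.
RUNDLL_RE = re.compile(
    r'^\s*"?(?P<exe>[^"\s]*rundll32(?:\.exe)?)"?\s+'
    r'(?:"(?P<dll_q>[^"]+)"|(?P<dll>[^,\s"]+))'
    r',(?P<entry>#?\w+)'
    r'(?:\s+(?P<args>\S.*?))?\s*$',
    re.IGNORECASE,
)

# Assumed list of directories an unprivileged user can write to. A DLL loaded
# from one of these by a signed Windows binary is the rundll32 proxy-execution
# pattern seen in the tree (sqlite.dll under AppData\Local\Temp).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")


def parse_rundll32(cmdline: str) -> Optional[Dict[str, Optional[str]]]:
    """Return {'exe','dll','entry','args'} for a rundll32 command line, else None."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    return {
        "exe": m.group("exe"),
        "dll": m.group("dll_q") or m.group("dll"),
        "entry": m.group("entry"),
        "args": m.group("args"),
    }


def is_control_rundll(dll: str, entry: str) -> bool:
    """True for the Control Panel applet loader, by export name or as shell32.dll,#44.

    The tree above shows the 64-bit Control_RunDLL call being repeated by the
    WOW64 rundll32 as shell32.dll,#44 with the same argument, so both forms
    are treated as the same entry point here.
    """
    base = dll.lower().rsplit("\\", 1)[-1]
    return entry.lower() == "control_rundll" or (base == "shell32.dll" and entry == "#44")


def classify(pid: int, cmdline: str) -> List[Tuple[int, str, str]]:
    """Apply both rules to one process; returns (pid, rule, detail) findings."""
    p = parse_rundll32(cmdline)
    if p is None:
        return []
    findings: List[Tuple[int, str, str]] = []
    dll_lower = p["dll"].lower()
    if any(marker in dll_lower for marker in USER_WRITABLE):
        findings.append((pid, "rundll32_user_writable_dll", p["dll"]))
    if is_control_rundll(p["dll"], p["entry"]):
        target = (p["args"] or "").strip('"')
        # Control_RunDLL loads whatever file it is handed as a library; a target
        # that is not a .cpl is a payload hiding behind the applet loader.
        if not target.lower().endswith(".cpl"):
            findings.append((pid, "control_rundll_non_cpl_target", target))
    return findings


def scan(processes: List[Tuple[int, str]]) -> List[Tuple[int, str, str]]:
    """Run classify() over every (pid, command line) row and collect the findings."""
    out: List[Tuple[int, str, str]] = []
    for pid, cmdline in processes:
        out.extend(classify(pid, cmdline))
    return out


if __name__ == "__main__":
    for pid, rule, detail in scan(SAMPLE_PROCESSES):
        print(f"PID {pid}: {rule} -> {detail}")
```

Run against the sample, the scan returns four findings: both Control_RunDLL invocations (PIDs 2440 and 5844) for a non-.cpl target, and both sqlite.dll loads (PIDs 1980 and 5116) for a DLL under AppData. The svchost row is ignored because it is not rundll32. The user-writable rule on its own will also fire on some legitimate installers, so in production it is worth pairing with the parent process, which is exactly what the sandbox's "Process spawned unexpected child process" signature on PID 1980 does.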

Network

MITRE ATT&CK Enterprise v6

Downloads

• memory/736-470-0x000000007F120000-0x000000007F121000-memory.dmp (Filesize: 4KB)
• memory/736-256-0x0000000007E60000-0x0000000007E61000-memory.dmp (Filesize: 4KB)
• memory/736-260-0x0000000007FB0000-0x0000000007FB1000-memory.dmp (Filesize: 4KB)
• memory/736-169-0x0000000003340000-0x0000000003341000-memory.dmp (Filesize: 4KB)
• memory/736-546-0x0000000005153000-0x0000000005154000-memory.dmp (Filesize: 4KB)
• memory/736-205-0x0000000005150000-0x0000000005151000-memory.dmp (Filesize: 4KB)
• memory/736-165-0x0000000003340000-0x0000000003341000-memory.dmp (Filesize: 4KB)
• memory/736-245-0x0000000005152000-0x0000000005153000-memory.dmp (Filesize: 4KB)
• memory/736-267-0x0000000008090000-0x0000000008091000-memory.dmp (Filesize: 4KB)
• memory/736-263-0x0000000008020000-0x0000000008021000-memory.dmp (Filesize: 4KB)
• memory/820-448-0x0000023DB7F40000-0x0000023DB7FB2000-memory.dmp (Filesize: 456KB)
• memory/820-446-0x0000023DB7E80000-0x0000023DB7ECD000-memory.dmp (Filesize: 308KB)
• memory/856-290-0x0000000000400000-0x00000000004CC000-memory.dmp (Filesize: 816KB)
• memory/900-527-0x000001B0FE920000-0x000001B0FE992000-memory.dmp (Filesize: 456KB)
• memory/1020-479-0x000002033BB80000-0x000002033BBF2000-memory.dmp (Filesize: 456KB)
• memory/1080-337-0x0000000004E10000-0x0000000005416000-memory.dmp (Filesize: 6.0MB)
• memory/1080-299-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
• memory/1100-516-0x00000245C3F40000-0x00000245C3FB2000-memory.dmp (Filesize: 456KB)
• memory/1144-243-0x0000000004702000-0x0000000004703000-memory.dmp (Filesize: 4KB)
• memory/1144-213-0x00000000046A0000-0x00000000046A1000-memory.dmp (Filesize: 4KB)
• memory/1144-235-0x0000000006DF0000-0x0000000006DF1000-memory.dmp (Filesize: 4KB)
• memory/1144-204-0x0000000004700000-0x0000000004701000-memory.dmp (Filesize: 4KB)
• memory/1144-510-0x000000007F4A0000-0x000000007F4A1000-memory.dmp (Filesize: 4KB)
• memory/1144-550-0x0000000004703000-0x0000000004704000-memory.dmp (Filesize: 4KB)
• memory/1144-164-0x0000000002980000-0x0000000002981000-memory.dmp (Filesize: 4KB)
• memory/1144-166-0x0000000002980000-0x0000000002981000-memory.dmp (Filesize: 4KB)
• memory/1220-557-0x000001B4029B0000-0x000001B402A22000-memory.dmp (Filesize: 456KB)
• memory/1228-298-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
• memory/1360-571-0x000002AEBBA60000-0x000002AEBBAD2000-memory.dmp (Filesize: 456KB)
• memory/1416-541-0x000001BCAD840000-0x000001BCAD8B2000-memory.dmp (Filesize: 456KB)
• memory/1452-343-0x00000000004D0000-0x000000000057E000-memory.dmp (Filesize: 696KB)
• memory/1452-351-0x0000000000400000-0x00000000004C9000-memory.dmp (Filesize: 804KB)
• memory/1544-148-0x0000000064940000-0x0000000064959000-memory.dmp (Filesize: 100KB)
• memory/1544-142-0x000000006B280000-0x000000006B2A6000-memory.dmp (Filesize: 152KB)
• memory/1544-138-0x000000006FE40000-0x000000006FFC6000-memory.dmp (Filesize: 1.5MB)
• memory/1544-139-0x000000006FE40000-0x000000006FFC6000-memory.dmp (Filesize: 1.5MB)
• memory/1544-135-0x000000006B440000-0x000000006B4CF000-memory.dmp (Filesize: 572KB)
• memory/1544-140-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          1.5MB

                                                                                                                                                                                                                                        • memory/1544-141-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          1.5MB

                                                                                                                                                                                                                                        • memory/1544-149-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          100KB

                                                                                                                                                                                                                                        • memory/1544-137-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          572KB

                                                                                                                                                                                                                                        • memory/1544-136-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          572KB

                                                                                                                                                                                                                                        • memory/1544-152-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          100KB

                                                                                                                                                                                                                                        • memory/1544-155-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          100KB

                                                                                                                                                                                                                                        • memory/1840-405-0x0000000004140000-0x000000000428E000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          1.3MB

                                                                                                                                                                                                                                        • memory/1904-553-0x00000206CAE70000-0x00000206CAEE2000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          456KB

                                                                                                                                                                                                                                        • memory/1932-247-0x00000000023C0000-0x00000000023C2000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                        • memory/1932-233-0x0000000000310000-0x0000000000311000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                        • memory/2104-391-0x00000000021B0000-0x0000000002289000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          868KB

                                                                                                                                                                                                                                        • memory/2104-395-0x0000000000400000-0x0000000000536000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          1.2MB

                                                                                                                                                                                                                                        • memory/2164-182-0x0000000000400000-0x0000000000450000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          320KB

                                                                                                                                                                                                                                        • memory/2164-206-0x0000000000400000-0x0000000000450000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          320KB

                                                                                                                                                                                                                                        • memory/2196-489-0x0000000004792000-0x0000000004793000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                        • memory/2196-475-0x0000000004790000-0x0000000004791000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                        • memory/2284-271-0x00000000007B0000-0x00000000007B1000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                        • memory/2300-502-0x0000026050260000-0x00000260502D2000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          456KB

                                                                                                                                                                                                                                        • memory/2340-491-0x00000190AF800000-0x00000190AF872000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          456KB

                                                                                                                                                                                                                                        • memory/2420-412-0x0000000000D20000-0x0000000000D36000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          88KB

                                                                                                                                                                                                                                        • memory/2468-196-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                        • memory/2468-194-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                        • memory/2520-506-0x00000217B0BA0000-0x00000217B0C12000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          456KB

                                                                                                                                                                                                                                        • memory/2640-574-0x0000027AC9800000-0x0000027AC9872000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          456KB

                                                                                                                                                                                                                                        • memory/2648-583-0x000002341F5A0000-0x000002341F612000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          456KB

                                                                                                                                                                                                                                        • memory/2716-268-0x00000000011E0000-0x00000000011F4000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          80KB

                                                                                                                                                                                                                                        • memory/2716-251-0x00000000011D0000-0x00000000011D1000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                        • memory/2716-280-0x0000000001420000-0x0000000001421000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                        • memory/2716-239-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                        • memory/2716-277-0x000000001B790000-0x000000001B792000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          8KB

                                                                                                                                                                                                                                        • memory/2812-500-0x0000000006F80000-0x0000000006F81000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                        • memory/2812-496-0x0000000006F82000-0x0000000006F83000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                        • memory/2864-269-0x0000000002550000-0x0000000002551000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                        • memory/2864-265-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          4KB

                                                                                                                                                                                                                                        • memory/2864-217-0x0000000000380000-0x0000000000381000-memory.dmp

                                                                                                                                                                                                                                          Filesize

                                                                                                                                                                                                                                          4KB

• memory/2864-258-0x0000000004BD0000-0x0000000004BD1000-memory.dmp (Filesize: 4KB)
• memory/2924-341-0x00000000041F0000-0x000000000433E000-memory.dmp (Filesize: 1.3MB)
• memory/2964-202-0x0000000002990000-0x0000000002991000-memory.dmp (Filesize: 4KB)
• memory/2964-200-0x0000000002990000-0x0000000002991000-memory.dmp (Filesize: 4KB)
• memory/3208-274-0x0000000002970000-0x0000000002971000-memory.dmp (Filesize: 4KB)
• memory/3208-275-0x0000000002900000-0x0000000002901000-memory.dmp (Filesize: 4KB)
• memory/3208-226-0x0000000000780000-0x0000000000781000-memory.dmp (Filesize: 4KB)
• memory/3208-429-0x000000001BAE0000-0x000000001BAE2000-memory.dmp (Filesize: 8KB)
• memory/3572-246-0x0000000000400000-0x00000000004CC000-memory.dmp (Filesize: 816KB)
• memory/3656-255-0x0000000004AD0000-0x0000000004AD1000-memory.dmp (Filesize: 4KB)
• memory/3656-273-0x0000000004B70000-0x000000000506E000-memory.dmp (Filesize: 5.0MB)
• memory/3656-264-0x0000000004B70000-0x0000000004B71000-memory.dmp (Filesize: 4KB)
• memory/3656-249-0x00000000049B0000-0x00000000049B1000-memory.dmp (Filesize: 4KB)
• memory/3656-232-0x0000000000130000-0x0000000000131000-memory.dmp (Filesize: 4KB)
• memory/3656-279-0x0000000004A70000-0x0000000004A73000-memory.dmp (Filesize: 12KB)
• memory/3656-291-0x0000000004C10000-0x0000000004CB3000-memory.dmp (Filesize: 652KB)
• memory/3656-259-0x0000000005070000-0x0000000005071000-memory.dmp (Filesize: 4KB)
• memory/4120-296-0x0000000000770000-0x0000000000771000-memory.dmp (Filesize: 4KB)
• memory/4132-559-0x000000002F890000-0x000000002F891000-memory.dmp (Filesize: 4KB)
• memory/4464-563-0x0000000004C70000-0x0000000004C71000-memory.dmp (Filesize: 4KB)
• memory/4484-465-0x0000023D16170000-0x0000023D161E2000-memory.dmp (Filesize: 456KB)
• memory/4676-410-0x0000000001230000-0x0000000001231000-memory.dmp (Filesize: 4KB)
• memory/4872-352-0x0000000000DB0000-0x0000000000DF5000-memory.dmp (Filesize: 276KB)
• memory/4872-400-0x00000000053D0000-0x00000000053D1000-memory.dmp (Filesize: 4KB)
• memory/4972-365-0x0000000000940000-0x00000000009EE000-memory.dmp (Filesize: 696KB)
• memory/4972-408-0x0000000005550000-0x0000000005551000-memory.dmp (Filesize: 4KB)
• memory/4996-513-0x0000000002A32000-0x0000000002A33000-memory.dmp (Filesize: 4KB)
• memory/4996-482-0x0000000002A30000-0x0000000002A31000-memory.dmp (Filesize: 4KB)
• memory/5104-420-0x0000000004940000-0x0000000004941000-memory.dmp (Filesize: 4KB)
• memory/5116-438-0x0000000004F80000-0x0000000004FDD000-memory.dmp (Filesize: 372KB)
• memory/5116-436-0x0000000004E7B000-0x0000000004F7C000-memory.dmp (Filesize: 1.0MB)