Analysis

  • max time kernel
    39s
  • max time network
    165s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    20/12/2021, 14:03

General

  • Target

    5559eb4c20778c0531d586560bfb67605efe485b56ba30300331841586a0819d.exe

  • Size

    7.7MB

  • MD5

    1cae05a3646796c127912f7e2cb6ef28

  • SHA1

    76fbcc90f87a8935149cdd9a55aefd9b7893fc35

  • SHA256

    5559eb4c20778c0531d586560bfb67605efe485b56ba30300331841586a0819d

  • SHA512

    991ed48a025cffe2fa7fc94e0ad5ea39b975712645c19630675cd44207a30746900fa2989442768401c3ec656d381e60669d350f0ab6360f5938d1e3ae7d2646

Malware Config

Extracted

Family

socelars

C2

http://www.biohazardgraphics.com/

Extracted

Family

vidar

Version

49.1

Botnet

915

C2

https://noc.social/@sergeev46

https://c.im/@sergeev47

Attributes
  • profile_id

    915

Extracted

Family

raccoon

Botnet

164fb74855c13a4287d8fe7ac579a35bdf7002ab

Attributes
  • url4cnc

    http://194.180.174.53/takecareandkeepitup

    http://91.219.236.18/takecareandkeepitup

    http://194.180.174.41/takecareandkeepitup

    http://91.219.236.148/takecareandkeepitup

    https://t.me/takecareandkeepitup

  • rc4.plain

Extracted

Family

smokeloader

Version

2020

C2

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

Attributes
  • rc4.i32
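The extracted configs are the most reusable part of this report, but not every entry is a host to block: the vidar C2 values are Mastodon profile pages and the raccoon url4cnc list ends in a Telegram channel, i.e. dead-drop resolvers on legitimate services (the "Legitimate hosting services abused for malware hosting/C2" signature below), where the profile page carries the real C2 address and blocking the whole host would also break legitimate traffic. The following is an added example, not part of the sandbox report, that parses this page's plain-text config layout into IOCs and keeps dead drops as full URLs instead of collapsing them to a hostname. CONFIG_TEXT is transcribed from the block above with blank lines trimmed; DEAD_DROP_HOSTS and the ip/domain/dead_drop classification are this example's own assumptions.

```python
"""Turn the plain-text 'Malware Config' block of a sandbox report into IOCs.

Added example, not part of the sandbox report. CONFIG_TEXT is transcribed
from the report's config block; DEAD_DROP_HOSTS and the classification
rules are this example's own assumptions.
"""
import ipaddress
from urllib.parse import urlparse

HEADINGS = {"Family", "Version", "Botnet", "C2", "Attributes"}
URL_KEYS = {"C2", "url4cnc"}
# Assumption: public services the configs use as dead-drop resolvers (a
# profile/channel page that carries the real C2). Blocking the host would
# also block legitimate use, so these stay as full URLs in the blocklist.
DEAD_DROP_HOSTS = {"t.me", "noc.social", "c.im"}

# Constructed input: transcribed from the report, blank lines trimmed.
CONFIG_TEXT = """
Extracted
Family
socelars
C2
http://www.biohazardgraphics.com/

Extracted
Family
vidar
Version
49.1
Botnet
915
C2
https://noc.social/@sergeev46
https://c.im/@sergeev47

Extracted
Family
raccoon
Botnet
164fb74855c13a4287d8fe7ac579a35bdf7002ab
Attributes
  • url4cnc
    http://194.180.174.53/takecareandkeepitup
    https://t.me/takecareandkeepitup
"""


def parse_config(text):
    """One {key: [values]} dict per 'Extracted' record.

    Headings and '• key' bullets open a key; other non-empty lines are values
    of the current key. A value equal to a heading word (a botnet literally
    named "Version") would be misread; acceptable for report text.
    """
    records, record, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Extracted":
            record, key = {}, None
            records.append(record)
        elif record is None:
            continue                  # preamble before the first record
        elif line == "Attributes":
            key = None                # attribute keys follow as bullets
        elif line.startswith("•"):
            key = line.lstrip("•").strip()
            record.setdefault(key, [])
        elif line in HEADINGS:
            key = line
            record.setdefault(key, [])
        elif key is not None:
            record[key].append(line)
    return records


def classify(url):
    """Return (host, kind) with kind in {'ip', 'domain', 'dead_drop'}."""
    host = urlparse(url).hostname or url
    if host in DEAD_DROP_HOSTS:
        return host, "dead_drop"
    try:
        ipaddress.ip_address(host)
        return host, "ip"
    except ValueError:
        return host, "domain"


def extract_iocs(records):
    """Flatten every C2 / url4cnc value into IOC dicts, one per (family, url)."""
    seen, out = set(), []
    for rec in records:
        family = (rec.get("Family") or ["unknown"])[0]
        for key, values in rec.items():
            if key not in URL_KEYS:
                continue
            for url in values:
                if (family, url) in seen:
                    continue
                seen.add((family, url))
                host, kind = classify(url)
                out.append({"family": family, "source": key, "url": url,
                            "host": host, "kind": kind})
    return out


def blocklist(iocs):
    """Host entries for dedicated C2 infrastructure, full URLs for dead drops."""
    entries = []
    for ioc in iocs:
        entry = ioc["url"] if ioc["kind"] == "dead_drop" else ioc["host"]
        if entry not in entries:
            entries.append(entry)
    return entries
```

Feed the socelars and smokeloader C2s through the same function and you get plain hostnames; the Mastodon and Telegram entries come out as URL-level indicators for a proxy or EDR rule, and the raw Telegram/Mastodon hosts never enter the blocklist.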

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. In this run the flagged parent is the rundll32.exe instance at the bottom of the process tree that loads sqlite.dll from %TEMP%; stealers such as Vidar and Raccoon drop a SQLite library to read browser databases, so the parent here is a malware component rather than an exploited legitimate process.

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • suricata: ET MALWARE GCleaner Downloader Activity M5
  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers. The tool itself is legitimate; the NirSoft utility dropped here as C:\Users\Admin\AppData\Local\Temp\11111.exe appears to be driven headlessly with /CookiesFile, /scookiestxt and /stab to dump the Chrome cookie database to fj4ghga23_fsa.txt (see the process tree), which is how stealer bundles reuse these tools without writing their own parsers.

  • Nirsoft 2 IoCs
  • Vidar Stealer 2 IoCs
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Downloads MZ/PE file
  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 45 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but no encryption or ransom note appears in this run; with four stealer families extracted, drive enumeration here is more consistent with file harvesting.

  • Program crash 2 IoCs
  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5559eb4c20778c0531d586560bfb67605efe485b56ba30300331841586a0819d.exe
    "C:\Users\Admin\AppData\Local\Temp\5559eb4c20778c0531d586560bfb67605efe485b56ba30300331841586a0819d.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1576
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:268
      • C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:564
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          4⤵
          PID:1612
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            5⤵
            PID:676
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          4⤵
          PID:1988
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            5⤵
            PID:584
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat19bf318872f2f09a.exe
          4⤵
          • Loads dropped DLL
          PID:1588
          • C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat19bf318872f2f09a.exe
            Sat19bf318872f2f09a.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1724
            • C:\Users\Admin\Pictures\Adobe Films\xVLHTAUgznypkXxOPmfq_QKL.exe
              "C:\Users\Admin\Pictures\Adobe Films\xVLHTAUgznypkXxOPmfq_QKL.exe"
              6⤵
              PID:2412
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 568
              6⤵
              • Program crash
              PID:2112
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat1988552a1d427c.exe
          4⤵
          • Loads dropped DLL
          PID:1476
          • C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat1988552a1d427c.exe
            Sat1988552a1d427c.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1352
            • C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat1988552a1d427c.exe
              "C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat1988552a1d427c.exe" -u
              6⤵
              PID:1808
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat19b31e745e.exe
          4⤵
          PID:1004
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat1908ae0c8e3eb49.exe
          4⤵
          • Loads dropped DLL
          PID:872
          • C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat1908ae0c8e3eb49.exe
            Sat1908ae0c8e3eb49.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1184
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat19ce299a2dc74.exe
          4⤵
          • Loads dropped DLL
          PID:1688
          • C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat19ce299a2dc74.exe
            Sat19ce299a2dc74.exe
            5⤵
            • Executes dropped EXE
            PID:360
            • C:\Users\Admin\AppData\Local\c88629e8-7483-440c-9f55-25e8949d8541.exe
              "C:\Users\Admin\AppData\Local\c88629e8-7483-440c-9f55-25e8949d8541.exe"
              6⤵
              PID:2288
            • C:\Users\Admin\AppData\Local\2bd82bdd-859a-40df-8c4b-8ec443c34ca4.exe
              "C:\Users\Admin\AppData\Local\2bd82bdd-859a-40df-8c4b-8ec443c34ca4.exe"
              6⤵
              PID:2808
              • C:\Users\Admin\AppData\Roaming\13323327\285471613652657.exe
                "C:\Users\Admin\AppData\Roaming\13323327\285471613652657.exe"
                7⤵
                PID:772
            • C:\Users\Admin\AppData\Local\8cf84daf-b625-43a7-821e-154376175a40.exe
              "C:\Users\Admin\AppData\Local\8cf84daf-b625-43a7-821e-154376175a40.exe"
              6⤵
              PID:2688
            • C:\Users\Admin\AppData\Local\74b92d8b-b105-467c-911f-05460b07a139.exe
              "C:\Users\Admin\AppData\Local\74b92d8b-b105-467c-911f-05460b07a139.exe"
              6⤵
              PID:2992
            • C:\Users\Admin\AppData\Local\399f5f93-ce6c-4bb1-943c-98af1db4660b.exe
              "C:\Users\Admin\AppData\Local\399f5f93-ce6c-4bb1-943c-98af1db4660b.exe"
              6⤵
              PID:3008
              • C:\Users\Admin\AppData\Roaming\3131639.exe
                "C:\Users\Admin\AppData\Roaming\3131639.exe"
                7⤵
                PID:276
                • C:\Windows\SysWOW64\control.exe
                  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                  8⤵
                  PID:2216
                  • C:\Windows\SysWOW64\rundll32.exe
                    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                    9⤵
                    PID:1716
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat199c2dca121aeaa18.exe
          4⤵
          • Loads dropped DLL
          PID:1720
          • C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat199c2dca121aeaa18.exe
            Sat199c2dca121aeaa18.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1756
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c taskkill /im Sat199c2dca121aeaa18.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat199c2dca121aeaa18.exe" & del C:\ProgramData\*.dll & exit
              6⤵
              PID:2604
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /im Sat199c2dca121aeaa18.exe /f
                7⤵
                • Kills process with taskkill
                PID:2720
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 6
                7⤵
                • Executes dropped EXE
                • Delays execution with timeout.exe
                PID:1808
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat192d00daf043.exe
          4⤵
          • Loads dropped DLL
          PID:2024
          • C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat192d00daf043.exe
            Sat192d00daf043.exe
            5⤵
            • Executes dropped EXE
            PID:632
            • C:\Windows\SysWOW64\control.exe
              "C:\Windows\System32\control.exe" .\5LQZ.CB
              6⤵
              PID:2392
              • C:\Windows\SysWOW64\rundll32.exe
                "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\5LQZ.CB
                7⤵
                PID:2456
                • C:\Windows\system32\RunDll32.exe
                  C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\5LQZ.CB
                  8⤵
                  PID:2520
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat19ffa03d0eed4.exe
          4⤵
          • Loads dropped DLL
          PID:1312
          • C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat19ffa03d0eed4.exe
            Sat19ffa03d0eed4.exe
            5⤵
            • Executes dropped EXE
            PID:1480
            • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
              C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
              6⤵
              PID:1864
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
                7⤵
                PID:1772
              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
                C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\@.cmd
                7⤵
                PID:1536
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat199e3c11cc71143ca.exe
          4⤵
          PID:1632
          • C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat199e3c11cc71143ca.exe
            Sat199e3c11cc71143ca.exe
            5⤵
            PID:1072
            • C:\Users\Admin\AppData\Local\Temp\11111.exe
              C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              6⤵
              PID:828
            • C:\Users\Admin\AppData\Local\Temp\11111.exe
              C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              6⤵
              PID:2280
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat1901bcef783ac39.exe /mixtwo
          4⤵
          • Loads dropped DLL
          PID:1288
          • C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat1901bcef783ac39.exe
            Sat1901bcef783ac39.exe /mixtwo
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:800
            • C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat1901bcef783ac39.exe
              Sat1901bcef783ac39.exe /mixtwo
              6⤵
              PID:1040
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c taskkill /im "Sat1901bcef783ac39.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat1901bcef783ac39.exe" & exit
                7⤵
                PID:1976
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /im "Sat1901bcef783ac39.exe" /f
                  8⤵
                  • Kills process with taskkill
                  PID:2132
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat197d72e4232.exe
          4⤵
          • Loads dropped DLL
          PID:384
          • C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat197d72e4232.exe
            Sat197d72e4232.exe
            5⤵
            PID:1020
            • C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat197d72e4232.exe
              C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat197d72e4232.exe
              6⤵
              PID:1000
            • C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat197d72e4232.exe
              C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat197d72e4232.exe
              6⤵
              PID:2724
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat1958c142005a6c92.exe
          4⤵
          PID:920
          • C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat1958c142005a6c92.exe
            Sat1958c142005a6c92.exe
            5⤵
            PID:1404
            • C:\Users\Admin\AppData\Local\Temp\is-98QKI.tmp\Sat1958c142005a6c92.tmp
              "C:\Users\Admin\AppData\Local\Temp\is-98QKI.tmp\Sat1958c142005a6c92.tmp" /SL5="$20166,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat1958c142005a6c92.exe"
              6⤵
              PID:1736
              • C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat1958c142005a6c92.exe
                "C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat1958c142005a6c92.exe" /SILENT
                7⤵
                PID:2152
                • C:\Users\Admin\AppData\Local\Temp\is-MCGAF.tmp\Sat1958c142005a6c92.tmp
                  "C:\Users\Admin\AppData\Local\Temp\is-MCGAF.tmp\Sat1958c142005a6c92.tmp" /SL5="$101B6,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat1958c142005a6c92.exe" /SILENT
                  8⤵
                  PID:2360
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat1912c54135c725.exe
          4⤵
          • Loads dropped DLL
          PID:804
          • C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat1912c54135c725.exe
            Sat1912c54135c725.exe
            5⤵
            • Executes dropped EXE
            PID:292
            • C:\Windows\SysWOW64\control.exe
              "C:\Windows\System32\control.exe" .\5LQZ.CB
              6⤵
              PID:2628
              • C:\Windows\SysWOW64\rundll32.exe
                "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\5LQZ.CB
                7⤵
                PID:2668
                • C:\Windows\system32\RunDll32.exe
                  C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\5LQZ.CB
                  8⤵
                  PID:2396
                  • C:\Windows\SysWOW64\rundll32.exe
                    "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\5LQZ.CB
                    9⤵
                    PID:2388
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat19e81939673f.exe
          4⤵
          • Loads dropped DLL
          PID:1684
          • C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat19e81939673f.exe
            Sat19e81939673f.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1728
            • C:\Users\Admin\Pictures\Adobe Films\17mE5VuCxCdX2ACcyEj8E_Xh.exe
              "C:\Users\Admin\Pictures\Adobe Films\17mE5VuCxCdX2ACcyEj8E_Xh.exe"
              6⤵
              PID:1828
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1728 -s 396
              6⤵
              • Program crash
              PID:1808
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat194450a25aea7.exe
          4⤵
          • Loads dropped DLL
          PID:1792
          • C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat194450a25aea7.exe
            Sat194450a25aea7.exe
            5⤵
            • Executes dropped EXE
            PID:1932
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sat197b041c46.exe
          4⤵
          PID:1272
          • C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat197b041c46.exe
            Sat197b041c46.exe
            5⤵
            PID:316
            • C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat197b041c46.exe
              C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat197b041c46.exe
              6⤵
              PID:2100
  • C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    1⤵
    • Process spawned unexpected child process
    PID:2688
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
      2⤵
      PID:2700
  • C:\Windows\system32\svchost.exe
                                                                                                C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                                1⤵
                                                                                                  PID:2792
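The tree above shows three launches worth a detection rule: rundll32.exe loading a DLL from %TEMP% by its export name (`"C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global`), payloads executed from a 7-Zip self-extractor directory (`\Temp\7zSC01BCB46\`), and two system binaries (rundll32.exe, svchost.exe) appearing at depth 1, i.e. with no parent shown in this tree. The script below is an added example, not code from the sandbox report; the records are constructed from the tree's own PIDs, depth markers, image paths and command lines, and the rule names, the user-writable directory list and the depth-1 heuristic are this example's assumptions.

```python
"""Triage a sandbox process tree for suspicious launches.

Added example, not code from the sandbox report. The records below are
constructed from the tree shown above (PID, tree depth, image path,
command line); rule names and thresholds are this example's own choices."""
import re
from dataclasses import dataclass

# Directories a non-admin user can write to; a rundll32 DLL argument under one
# of these is far more suspicious than a DLL in System32.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\programdata\\",
    "\\users\\public\\",
    "\\downloads\\",
)

# rundll32 syntax is "<dll>,<export>" with the DLL path optionally quoted.
RUNDLL_RE = re.compile(
    r'^\s*(?:"[^"]*rundll32\.exe"|\S*rundll32\.exe)\s+'
    r'(?:"(?P<q>[^"]+)"|(?P<u>[^,\s]+))\s*(?:,\s*(?P<export>\S+))?',
    re.IGNORECASE,
)


@dataclass
class Proc:
    pid: int
    depth: int     # the "N" level in the report tree (1 = no parent shown)
    image: str     # image path (the bullet line)
    cmdline: str   # command line (the line under the bullet)


# Constructed from the process tree above.
SAMPLE_TREE = [
    Proc(1792, 4, r"C:\Windows\SysWOW64\cmd.exe",
         r"C:\Windows\system32\cmd.exe /c Sat194450a25aea7.exe"),
    Proc(1932, 5, r"C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat194450a25aea7.exe",
         "Sat194450a25aea7.exe"),
    Proc(1272, 4, r"C:\Windows\SysWOW64\cmd.exe",
         r"C:\Windows\system32\cmd.exe /c Sat197b041c46.exe"),
    Proc(316, 5, r"C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat197b041c46.exe",
         "Sat197b041c46.exe"),
    Proc(2100, 6, r"C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat197b041c46.exe",
         r"C:\Users\Admin\AppData\Local\Temp\7zSC01BCB46\Sat197b041c46.exe"),
    Proc(2688, 1, r"C:\Windows\system32\rundll32.exe",
         r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global'),
    Proc(2700, 2, r"C:\Windows\SysWOW64\rundll32.exe",
         r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global'),
    Proc(2792, 1, r"C:\Windows\system32\svchost.exe",
         r"C:\Windows\system32\svchost.exe -k SystemNetworkService"),
]


def rundll32_target(cmdline):
    """Return (dll_path, export) for a rundll32 command line, else None."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    return (m.group("q") or m.group("u"), m.group("export"))


def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def check(proc):
    """Apply the rules to one process; returns the list of rule names that fired."""
    hits = []
    image = proc.image.lower()
    basename = image.rsplit("\\", 1)[-1]
    if basename == "rundll32.exe":
        target = rundll32_target(proc.cmdline)
        if target and in_user_writable(target[0]):
            hits.append("rundll32_user_writable_dll")
    # 7-Zip SFX archives unpack to %TEMP%\7zS<hex>\ before running their payload.
    if "\\temp\\7zs" in image:
        hits.append("exec_from_sfx_temp_dir")
    # svchost.exe is normally started by services.exe; a depth-1 entry means the
    # sandbox showed no parent for the process in this tree (assumption).
    if proc.depth == 1 and basename in ("rundll32.exe", "svchost.exe"):
        hits.append("system_binary_without_parent_in_tree")
    return hits


def scan(procs):
    """Map PID -> fired rules for every process that triggered at least one."""
    findings = {}
    for p in procs:
        hits = check(p)
        if hits:
            findings[p.pid] = hits
    return findings


if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_TREE).items():
        print(pid, ", ".join(rules))
```

On the constructed tree the scan flags 2688 and 2700 for the %TEMP% DLL, 2688 and 2792 for having no parent, and 316, 1932 and 2100 for running out of the SFX directory; the two cmd.exe wrappers are clean on their own, which is why the rule keys on the child's image path rather than on the `/c` argument.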

                                                                                                Network

                                                                                                      MITRE ATT&CK Enterprise v6


                                                                                                      Downloads

Dump                                                                Filesize
• memory/316-303-0x0000000000530000-0x0000000000531000-memory.dmp   4KB
• memory/316-300-0x0000000004A20000-0x0000000004A21000-memory.dmp   4KB
• memory/360-290-0x000000001AF10000-0x000000001AF12000-memory.dmp   8KB
• memory/564-91-0x000000006FE40000-0x000000006FFC6000-memory.dmp    1.5MB
• memory/564-94-0x0000000064940000-0x0000000064959000-memory.dmp    100KB
• memory/564-96-0x000000006B280000-0x000000006B2A6000-memory.dmp    152KB
• memory/564-97-0x000000006B280000-0x000000006B2A6000-memory.dmp    152KB
• memory/564-92-0x0000000064940000-0x0000000064959000-memory.dmp    100KB
• memory/564-95-0x000000006B440000-0x000000006B4CF000-memory.dmp    572KB
• memory/564-90-0x000000006FE40000-0x000000006FFC6000-memory.dmp    1.5MB
• memory/564-88-0x000000006FE40000-0x000000006FFC6000-memory.dmp    1.5MB
• memory/564-86-0x000000006B440000-0x000000006B4CF000-memory.dmp    572KB
• memory/564-84-0x000000006B440000-0x000000006B4CF000-memory.dmp    572KB
• memory/564-83-0x000000006B440000-0x000000006B4CF000-memory.dmp    572KB
• memory/564-85-0x0000000064940000-0x0000000064959000-memory.dmp    100KB
• memory/564-87-0x0000000064940000-0x0000000064959000-memory.dmp    100KB
• memory/564-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp    1.5MB
• memory/564-93-0x000000006FE40000-0x000000006FFC6000-memory.dmp    1.5MB
• memory/584-275-0x0000000001FB0000-0x0000000002BFA000-memory.dmp   12.3MB
• memory/584-295-0x0000000001FB0000-0x0000000002BFA000-memory.dmp   12.3MB
• memory/584-298-0x0000000001FB0000-0x0000000002BFA000-memory.dmp   12.3MB
• memory/676-294-0x00000000004A1000-0x00000000004A2000-memory.dmp   4KB
• memory/676-262-0x00000000004A0000-0x00000000004A1000-memory.dmp   4KB
• memory/676-297-0x00000000004A2000-0x00000000004A4000-memory.dmp   8KB
• memory/772-391-0x000000001AEC0000-0x000000001AEC2000-memory.dmp   8KB
• memory/828-237-0x0000000000400000-0x0000000000455000-memory.dmp   340KB
• memory/884-283-0x0000000000940000-0x000000000098D000-memory.dmp   308KB
• memory/884-285-0x0000000001580000-0x00000000015F2000-memory.dmp   456KB
• memory/1020-302-0x0000000000350000-0x00000000003DC000-memory.dmp  560KB
• memory/1020-299-0x0000000000CD0000-0x0000000000CD1000-memory.dmp  4KB
• memory/1040-210-0x0000000000400000-0x0000000000450000-memory.dmp  320KB
• memory/1040-211-0x0000000000400000-0x0000000000450000-memory.dmp  320KB
• memory/1040-199-0x0000000000400000-0x0000000000450000-memory.dmp  320KB
• memory/1040-198-0x0000000000400000-0x0000000000450000-memory.dmp  320KB
• memory/1184-234-0x0000000000400000-0x00000000004CA000-memory.dmp  808KB
• memory/1184-233-0x0000000000240000-0x0000000000249000-memory.dmp  36KB
• memory/1184-231-0x0000000000630000-0x0000000000641000-memory.dmp  68KB
• memory/1220-258-0x0000000002B40000-0x0000000002B56000-memory.dmp  88KB
• memory/1404-221-0x0000000000400000-0x00000000004CC000-memory.dmp  816KB
• memory/1536-238-0x0000000000400000-0x0000000003D6C000-memory.dmp  57.4MB
• memory/1536-224-0x0000000000400000-0x0000000003D6C000-memory.dmp  57.4MB
• memory/1536-223-0x0000000000400000-0x0000000003D6C000-memory.dmp  57.4MB
• memory/1536-225-0x0000000000400000-0x0000000003D6C000-memory.dmp  57.4MB
• memory/1536-222-0x0000000000300000-0x0000000000400000-memory.dmp  1024KB
• memory/1536-232-0x0000000000400000-0x0000000003D6C000-memory.dmp  57.4MB
• memory/1576-54-0x00000000754B1000-0x00000000754B3000-memory.dmp   8KB
• memory/1724-301-0x0000000003B50000-0x0000000003C9E000-memory.dmp  1.3MB
• memory/1728-304-0x00000000040A0000-0x00000000041EE000-memory.dmp  1.3MB
• memory/1736-252-0x0000000000280000-0x0000000000281000-memory.dmp  4KB
• memory/1756-229-0x0000000000400000-0x0000000000536000-memory.dmp  1.2MB
• memory/1756-228-0x0000000001DD0000-0x0000000001EA9000-memory.dmp  868KB
• memory/1756-226-0x0000000000280000-0x00000000002FD000-memory.dmp  500KB
• memory/1808-397-0x00000000003A0000-0x00000000003A1000-memory.dmp  4KB
• memory/1864-218-0x0000000000240000-0x0000000000242000-memory.dmp  8KB
• memory/1864-220-0x0000000000360000-0x0000000000365000-memory.dmp  20KB
• memory/1932-239-0x00000000010E0000-0x00000000010E1000-memory.dmp  4KB
• memory/1932-289-0x000000001AB90000-0x000000001AB92000-memory.dmp  8KB
• memory/2100-349-0x0000000002680000-0x0000000002681000-memory.dmp  4KB
• memory/2112-395-0x0000000000700000-0x0000000000701000-memory.dmp  4KB
• memory/2152-253-0x0000000000400000-0x00000000004CC000-memory.dmp  816KB
• memory/2288-352-0x0000000000450000-0x0000000000451000-memory.dmp  4KB
• memory/2360-266-0x00000000003E0000-0x00000000003E1000-memory.dmp  4KB
• memory/2388-313-0x0000000000180000-0x0000000000181000-memory.dmp  4KB
• memory/2668-291-0x000000002D680000-0x000000002D737000-memory.dmp  732KB
• memory/2668-287-0x0000000000180000-0x0000000000181000-memory.dmp  4KB
• memory/2668-292-0x000000002D800000-0x000000002D8B5000-memory.dmp  724KB
• memory/2688-357-0x0000000000960000-0x0000000000B2F000-memory.dmp  1.8MB
• memory/2700-281-0x0000000000A00000-0x0000000000A5D000-memory.dmp  372KB
• memory/2700-280-0x0000000000810000-0x0000000000911000-memory.dmp  1.0MB
• memory/2724-350-0x0000000000F20000-0x0000000000F21000-memory.dmp  4KB
• memory/2792-371-0x0000000001C90000-0x0000000001CAB000-memory.dmp  108KB
• memory/2792-372-0x0000000001D50000-0x0000000001D79000-memory.dmp  164KB
• memory/2792-374-0x0000000002CC0000-0x0000000002DC5000-memory.dmp  1.0MB
• memory/2792-284-0x0000000000210000-0x0000000000282000-memory.dmp  456KB
• memory/2992-353-0x00000000004E0000-0x0000000000525000-memory.dmp  276KB
• memory/3008-378-0x0000000004C00000-0x0000000004C01000-memory.dmp  4KB
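The dump names encode everything needed to triage them without opening a single file: PID, sequence number and the virtual address range, from which the Filesize column follows (0x3D6C000 - 0x400000 = 0x396C000 bytes = 57.4MB). Grouping by PID ties the dumps back to the process tree (2688 and 2700 are the two rundll32.exe instances, 2792 the parentless svchost.exe), repeated captures of one range (PID 1536's 0x400000-0x3D6C000 five times) show a region being rewritten during the run, and a multi-megabyte region sitting at the x86 default EXE image base is the first dump to pull for unpacked-payload analysis. The script below is an added example, not code from the sandbox report; the name pattern is read off the list above, the sample names are a constructed subset of it, and the 0x400000 image base, the 1MiB threshold and the "re-dumped" heuristic are this example's own assumptions.

```python
"""Triage the sandbox's memory-dump list by PID and region.

Added example, not code from the sandbox report. Dump names follow the
pattern seen in the list above, memory/<pid>-<n>-<start>-<end>-memory.dmp;
the 0x400000 image base and the size threshold are this example's own
assumptions."""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-(?P<start>0x[0-9a-fA-F]+)-"
    r"(?P<end>0x[0-9a-fA-F]+)-memory\.dmp$"
)

# Constructed subset of the dump list above.
SAMPLE_DUMPS = [
    "memory/1040-210-0x0000000000400000-0x0000000000450000-memory.dmp",
    "memory/1040-211-0x0000000000400000-0x0000000000450000-memory.dmp",
    "memory/1536-238-0x0000000000400000-0x0000000003D6C000-memory.dmp",
    "memory/1536-224-0x0000000000400000-0x0000000003D6C000-memory.dmp",
    "memory/1536-222-0x0000000000300000-0x0000000000400000-memory.dmp",
    "memory/2688-357-0x0000000000960000-0x0000000000B2F000-memory.dmp",
    "memory/2700-281-0x0000000000A00000-0x0000000000A5D000-memory.dmp",
    "memory/2700-280-0x0000000000810000-0x0000000000911000-memory.dmp",
    "memory/2792-374-0x0000000002CC0000-0x0000000002DC5000-memory.dmp",
    "memory/3008-378-0x0000000004C00000-0x0000000004C01000-memory.dmp",
]


def parse_dump_name(name):
    """Split a dump file name into pid, sequence number and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Format like the report's Filesize column: whole KB up to and including
    1024KB, MB with one decimal above that."""
    if nbytes > 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def triage(names, image_base=0x400000, big=1 << 20):
    """Per-PID summary: dump count, largest region, ranges dumped more than
    once, and large regions mapped at the default EXE image base."""
    by_pid = defaultdict(list)
    for n in names:
        d = parse_dump_name(n)
        by_pid[d["pid"]].append(d)
    report = {}
    for pid, dumps in sorted(by_pid.items()):
        count = defaultdict(int)
        for d in dumps:
            count[(d["start"], d["end"])] += 1
        report[pid] = {
            "dumps": len(dumps),
            "largest": max(d["size"] for d in dumps),
            # the same range captured repeatedly: it was rewritten while the
            # sandbox watched (unpacking stages, overwritten images)
            "redumped": [r for r, c in count.items() if c > 1],
            # a region at the x86 default image base bigger than `big` is the
            # natural first candidate for an unpacked payload
            "big_at_image_base": [r for r in count
                                  if r[0] == image_base and r[1] - r[0] > big],
        }
    return report


if __name__ == "__main__":
    for pid, info in triage(SAMPLE_DUMPS).items():
        print(pid, info["dumps"], human_size(info["largest"]),
              info["redumped"], info["big_at_image_base"])
```

Run against the full list the same way (one name per line into `triage`) and sort by `largest`; `human_size` reproduces the report's own column, including the 1024KB edge case for an exactly 1MiB region.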