Analysis

  • max time kernel
    66s
  • max time network
    173s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    20/12/2021, 14:04

General

  • Target

    1cf8b07078eeb719059ca5f31898d2252fb9c92077e0646900f14914c15a8098.exe

  • Size

    7.1MB

  • MD5

    d866d58ec1615ca95161e0f83c13dd73

  • SHA1

    258f6d8adaa4f6fad03a603c6a034b40cf731558

  • SHA256

    1cf8b07078eeb719059ca5f31898d2252fb9c92077e0646900f14914c15a8098

  • SHA512

    bc557b5c8ea1999aa101de52f23401b83b8d7c09990582cab9a17110ced814149101084b8e98948d81b401cc6e7b34a128930a860449b4378f5216a23a78cf3e

Malware Config

Extracted

Family

socelars

C2

http://www.biohazardgraphics.com/

Extracted

Family

vidar

Version

49.1

Botnet

915

C2

https://noc.social/@sergeev46

https://c.im/@sergeev47

Attributes
  • profile_id

    915

Extracted

Family

smokeloader

Version

2020

C2

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

rc4.i32
rc4.i32

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 2 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • suricata: ET MALWARE GCleaner Downloader Activity M5
  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 5 IoCs
  • Vidar Stealer 3 IoCs
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Downloads MZ/PE file
  • Executes dropped EXE 25 IoCs
  • Loads dropped DLL 17 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 3 IoCs
  • Modifies registry class 10 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 52 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
    1⤵
    PID:2528
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Browser
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:2764
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k SystemNetworkService
      2⤵
      PID:4636
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
    1⤵
    PID:2480
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
    1⤵
    PID:1108
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Schedule
    1⤵
    PID:1040
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
    1⤵
    PID:316
  • C:\Users\Admin\AppData\Local\Temp\1cf8b07078eeb719059ca5f31898d2252fb9c92077e0646900f14914c15a8098.exe
    "C:\Users\Admin\AppData\Local\Temp\1cf8b07078eeb719059ca5f31898d2252fb9c92077e0646900f14914c15a8098.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2732
    • C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\setup_install.exe
      "C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\setup_install.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3748
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2804
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3220
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:372
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sat04e9d8f172e50.exe /mixtwo
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3208
        • C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat04e9d8f172e50.exe
          Sat04e9d8f172e50.exe /mixtwo
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2300
          • C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat04e9d8f172e50.exe
            Sat04e9d8f172e50.exe /mixtwo
            5⤵
            • Executes dropped EXE
            PID:2324
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c taskkill /im "Sat04e9d8f172e50.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat04e9d8f172e50.exe" & exit
              6⤵
              PID:696
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /im "Sat04e9d8f172e50.exe" /f
                7⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2364
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sat0475667e2de8c3.exe
        3⤵
        PID:408
        • C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat0475667e2de8c3.exe
          Sat0475667e2de8c3.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3580
          • C:\Users\Admin\AppData\Local\1337ac59-dae0-466a-9371-5521afd08e46.exe
            "C:\Users\Admin\AppData\Local\1337ac59-dae0-466a-9371-5521afd08e46.exe"
            5⤵
            • Executes dropped EXE
            PID:4560
          • C:\Users\Admin\AppData\Local\6f745f34-b8ce-4780-81d1-12650f73030d.exe
            "C:\Users\Admin\AppData\Local\6f745f34-b8ce-4780-81d1-12650f73030d.exe"
            5⤵
            • Executes dropped EXE
            PID:4644
            • C:\Users\Admin\AppData\Roaming\25135226\5609560866893550.exe
              "C:\Users\Admin\AppData\Roaming\25135226\5609560866893550.exe"
              6⤵
              PID:3580
          • C:\Users\Admin\AppData\Local\30308263-6d15-4858-9e95-b8ab79b221ec.exe
            "C:\Users\Admin\AppData\Local\30308263-6d15-4858-9e95-b8ab79b221ec.exe"
            5⤵
            PID:4828
          • C:\Users\Admin\AppData\Local\63071577-ecd8-4a08-82fe-ce93960b9fda.exe
            "C:\Users\Admin\AppData\Local\63071577-ecd8-4a08-82fe-ce93960b9fda.exe"
            5⤵
            PID:4972
          • C:\Users\Admin\AppData\Local\4f482831-5376-4256-b960-04ff179ac4c2.exe
            "C:\Users\Admin\AppData\Local\4f482831-5376-4256-b960-04ff179ac4c2.exe"
            5⤵
            PID:5056
            • C:\Users\Admin\AppData\Roaming\1591470.exe
              "C:\Users\Admin\AppData\Roaming\1591470.exe"
              6⤵
              PID:4656
              • C:\Windows\SysWOW64\control.exe
                "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                7⤵
                PID:4992
                • C:\Windows\SysWOW64\rundll32.exe
                  "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                  8⤵
                  PID:424
                  • C:\Windows\system32\RunDll32.exe
                    C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                    9⤵
                    PID:6316
                    • C:\Windows\SysWOW64\rundll32.exe
                      "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                      10⤵
                      PID:6460
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sat04582c0a08.exe
        3⤵
        PID:3512
        • C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat04582c0a08.exe
          Sat04582c0a08.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2228
          • C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat04582c0a08.exe
            C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat04582c0a08.exe
            5⤵
            PID:4476
          • C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat04582c0a08.exe
            C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat04582c0a08.exe
            5⤵
            PID:4848
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sat04efd3813d34d2686.exe
        3⤵
        PID:2252
        • C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat04efd3813d34d2686.exe
          Sat04efd3813d34d2686.exe
          4⤵
          • Executes dropped EXE
          • Modifies registry class
          PID:2996
          • C:\Windows\SysWOW64\control.exe
            "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\1S3Y.CPl",
            5⤵
            PID:3432
            • C:\Windows\SysWOW64\rundll32.exe
              "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\1S3Y.CPl",
              6⤵
              • Loads dropped DLL
              PID:3164
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sat04cf04f0504c7.exe
        3⤵
        PID:1692
        • C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat04cf04f0504c7.exe
          Sat04cf04f0504c7.exe
          4⤵
          • Executes dropped EXE
          PID:3964
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sat04091e9a4f.exe
        3⤵
        PID:1556
        • C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat04091e9a4f.exe
          Sat04091e9a4f.exe
          4⤵
          • Executes dropped EXE
          PID:3216
          • C:\Users\Admin\AppData\Local\Temp\11111.exe
            C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            5⤵
            • Executes dropped EXE
            PID:1780
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sat0413d2f09b96ff.exe
        3⤵
        PID:608
        • C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat0413d2f09b96ff.exe
          Sat0413d2f09b96ff.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2468
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c taskkill /f /im chrome.exe
            5⤵
            PID:1012
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /f /im chrome.exe
              6⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1904
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sat0448d9fa84aca6c1.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3968
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sat0440a840bf678986a.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1272
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sat045fe73e29fa5e0b2.exe
        3⤵
        PID:2420
        • C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat045fe73e29fa5e0b2.exe
          Sat045fe73e29fa5e0b2.exe
          4⤵
          • Executes dropped EXE
          • Modifies registry class
          PID:1496
          • C:\Windows\SysWOW64\control.exe
            "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\JQOzcH.CPL",
            5⤵
            PID:3976
            • C:\Windows\SysWOW64\rundll32.exe
              "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\JQOzcH.CPL",
              6⤵
              • Loads dropped DLL
              PID:2176
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sat047cc0debc59.exe
        3⤵
        PID:2144
        • C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat047cc0debc59.exe
          Sat047cc0debc59.exe
          4⤵
          • Executes dropped EXE
          PID:2208
          • C:\Users\Admin\AppData\Local\Temp\is-9IVES.tmp\Sat047cc0debc59.tmp
            "C:\Users\Admin\AppData\Local\Temp\is-9IVES.tmp\Sat047cc0debc59.tmp" /SL5="$5002E,140047,56320,C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat047cc0debc59.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:2816
            • C:\Users\Admin\AppData\Local\Temp\is-8FAES.tmp\Tougay.exe
              "C:\Users\Admin\AppData\Local\Temp\is-8FAES.tmp\Tougay.exe" /S /UID=91
              6⤵
              • Executes dropped EXE
              PID:3548
              • C:\Users\Admin\AppData\Local\Temp\3a-ea4b2-df4-75ca2-f5058de29567f\Mishyfemejae.exe
                "C:\Users\Admin\AppData\Local\Temp\3a-ea4b2-df4-75ca2-f5058de29567f\Mishyfemejae.exe"
                7⤵
                PID:5116
              • C:\Users\Admin\AppData\Local\Temp\2c-96d88-78c-99280-41fa269a27ef5\Pyxegaelati.exe
                "C:\Users\Admin\AppData\Local\Temp\2c-96d88-78c-99280-41fa269a27ef5\Pyxegaelati.exe"
                7⤵
                PID:4456
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3rosefwq.wpx\installer.exe /qn CAMPAIGN="654" & exit
                  8⤵
                  PID:5796
                  • C:\Users\Admin\AppData\Local\Temp\3rosefwq.wpx\installer.exe
                    C:\Users\Admin\AppData\Local\Temp\3rosefwq.wpx\installer.exe /qn CAMPAIGN="654"
                    9⤵
                    PID:6128
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wl3jrsfx.yam\any.exe & exit
                  8⤵
                  PID:5848
                  • C:\Users\Admin\AppData\Local\Temp\wl3jrsfx.yam\any.exe
                    C:\Users\Admin\AppData\Local\Temp\wl3jrsfx.yam\any.exe
                    9⤵
                    PID:6108
                    • C:\Users\Admin\AppData\Local\Temp\wl3jrsfx.yam\any.exe
                      "C:\Users\Admin\AppData\Local\Temp\wl3jrsfx.yam\any.exe" -u
                      10⤵
                      PID:6360
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bnheotxz.gt0\autosubplayer.exe /S & exit
                  8⤵
                  PID:5956
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sat04951cf2a61625.exe
        3⤵
        PID:2016
        • C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat04951cf2a61625.exe
          Sat04951cf2a61625.exe
          4⤵
          • Executes dropped EXE
          PID:3640
          • C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat04951cf2a61625.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat04951cf2a61625.exe" -u
            5⤵
            • Executes dropped EXE
            PID:2832
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sat049b33b1be29125.exe
        3⤵
        PID:2608
        • C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat049b33b1be29125.exe
          Sat049b33b1be29125.exe
          4⤵
          • Executes dropped EXE
          PID:836
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c Sat04d99657076.exe
        3⤵
        PID:3148
        • C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat04d99657076.exe
          Sat04d99657076.exe
          4⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          PID:424
  • C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat0448d9fa84aca6c1.exe
    Sat0448d9fa84aca6c1.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1292
    • C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat0448d9fa84aca6c1.exe
      C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat0448d9fa84aca6c1.exe
      2⤵
      PID:4468
  • C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat0440a840bf678986a.exe
    Sat0440a840bf678986a.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:2620
    • C:\Windows\SysWOW64\cmd.exe
                                                                                        "C:\Windows\System32\cmd.exe" /c taskkill /im Sat0440a840bf678986a.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat0440a840bf678986a.exe" & del C:\ProgramData\*.dll & exit
                                                                                        2⤵
                                                                                          PID:2468
                                                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                                                            taskkill /im Sat0440a840bf678986a.exe /f
                                                                                            3⤵
                                                                                            • Kills process with taskkill
                                                                                            PID:4516
                                                                                          • C:\Windows\SysWOW64\timeout.exe
                                                                                            timeout /t 6
                                                                                            3⤵
                                                                                            • Delays execution with timeout.exe
                                                                                            PID:3284
                                                                                      • C:\Users\Admin\AppData\Local\Temp\is-99G3B.tmp\Sat04cf04f0504c7.tmp
                                                                                        "C:\Users\Admin\AppData\Local\Temp\is-99G3B.tmp\Sat04cf04f0504c7.tmp" /SL5="$50032,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat04cf04f0504c7.exe"
                                                                                        1⤵
                                                                                        • Executes dropped EXE
                                                                                        • Loads dropped DLL
                                                                                        PID:872
                                                                                        • C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat04cf04f0504c7.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat04cf04f0504c7.exe" /SILENT
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          PID:3872
                                                                                          • C:\Users\Admin\AppData\Local\Temp\is-34N3C.tmp\Sat04cf04f0504c7.tmp
                                                                                            "C:\Users\Admin\AppData\Local\Temp\is-34N3C.tmp\Sat04cf04f0504c7.tmp" /SL5="$201E0,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zSCAA7A696\Sat04cf04f0504c7.exe" /SILENT
                                                                                            3⤵
                                                                                            • Executes dropped EXE
                                                                                            • Loads dropped DLL
                                                                                            PID:1516
                                                                                      • C:\Windows\system32\rundll32.exe
                                                                                        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                        1⤵
                                                                                        • Process spawned unexpected child process
                                                                                        PID:4236
                                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                                          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                          2⤵
                                                                                          • Loads dropped DLL
                                                                                          • Modifies registry class
                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:4260
                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                        1⤵
                                                                                          PID:6780

Network

MITRE ATT&CK Enterprise v6

Downloads

• memory/316-322-0x0000020AB0610000-0x0000020AB0682000-memory.dmp
  Filesize: 456KB
• memory/316-312-0x0000020AB03F0000-0x0000020AB03F2000-memory.dmp
  Filesize: 8KB
• memory/316-311-0x0000020AB03F0000-0x0000020AB03F2000-memory.dmp
  Filesize: 8KB
• memory/372-239-0x0000000006CD0000-0x0000000006CD1000-memory.dmp
  Filesize: 4KB
• memory/372-222-0x00000000042C0000-0x00000000042C1000-memory.dmp
  Filesize: 4KB
• memory/372-225-0x00000000042C0000-0x00000000042C1000-memory.dmp
  Filesize: 4KB
• memory/372-506-0x0000000006693000-0x0000000006694000-memory.dmp
  Filesize: 4KB
• memory/372-296-0x0000000006B90000-0x0000000006B91000-memory.dmp
  Filesize: 4KB
• memory/372-469-0x000000007EDB0000-0x000000007EDB1000-memory.dmp
  Filesize: 4KB
• memory/372-235-0x0000000006690000-0x0000000006691000-memory.dmp
  Filesize: 4KB
• memory/372-237-0x00000000043D0000-0x00000000043D1000-memory.dmp
  Filesize: 4KB
• memory/372-242-0x0000000006692000-0x0000000006693000-memory.dmp
  Filesize: 4KB
• memory/424-255-0x0000000000786000-0x0000000000796000-memory.dmp
  Filesize: 64KB
• memory/424-256-0x00000000004D0000-0x000000000061A000-memory.dmp
  Filesize: 1.3MB
• memory/424-265-0x0000000000400000-0x00000000004CC000-memory.dmp
  Filesize: 816KB
• memory/872-221-0x00000000006E0000-0x000000000082A000-memory.dmp
  Filesize: 1.3MB
• memory/1040-331-0x000002A791C20000-0x000002A791C22000-memory.dmp
  Filesize: 8KB
• memory/1040-342-0x000002A792300000-0x000002A792372000-memory.dmp
  Filesize: 456KB
• memory/1108-327-0x00000276A7140000-0x00000276A71B2000-memory.dmp
  Filesize: 456KB
• memory/1108-325-0x00000276A69D0000-0x00000276A69D2000-memory.dmp
  Filesize: 8KB
• memory/1108-323-0x00000276A69D0000-0x00000276A69D2000-memory.dmp
  Filesize: 8KB
• memory/1200-367-0x0000025C4C940000-0x0000025C4C9B2000-memory.dmp
  Filesize: 456KB
• memory/1292-230-0x00000000007C0000-0x00000000007C1000-memory.dmp
  Filesize: 4KB
• memory/1292-277-0x0000000005060000-0x0000000005061000-memory.dmp
  Filesize: 4KB
• memory/1292-268-0x0000000005050000-0x0000000005051000-memory.dmp
  Filesize: 4KB
• memory/1292-292-0x0000000005010000-0x0000000005011000-memory.dmp
  Filesize: 4KB
• memory/1292-270-0x0000000001100000-0x0000000001101000-memory.dmp
  Filesize: 4KB
• memory/1312-140-0x000000006FE40000-0x000000006FFC6000-memory.dmp
  Filesize: 1.5MB
• memory/1312-134-0x0000000064940000-0x0000000064959000-memory.dmp
  Filesize: 100KB
• memory/1312-137-0x000000006FE40000-0x000000006FFC6000-memory.dmp
  Filesize: 1.5MB
• memory/1312-132-0x0000000064940000-0x0000000064959000-memory.dmp
  Filesize: 100KB
• memory/1312-141-0x000000006B280000-0x000000006B2A6000-memory.dmp
  Filesize: 152KB
• memory/1312-131-0x000000006B440000-0x000000006B4CF000-memory.dmp
  Filesize: 572KB
• memory/1312-133-0x000000006B440000-0x000000006B4CF000-memory.dmp
  Filesize: 572KB
• memory/1312-138-0x000000006FE40000-0x000000006FFC6000-memory.dmp
  Filesize: 1.5MB
• memory/1312-135-0x000000006B440000-0x000000006B4CF000-memory.dmp
  Filesize: 572KB
• memory/1312-136-0x0000000064940000-0x0000000064959000-memory.dmp
  Filesize: 100KB
• memory/1312-139-0x000000006FE40000-0x000000006FFC6000-memory.dmp
  Filesize: 1.5MB
• memory/1312-130-0x0000000064940000-0x0000000064959000-memory.dmp
  Filesize: 100KB
• memory/1380-370-0x000001EA5AAA0000-0x000001EA5AB12000-memory.dmp
  Filesize: 456KB
• memory/1392-341-0x00000179F77A0000-0x00000179F7812000-memory.dmp
  Filesize: 456KB
• memory/1496-200-0x0000000000560000-0x0000000000561000-memory.dmp
  Filesize: 4KB
• memory/1496-203-0x0000000000560000-0x0000000000561000-memory.dmp
  Filesize: 4KB
• memory/1516-264-0x0000000000B00000-0x0000000000B01000-memory.dmp
  Filesize: 4KB
• memory/1780-251-0x0000000000400000-0x0000000000455000-memory.dmp
  Filesize: 340KB
• memory/1860-363-0x0000016B5B4B0000-0x0000016B5B522000-memory.dmp
  Filesize: 456KB
• memory/2176-432-0x0000000003370000-0x00000000034BA000-memory.dmp
  Filesize: 1.3MB
• memory/2208-214-0x0000000000400000-0x0000000000414000-memory.dmp
  Filesize: 80KB
• memory/2228-229-0x0000000000060000-0x0000000000061000-memory.dmp
  Filesize: 4KB
• memory/2228-306-0x0000000005130000-0x0000000005131000-memory.dmp
  Filesize: 4KB
• memory/2228-269-0x0000000004AC0000-0x0000000004AC1000-memory.dmp
  Filesize: 4KB
• memory/2228-271-0x0000000004830000-0x0000000004831000-memory.dmp
  Filesize: 4KB
• memory/2324-182-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
• memory/2324-212-0x0000000000400000-0x0000000000450000-memory.dmp
  Filesize: 320KB
• memory/2480-316-0x000002041FBE0000-0x000002041FBE2000-memory.dmp
  Filesize: 8KB
• memory/2480-318-0x000002041FBE0000-0x000002041FBE2000-memory.dmp
  Filesize: 8KB
• memory/2480-320-0x0000020420440000-0x00000204204B2000-memory.dmp
  Filesize: 456KB
• memory/2528-313-0x0000027A13160000-0x0000027A13162000-memory.dmp
  Filesize: 8KB
• memory/2528-314-0x0000027A13160000-0x0000027A13162000-memory.dmp
  Filesize: 8KB
• memory/2528-326-0x0000027A13960000-0x0000027A139D2000-memory.dmp
  Filesize: 456KB
• memory/2620-266-0x0000000000400000-0x0000000000539000-memory.dmp
  Filesize: 1.2MB
• memory/2620-254-0x0000000002140000-0x0000000002219000-memory.dmp
  Filesize: 868KB
• memory/2720-294-0x00000000012B0000-0x00000000012C6000-memory.dmp
  Filesize: 88KB
• memory/2764-319-0x000001BB38360000-0x000001BB383D2000-memory.dmp
  Filesize: 456KB
• memory/2764-309-0x000001BB37AF0000-0x000001BB37AF2000-memory.dmp
  Filesize: 8KB
• memory/2764-317-0x000001BB37C00000-0x000001BB37C4D000-memory.dmp
  Filesize: 308KB
• memory/2764-310-0x000001BB37AF0000-0x000001BB37AF2000-memory.dmp
  Filesize: 8KB
• memory/2804-305-0x0000000008200000-0x0000000008201000-memory.dmp
  Filesize: 4KB
• memory/2804-223-0x0000000005010000-0x0000000005011000-memory.dmp
  Filesize: 4KB

                                                                                              • memory/2804-505-0x0000000005083000-0x0000000005084000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/2804-226-0x0000000005010000-0x0000000005011000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/2804-298-0x00000000080B0000-0x00000000080B1000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/2804-470-0x000000007ECE0000-0x000000007ECE1000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/2804-301-0x0000000008190000-0x0000000008191000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/2804-236-0x0000000005080000-0x0000000005081000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/2804-243-0x0000000005082000-0x0000000005083000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/2816-224-0x0000000000640000-0x0000000000641000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/2840-395-0x00000282A8B30000-0x00000282A8BA2000-memory.dmp

                                                                                                Filesize

                                                                                                456KB

                                                                                              • memory/2856-397-0x00000176D5F40000-0x00000176D5FB2000-memory.dmp

                                                                                                Filesize

                                                                                                456KB

                                                                                              • memory/2996-189-0x00000000002F0000-0x00000000002F1000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/2996-195-0x00000000002F0000-0x00000000002F1000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/3164-434-0x0000000002800000-0x000000000294A000-memory.dmp

                                                                                                Filesize

                                                                                                1.3MB

                                                                                              • memory/3548-304-0x0000000002B40000-0x0000000002B42000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                              • memory/3580-283-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/3580-511-0x000000001B130000-0x000000001B132000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                              • memory/3580-232-0x0000000000490000-0x0000000000491000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/3580-240-0x0000000004C40000-0x0000000004C41000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/3872-252-0x0000000000400000-0x00000000004CC000-memory.dmp

                                                                                                Filesize

                                                                                                816KB

                                                                                              • memory/3964-213-0x0000000000400000-0x00000000004CC000-memory.dmp

                                                                                                Filesize

                                                                                                816KB

                                                                                              • memory/4260-300-0x00000000044D0000-0x00000000045D1000-memory.dmp

                                                                                                Filesize

                                                                                                1.0MB

                                                                                              • memory/4260-303-0x0000000004430000-0x000000000448D000-memory.dmp

                                                                                                Filesize

                                                                                                372KB

                                                                                              • memory/4456-507-0x00000000008B0000-0x00000000008B2000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                              • memory/4456-587-0x00000000008B2000-0x00000000008B4000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                              • memory/4456-589-0x00000000008B4000-0x00000000008B5000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/4456-652-0x00000000008B5000-0x00000000008B6000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/4468-405-0x00000000056F0000-0x0000000005CF6000-memory.dmp

                                                                                                Filesize

                                                                                                6.0MB

                                                                                              • memory/4560-390-0x0000000004D60000-0x0000000004D61000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/4560-329-0x00000000002B0000-0x00000000002B1000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/4636-452-0x000001D83BF00000-0x000001D83C005000-memory.dmp

                                                                                                Filesize

                                                                                                1.0MB

                                                                                              • memory/4636-328-0x000001D83AEB0000-0x000001D83AEB2000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                              • memory/4636-330-0x000001D83AEB0000-0x000001D83AEB2000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                              • memory/4636-339-0x000001D839670000-0x000001D8396E2000-memory.dmp

                                                                                                Filesize

                                                                                                456KB

                                                                                              • memory/4636-450-0x000001D83AF70000-0x000001D83AF8B000-memory.dmp

                                                                                                Filesize

                                                                                                108KB

                                                                                              • memory/4636-451-0x000001D83AFC0000-0x000001D83AFE9000-memory.dmp

                                                                                                Filesize

                                                                                                164KB

                                                                                              • memory/4828-404-0x0000000001040000-0x0000000001041000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/4828-345-0x0000000000D40000-0x0000000000D85000-memory.dmp

                                                                                                Filesize

                                                                                                276KB

                                                                                              • memory/4848-407-0x0000000004E80000-0x0000000005486000-memory.dmp

                                                                                                Filesize

                                                                                                6.0MB

                                                                                              • memory/4972-365-0x0000000002420000-0x0000000002465000-memory.dmp

                                                                                                Filesize

                                                                                                276KB

                                                                                              • memory/5056-412-0x00000000050D0000-0x00000000050D1000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                              • memory/5116-504-0x0000000002510000-0x0000000002512000-memory.dmp

                                                                                                Filesize

                                                                                                8KB