Analysis

  • max time kernel
    153s
  • max time network
    162s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    20/12/2021, 14:05

General

  • Target

    ed7ae148af089dfbd4b129eccb1723117ad5d2cb6cbe94f20b61b18db699b138.exe

  • Size

    6.2MB

  • MD5

    c17d0b1a330fc02dc43b53e0f45eecf2

  • SHA1

    bf2f2b9f8f46adb0a3d222ef60d156c5848e94d8

  • SHA256

    ed7ae148af089dfbd4b129eccb1723117ad5d2cb6cbe94f20b61b18db699b138

  • SHA512

    6a067e05dd4afddb82544f392dc8a413db8a5d0e2dda8aa3bc4dca2ab792ede34ee4ca997a268553ff596bef3d9bd30340a7c659622cda01a110397ea7b3dc0d

Malware Config

Extracted

Family

socelars

C2

http://www.biohazardgraphics.com/

Extracted

Family

smokeloader

Version

2020

C2

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

rc4.i32

Extracted

Family

vidar

Version

49.1

Botnet

915

C2

https://noc.social/@sergeev46

https://c.im/@sergeev47

Attributes
  • profile_id

    915

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 3 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 2 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • NirSoft WebBrowserPassView 3 IoCs

    Password recovery tool for various web browsers.

  • Nirsoft 3 IoCs
  • Vidar Stealer 2 IoCs
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 34 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in System32 directory 13 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 19 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    PID:464
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:856
          • C:\Windows\system32\wbem\WMIADAP.EXE
            wmiadap.exe /F /T /R
            3⤵
            PID:3020
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:2564
  • C:\Users\Admin\AppData\Local\Temp\ed7ae148af089dfbd4b129eccb1723117ad5d2cb6cbe94f20b61b18db699b138.exe
    "C:\Users\Admin\AppData\Local\Temp\ed7ae148af089dfbd4b129eccb1723117ad5d2cb6cbe94f20b61b18db699b138.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1668
      • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
        "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:648
          • C:\Users\Admin\AppData\Local\Temp\7zS882E6116\setup_install.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS882E6116\setup_install.exe"
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1632
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
                4⤵
                PID:1972
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
                    5⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1144
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                4⤵
                PID:1828
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                    5⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1392
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Fri0861175859c9666.exe
                4⤵
                • Loads dropped DLL
                PID:744
                  • C:\Users\Admin\AppData\Local\Temp\7zS882E6116\Fri0861175859c9666.exe
                    Fri0861175859c9666.exe
                    5⤵
                    • Executes dropped EXE
                    PID:1312
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Fri0871927e7e7933.exe
                4⤵
                • Loads dropped DLL
                PID:1128
                  • C:\Users\Admin\AppData\Local\Temp\7zS882E6116\Fri0871927e7e7933.exe
                    Fri0871927e7e7933.exe
                    5⤵
                    • Executes dropped EXE
                    PID:1712
                      • C:\Users\Admin\AppData\Local\00d80cd9-434e-4efe-8c95-101e6ea1cd59.exe
                        "C:\Users\Admin\AppData\Local\00d80cd9-434e-4efe-8c95-101e6ea1cd59.exe"
                        6⤵
                        • Executes dropped EXE
                        PID:1052
                      • C:\Users\Admin\AppData\Local\8643008b-a8f3-46d2-8048-c5926de96991.exe
                        "C:\Users\Admin\AppData\Local\8643008b-a8f3-46d2-8048-c5926de96991.exe"
                        6⤵
                        • Executes dropped EXE
                        • Adds Run key to start application
                        PID:2500
                          • C:\Users\Admin\AppData\Roaming\54782198\7114375671143756.exe
                            "C:\Users\Admin\AppData\Roaming\54782198\7114375671143756.exe"
                            7⤵
                            • Executes dropped EXE
                            PID:2444
                      • C:\Users\Admin\AppData\Local\7ee942e5-564e-4c51-9c6c-49beae18b2f6.exe
                        "C:\Users\Admin\AppData\Local\7ee942e5-564e-4c51-9c6c-49beae18b2f6.exe"
                        6⤵
                        • Executes dropped EXE
                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                        PID:2784
                      • C:\Users\Admin\AppData\Local\ac1ef471-40bc-4065-8875-9931e7160196.exe
                        "C:\Users\Admin\AppData\Local\ac1ef471-40bc-4065-8875-9931e7160196.exe"
                        6⤵
                        • Executes dropped EXE
                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                        PID:2696
                      • C:\Users\Admin\AppData\Local\54432f78-4913-4503-92e4-70b86f823a73.exe
                        "C:\Users\Admin\AppData\Local\54432f78-4913-4503-92e4-70b86f823a73.exe"
                        6⤵
                        • Executes dropped EXE
                        PID:592
                          • C:\Users\Admin\AppData\Roaming\4574227.exe
                            "C:\Users\Admin\AppData\Roaming\4574227.exe"
                            7⤵
                            • Executes dropped EXE
                            PID:2140
                              • C:\Windows\SysWOW64\control.exe
                                "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                                8⤵
                                PID:1916
                                  • C:\Windows\SysWOW64\rundll32.exe
                                    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                                    9⤵
                                    PID:2176
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Fri08454bd6b0ba.exe
                4⤵
                PID:1660
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Fri0897ed3c617.exe
                4⤵
                • Loads dropped DLL
                PID:1616
                  • C:\Users\Admin\AppData\Local\Temp\7zS882E6116\Fri0897ed3c617.exe
                    Fri0897ed3c617.exe
                    5⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    PID:584
                      • C:\Users\Admin\AppData\Local\Temp\is-T1T6D.tmp\Fri0897ed3c617.tmp
                        "C:\Users\Admin\AppData\Local\Temp\is-T1T6D.tmp\Fri0897ed3c617.tmp" /SL5="$5014C,140047,56320,C:\Users\Admin\AppData\Local\Temp\7zS882E6116\Fri0897ed3c617.exe"
                        6⤵
                        • Executes dropped EXE
                        PID:1732
                          • C:\Users\Admin\AppData\Local\Temp\is-U9MFC.tmp\Tougay.exe
                            "C:\Users\Admin\AppData\Local\Temp\is-U9MFC.tmp\Tougay.exe" /S /UID=91
                            7⤵
                            • Drops file in Drivers directory
                            • Executes dropped EXE
                            • Adds Run key to start application
                            • Drops file in Program Files directory
                            PID:2400
                              • C:\Users\Admin\AppData\Local\Temp\53-59a15-c5c-c63bf-644fd271546b7\Nysypoxyno.exe
                                "C:\Users\Admin\AppData\Local\Temp\53-59a15-c5c-c63bf-644fd271546b7\Nysypoxyno.exe"
                                8⤵
                                • Executes dropped EXE
                                PID:2420
                              • C:\Users\Admin\AppData\Local\Temp\8a-16973-f2e-26f80-256a9ce7ca74a\Faejequsyga.exe
                                "C:\Users\Admin\AppData\Local\Temp\8a-16973-f2e-26f80-256a9ce7ca74a\Faejequsyga.exe"
                                8⤵
                                • Executes dropped EXE
                                PID:1904
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Fri0839f326271a.exe
                4⤵
                • Loads dropped DLL
                PID:1844
                  • C:\Users\Admin\AppData\Local\Temp\7zS882E6116\Fri0839f326271a.exe
                    Fri0839f326271a.exe
                    5⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious use of SetThreadContext
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1308
                      • C:\Users\Admin\AppData\Local\Temp\7zS882E6116\Fri0839f326271a.exe
                        C:\Users\Admin\AppData\Local\Temp\7zS882E6116\Fri0839f326271a.exe
                        6⤵
                        • Executes dropped EXE
                        PID:2644
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Fri087f6f5c3e2165b.exe
                4⤵
                • Loads dropped DLL
                PID:1740
                  • C:\Users\Admin\AppData\Local\Temp\7zS882E6116\Fri087f6f5c3e2165b.exe
                    Fri087f6f5c3e2165b.exe
                    5⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious use of SetThreadContext
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1424
                      • C:\Users\Admin\AppData\Local\Temp\7zS882E6116\Fri087f6f5c3e2165b.exe
                        C:\Users\Admin\AppData\Local\Temp\7zS882E6116\Fri087f6f5c3e2165b.exe
                        6⤵
                        • Executes dropped EXE
                        PID:2636
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Fri085b5476c14e3acf8.exe
                4⤵
                • Loads dropped DLL
                PID:1748
                  • C:\Users\Admin\AppData\Local\Temp\7zS882E6116\Fri085b5476c14e3acf8.exe
                    Fri085b5476c14e3acf8.exe
                    5⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Checks SCSI registry key(s)
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: MapViewOfSection
                    PID:1064
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Fri087f686be76.exe
                4⤵
                • Loads dropped DLL
                PID:1148
                  • C:\Users\Admin\AppData\Local\Temp\7zS882E6116\Fri087f686be76.exe
                    Fri087f686be76.exe
                    5⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Checks processor information in registry
                    PID:564
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c taskkill /im Fri087f686be76.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS882E6116\Fri087f686be76.exe" & del C:\ProgramData\*.dll & exit
                        6⤵
                        PID:2416
                          • C:\Windows\SysWOW64\taskkill.exe
                            taskkill /im Fri087f686be76.exe /f
                            7⤵
                            • Kills process with taskkill
                            PID:2152
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout /t 6
                            7⤵
                            • Delays execution with timeout.exe
                            PID:2164
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Fri0860e1a2193a0.exe
                4⤵
                • Loads dropped DLL
                PID:1724
                  • C:\Users\Admin\AppData\Local\Temp\7zS882E6116\Fri0860e1a2193a0.exe
                    Fri0860e1a2193a0.exe
                    5⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Modifies system certificate store
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1716
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd.exe /c taskkill /f /im chrome.exe
                        6⤵
                        PID:2228
                          • C:\Windows\SysWOW64\taskkill.exe
                            taskkill /f /im chrome.exe
                            7⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2280
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Fri085742187ff8.exe /mixtwo
                4⤵
                • Loads dropped DLL
                PID:1760
                  • C:\Users\Admin\AppData\Local\Temp\7zS882E6116\Fri085742187ff8.exe
                    Fri085742187ff8.exe /mixtwo
                    5⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious use of SetThreadContext
                    PID:940
                      • C:\Users\Admin\AppData\Local\Temp\7zS882E6116\Fri085742187ff8.exe
                        Fri085742187ff8.exe /mixtwo
                        6⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:836
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe" /c taskkill /im "Fri085742187ff8.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS882E6116\Fri085742187ff8.exe" & exit
                            7⤵
                            PID:2084
                              • C:\Windows\SysWOW64\taskkill.exe
                                taskkill /im "Fri085742187ff8.exe" /f
                                8⤵
                                • Kills process with taskkill
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2140
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Fri0894c3c79de49d.exe
                4⤵
                • Loads dropped DLL
                PID:1592
                  • C:\Users\Admin\AppData\Local\Temp\7zS882E6116\Fri0894c3c79de49d.exe
                    Fri0894c3c79de49d.exe
                    5⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    PID:1364
                      • C:\Windows\SysWOW64\msiexec.exe
                        "C:\Windows\System32\msiexec.exe" /y .\Zs7GMe.C
                        6⤵
                        PID:664
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Fri08b8354eae1672549.exe
                4⤵
                • Loads dropped DLL
                PID:460
                  • C:\Users\Admin\AppData\Local\Temp\7zS882E6116\Fri08b8354eae1672549.exe
                    Fri08b8354eae1672549.exe
                    5⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    PID:1944
                      • C:\Users\Admin\AppData\Local\Temp\is-RQ5VR.tmp\Fri08b8354eae1672549.tmp
                        "C:\Users\Admin\AppData\Local\Temp\is-RQ5VR.tmp\Fri08b8354eae1672549.tmp" /SL5="$60154,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS882E6116\Fri08b8354eae1672549.exe"
                        6⤵
                        • Executes dropped EXE
                        PID:1388
                          • C:\Users\Admin\AppData\Local\Temp\7zS882E6116\Fri08b8354eae1672549.exe
                            "C:\Users\Admin\AppData\Local\Temp\7zS882E6116\Fri08b8354eae1672549.exe" /SILENT
                            7⤵
                            • Executes dropped EXE
                            PID:1312
                              • C:\Users\Admin\AppData\Local\Temp\is-A37RB.tmp\Fri08b8354eae1672549.tmp
                                "C:\Users\Admin\AppData\Local\Temp\is-A37RB.tmp\Fri08b8354eae1672549.tmp" /SL5="$70154,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS882E6116\Fri08b8354eae1672549.exe" /SILENT
                                8⤵
                                • Executes dropped EXE
                                • Suspicious behavior: GetForegroundWindowSpam
                                PID:872
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Fri08ea3107dc.exe
                4⤵
                • Loads dropped DLL
                PID:336
                  • C:\Users\Admin\AppData\Local\Temp\7zS882E6116\Fri08ea3107dc.exe
                    Fri08ea3107dc.exe
                    5⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    PID:1788
                      • C:\Users\Admin\AppData\Local\Temp\7zS882E6116\Fri08ea3107dc.exe
                        "C:\Users\Admin\AppData\Local\Temp\7zS882E6116\Fri08ea3107dc.exe" -u
                        6⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:1832
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c Fri08a97091d3bdc702.exe
                4⤵
                • Loads dropped DLL
                PID:1196
                  • C:\Users\Admin\AppData\Local\Temp\7zS882E6116\Fri08a97091d3bdc702.exe
                    Fri08a97091d3bdc702.exe
                    5⤵
                    • Executes dropped EXE
                    • Checks computer location settings
                    • Loads dropped DLL
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1908
                      • C:\Users\Admin\Pictures\Adobe Films\vCJ8OEuyDqDCJKCbIL5szDFd.exe
                        "C:\Users\Admin\Pictures\Adobe Films\vCJ8OEuyDqDCJKCbIL5szDFd.exe"
                        6⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2876
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 1520
                        6⤵
                        • Program crash
                        PID:2464
  • C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    1⤵
    • Process spawned unexpected child process
    PID:2460
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
        2⤵
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2476

Network

MITRE ATT&CK Enterprise v6

Downloads


                                Filesize

                                1.5MB

                              • memory/1632-84-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                Filesize

                                572KB

                              • memory/1632-93-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                Filesize

                                152KB

                              • memory/1632-90-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                Filesize

                                1.5MB

                              • memory/1632-91-0x0000000064940000-0x0000000064959000-memory.dmp

                                Filesize

                                100KB

                              • memory/1660-206-0x00000000004F0000-0x00000000004F1000-memory.dmp

                                Filesize

                                4KB

                              • memory/1668-55-0x0000000076641000-0x0000000076643000-memory.dmp

                                Filesize

                                8KB

                              • memory/1712-237-0x0000000000B90000-0x0000000000B91000-memory.dmp

                                Filesize

                                4KB

                              • memory/1712-285-0x000000001ADB0000-0x000000001ADB2000-memory.dmp

                                Filesize

                                8KB

                              • memory/1732-222-0x0000000000280000-0x0000000000281000-memory.dmp

                                Filesize

                                4KB

                              • memory/1904-361-0x0000000000B00000-0x0000000000B02000-memory.dmp

                                Filesize

                                8KB

                              • memory/1908-262-0x00000000041A0000-0x00000000042EE000-memory.dmp

                                Filesize

                                1.3MB

                              • memory/1944-217-0x0000000000400000-0x00000000004CC000-memory.dmp

                                Filesize

                                816KB

                              • memory/2176-365-0x0000000000190000-0x0000000000191000-memory.dmp

                                Filesize

                                4KB

                              • memory/2176-366-0x000000002D980000-0x000000002DA35000-memory.dmp

                                Filesize

                                724KB

                              • memory/2400-266-0x00000000004F0000-0x00000000004F2000-memory.dmp

                                Filesize

                                8KB

                              • memory/2420-362-0x0000000000340000-0x0000000000342000-memory.dmp

                                Filesize

                                8KB

                              • memory/2444-354-0x000000001B100000-0x000000001B102000-memory.dmp

                                Filesize

                                8KB

                              • memory/2464-337-0x00000000025B0000-0x00000000025B1000-memory.dmp

                                Filesize

                                4KB

                              • memory/2476-258-0x0000000001DC0000-0x0000000001EC1000-memory.dmp

                                Filesize

                                1.0MB

                              • memory/2476-260-0x0000000000260000-0x00000000002BD000-memory.dmp

                                Filesize

                                372KB

                              • memory/2564-316-0x00000000004E0000-0x00000000004FB000-memory.dmp

                                Filesize

                                108KB

                              • memory/2564-317-0x0000000000500000-0x0000000000529000-memory.dmp

                                Filesize

                                164KB

                              • memory/2564-318-0x00000000030F0000-0x00000000031F5000-memory.dmp

                                Filesize

                                1.0MB

                              • memory/2564-265-0x0000000000450000-0x00000000004C2000-memory.dmp

                                Filesize

                                456KB

                              • memory/2636-286-0x0000000000A30000-0x0000000000A31000-memory.dmp

                                Filesize

                                4KB

                              • memory/2644-296-0x0000000004C00000-0x0000000004C01000-memory.dmp

                                Filesize

                                4KB

                              • memory/2696-331-0x0000000000550000-0x000000000071F000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/2784-320-0x00000000001B0000-0x00000000001F5000-memory.dmp

                                Filesize

                                276KB
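The dump names above follow one pattern, memory/PID-SEQ-0xSTART-0xEND-memory.dmp, and every Filesize shown is simply END minus START (for example 0x4CC000 - 0x400000 = 0xCC000 = 835584 bytes = 816KB). When triaging a run like this one the useful questions are which PIDs the regions belong to, which regions were dumped from more than one process (the same 816KB range at 0x400000 appears in PIDs 1312 and 1944), and which regions were captured repeatedly under different sequence numbers (PID 1632 dumps the same ranges several times). The script below is an added example written for this page, not the sandbox's own code: the file-name pattern is inferred from the entries listed here, the sample list is constructed from a few of those entries, and the 0x400000 flag is a general PE heuristic (the default ImageBase of a non-relocated executable), not a finding the report itself states.

```python
import re
from collections import defaultdict

# Constructed sample in the report's naming style: a handful of the entries
# listed on the page, typed in by hand rather than scraped from it.
SAMPLE_DUMPS = [
    "memory/1312-228-0x0000000000400000-0x00000000004CC000-memory.dmp",
    "memory/1944-217-0x0000000000400000-0x00000000004CC000-memory.dmp",
    "memory/1632-88-0x000000006FE40000-0x000000006FFC6000-memory.dmp",
    "memory/1632-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp",
    "memory/2476-258-0x0000000001DC0000-0x0000000001EC1000-memory.dmp",
    "memory/1668-55-0x0000000076641000-0x0000000076643000-memory.dmp",
]

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp (pattern inferred from the listing)
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

PAGE = 0x1000
DEFAULT_EXE_IMAGE_BASE = 0x400000  # default ImageBase of a non-relocated EXE (heuristic)


def human_size(nbytes):
    """Render a byte count the way the report does: whole KB below 1 MiB, else MB with one decimal."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def parse_dump_name(name):
    """Split one dump name into its fields and derive the region size from the address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    # Regions are whole pages; anything else means the name was mangled.
    if end <= start or start % PAGE or end % PAGE:
        raise ValueError(f"implausible region (empty or not page aligned): {name!r}")
    return {
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "start": start,
        "end": end,
        "size": end - start,
        "size_text": human_size(end - start),
        # Heuristic only: an image at 0x400000 is usually a dropped or manually
        # mapped executable rather than a system DLL.
        "at_default_exe_base": start == DEFAULT_EXE_IMAGE_BASE,
    }


def group_by_pid(names):
    """Map pid -> list of parsed regions, ordered by the sandbox's sequence number."""
    by_pid = defaultdict(list)
    for name in names:
        d = parse_dump_name(name)
        by_pid[d["pid"]].append(d)
    for regions in by_pid.values():
        regions.sort(key=lambda d: d["seq"])
    return dict(by_pid)


def shared_ranges(names):
    """Address ranges dumped from more than one process: the same code living in several PIDs."""
    seen = defaultdict(set)
    for name in names:
        d = parse_dump_name(name)
        seen[(d["start"], d["end"])].add(d["pid"])
    return {rng: pids for rng, pids in seen.items() if len(pids) > 1}


def repeated_captures(names):
    """(pid, start, end) tuples dumped more than once, i.e. one region captured under several seq numbers."""
    counts = defaultdict(int)
    for name in names:
        d = parse_dump_name(name)
        counts[(d["pid"], d["start"], d["end"])] += 1
    return {k: v for k, v in counts.items() if v > 1}


if __name__ == "__main__":
    for pid, regions in sorted(group_by_pid(SAMPLE_DUMPS).items()):
        for d in regions:
            flag = "  <- default EXE image base" if d["at_default_exe_base"] else ""
            print(f"pid {pid:>5} seq {d['seq']:>3} {d['start']:#010x}-{d['end']:#010x} "
                  f"{d['size_text']:>6}{flag}")
    for (start, end), pids in shared_ranges(SAMPLE_DUMPS).items():
        print(f"range {start:#x}-{end:#x} dumped from pids {sorted(pids)}")
    for (pid, start, end), n in repeated_captures(SAMPLE_DUMPS).items():
        print(f"pid {pid} region {start:#x}-{end:#x} captured {n} times")
```

Feed it the full list from the report (one name per line) and the shared-range output is the first place to look for the unpacked payload: a region of identical size and base in two unrelated PIDs is far more likely to be the dropped stealer than a coincidence of heap layout.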