Analysis

  • max time kernel
    87s
  • max time network
    175s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    20/12/2021, 14:05

General

  • Target

    ed7ae148af089dfbd4b129eccb1723117ad5d2cb6cbe94f20b61b18db699b138.exe

  • Size

    6.2MB

  • MD5

    c17d0b1a330fc02dc43b53e0f45eecf2

  • SHA1

    bf2f2b9f8f46adb0a3d222ef60d156c5848e94d8

  • SHA256

    ed7ae148af089dfbd4b129eccb1723117ad5d2cb6cbe94f20b61b18db699b138

  • SHA512

    6a067e05dd4afddb82544f392dc8a413db8a5d0e2dda8aa3bc4dca2ab792ede34ee4ca997a268553ff596bef3d9bd30340a7c659622cda01a110397ea7b3dc0d

Malware Config

Extracted

Family

socelars

C2

http://www.biohazardgraphics.com/

Extracted

Family

vidar

Version

49.1

Botnet

915

C2

https://noc.social/@sergeev46

https://c.im/@sergeev47

Attributes
  • profile_id

    915

Extracted

Family

smokeloader

Version

2020

C2

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

rc4.i32
rc4.i32

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. In this report the flagged pair is the 64-bit rundll32.exe (PID 3512) starting C:\Windows\SysWOW64\rundll32.exe with the same "sqlite.dll",global argument, which is consistent with rundll32 handing a 32-bit DLL to its 32-bit counterpart rather than with an exploit; the DLL being loaded from the user's Temp directory is the part worth following up.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 6 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 2 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 5 IoCs
  • Vidar Stealer 2 IoCs
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Downloads MZ/PE file
  • Executes dropped EXE 32 IoCs
  • Loads dropped DLL 13 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, autofill entries and session tokens.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Program crash 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Often flagged as ransomware behaviour, but no ransomware family is identified in this sample; drive enumeration is also common in stealers and in sandbox checks.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI identifiers are often read in order to detect virtualised sandbox environments, since the disk identifier string typically names the hypervisor vendor.

  • Kills process with taskkill 3 IoCs
  • Modifies registry class 9 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s BITS
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:3456
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k SystemNetworkService
      2⤵
        PID:2392
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s Browser
      1⤵
        PID:2680
      • C:\Users\Admin\AppData\Local\Temp\ed7ae148af089dfbd4b129eccb1723117ad5d2cb6cbe94f20b61b18db699b138.exe
        "C:\Users\Admin\AppData\Local\Temp\ed7ae148af089dfbd4b129eccb1723117ad5d2cb6cbe94f20b61b18db699b138.exe"
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:3860
        • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
          "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:816
          • C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\setup_install.exe
            "C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\setup_install.exe"
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:3284
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:608
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1212
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:1232
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3620
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c Fri0861175859c9666.exe
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:712
              • C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\Fri0861175859c9666.exe
                Fri0861175859c9666.exe
                5⤵
                • Executes dropped EXE
                PID:1940
                • C:\Users\Admin\AppData\Local\Temp\11111.exe
                  C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                  6⤵
                  • Executes dropped EXE
                  PID:224
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c Fri0871927e7e7933.exe
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:2620
              • C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\Fri0871927e7e7933.exe
                Fri0871927e7e7933.exe
                5⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:1928
                • C:\Users\Admin\AppData\Local\c37225cf-3207-46c6-b956-c41b7b27be2a.exe
                  "C:\Users\Admin\AppData\Local\c37225cf-3207-46c6-b956-c41b7b27be2a.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2296
                • C:\Users\Admin\AppData\Local\0a05ce45-48de-4bcd-aff8-3a157ed9465a.exe
                  "C:\Users\Admin\AppData\Local\0a05ce45-48de-4bcd-aff8-3a157ed9465a.exe"
                  6⤵
                  • Executes dropped EXE
                  • Adds Run key to start application
                  PID:2268
                  • C:\Users\Admin\AppData\Roaming\77689908\4180922341809223.exe
                    "C:\Users\Admin\AppData\Roaming\77689908\4180922341809223.exe"
                    7⤵
                    • Executes dropped EXE
                    PID:4392
                • C:\Users\Admin\AppData\Local\a31a95c3-d248-457d-b67f-2d7aa4403a97.exe
                  "C:\Users\Admin\AppData\Local\a31a95c3-d248-457d-b67f-2d7aa4403a97.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1904
                • C:\Users\Admin\AppData\Local\67ae17ec-d63a-4c57-b299-f7c0c8a9b845.exe
                  "C:\Users\Admin\AppData\Local\67ae17ec-d63a-4c57-b299-f7c0c8a9b845.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • Suspicious behavior: EnumeratesProcesses
                  PID:676
                • C:\Users\Admin\AppData\Local\761b2c41-c899-42be-8539-d3471017e89a.exe
                  "C:\Users\Admin\AppData\Local\761b2c41-c899-42be-8539-d3471017e89a.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:680
                  • C:\Users\Admin\AppData\Roaming\1681562.exe
                    "C:\Users\Admin\AppData\Roaming\1681562.exe"
                    7⤵
                    • Executes dropped EXE
                    • Modifies registry class
                    PID:4948
                    • C:\Windows\SysWOW64\control.exe
                      "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                      8⤵
                        PID:3180
                        • C:\Windows\SysWOW64\rundll32.exe
                          "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                          9⤵
                            PID:816
                            • C:\Windows\system32\RunDll32.exe
                              C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                              10⤵
                                PID:2252
                                • C:\Windows\SysWOW64\rundll32.exe
                                  "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                                  11⤵
                                    PID:6708
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c Fri0897ed3c617.exe
                      4⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1412
                      • C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\Fri0897ed3c617.exe
                        Fri0897ed3c617.exe
                        5⤵
                        • Executes dropped EXE
                        PID:2884
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c Fri085b5476c14e3acf8.exe
                      4⤵
                        PID:764
                        • C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\Fri085b5476c14e3acf8.exe
                          Fri085b5476c14e3acf8.exe
                          5⤵
                          • Executes dropped EXE
                          • Checks SCSI registry key(s)
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious behavior: MapViewOfSection
                          PID:3044
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c Fri087f6f5c3e2165b.exe
                        4⤵
                        • Suspicious use of WriteProcessMemory
                        PID:1276
                        • C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\Fri087f6f5c3e2165b.exe
                          Fri087f6f5c3e2165b.exe
                          5⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1956
                          • C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\Fri087f6f5c3e2165b.exe
                            C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\Fri087f6f5c3e2165b.exe
                            6⤵
                            • Executes dropped EXE
                            PID:4540
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c Fri0839f326271a.exe
                        4⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2400
                        • C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\Fri0839f326271a.exe
                          Fri0839f326271a.exe
                          5⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3904
                          • C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\Fri0839f326271a.exe
                            C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\Fri0839f326271a.exe
                            6⤵
                            • Executes dropped EXE
                            PID:4524
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c Fri08454bd6b0ba.exe
                        4⤵
                        • Suspicious use of SetWindowsHookEx
                        PID:1308
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c Fri087f686be76.exe
                        4⤵
                        • Suspicious use of WriteProcessMemory
                        PID:2988
                        • C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\Fri087f686be76.exe
                          Fri087f686be76.exe
                          5⤵
                          • Executes dropped EXE
                          PID:3132
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe" /c taskkill /im Fri087f686be76.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\Fri087f686be76.exe" & del C:\ProgramData\*.dll & exit
                            6⤵
                              PID:384
                              • C:\Windows\SysWOW64\taskkill.exe
                                taskkill /im Fri087f686be76.exe /f
                                7⤵
                                • Kills process with taskkill
                                PID:3008
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c Fri0860e1a2193a0.exe
                          4⤵
                            PID:2304
                            • C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\Fri0860e1a2193a0.exe
                              Fri0860e1a2193a0.exe
                              5⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3188
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd.exe /c taskkill /f /im chrome.exe
                                6⤵
                                  PID:2416
                                  • C:\Windows\SysWOW64\taskkill.exe
                                    taskkill /f /im chrome.exe
                                    7⤵
                                    • Kills process with taskkill
                                    PID:5048
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c Fri0894c3c79de49d.exe
                              4⤵
                                PID:1944
                                • C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\Fri0894c3c79de49d.exe
                                  Fri0894c3c79de49d.exe
                                  5⤵
                                  • Executes dropped EXE
                                  PID:2216
                                  • C:\Windows\SysWOW64\msiexec.exe
                                    "C:\Windows\System32\msiexec.exe" /y .\Zs7GMe.C
                                    6⤵
                                    • Loads dropped DLL
                                    PID:4608
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c Fri08b8354eae1672549.exe
                                4⤵
                                  PID:3536
                                  • C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\Fri08b8354eae1672549.exe
                                    Fri08b8354eae1672549.exe
                                    5⤵
                                    • Executes dropped EXE
                                    PID:2200
                                    • C:\Users\Admin\AppData\Local\Temp\is-EUVR4.tmp\Fri08b8354eae1672549.tmp
                                      "C:\Users\Admin\AppData\Local\Temp\is-EUVR4.tmp\Fri08b8354eae1672549.tmp" /SL5="$201A0,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\Fri08b8354eae1672549.exe"
                                      6⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      PID:2728
                                      • C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\Fri08b8354eae1672549.exe
                                        "C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\Fri08b8354eae1672549.exe" /SILENT
                                        7⤵
                                        • Executes dropped EXE
                                        PID:2580
                                        • C:\Users\Admin\AppData\Local\Temp\is-G9007.tmp\Fri08b8354eae1672549.tmp
                                          "C:\Users\Admin\AppData\Local\Temp\is-G9007.tmp\Fri08b8354eae1672549.tmp" /SL5="$10220,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\Fri08b8354eae1672549.exe" /SILENT
                                          8⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          PID:216
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c Fri08a97091d3bdc702.exe
                                  4⤵
                                    PID:1936
                                    • C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\Fri08a97091d3bdc702.exe
                                      Fri08a97091d3bdc702.exe
                                      5⤵
                                      • Executes dropped EXE
                                      PID:3996
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c Fri08ea3107dc.exe
                                    4⤵
                                      PID:1464
                                      • C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\Fri08ea3107dc.exe
                                        Fri08ea3107dc.exe
                                        5⤵
                                        • Executes dropped EXE
                                        PID:3164
                                        • C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\Fri08ea3107dc.exe
                                          "C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\Fri08ea3107dc.exe" -u
                                          6⤵
                                          • Executes dropped EXE
                                          PID:1812
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c Fri085742187ff8.exe /mixtwo
                                      4⤵
                                        PID:1904
                                • C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\Fri085742187ff8.exe
                                  Fri085742187ff8.exe /mixtwo
                                  1⤵
                                  • Executes dropped EXE
                                  PID:940
                                  • C:\Windows\SysWOW64\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /c taskkill /im "Fri085742187ff8.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\Fri085742187ff8.exe" & exit
                                    2⤵
                                      PID:4224
                                      • C:\Windows\SysWOW64\taskkill.exe
                                        taskkill /im "Fri085742187ff8.exe" /f
                                        3⤵
                                        • Kills process with taskkill
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4700
                                  • C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\Fri085742187ff8.exe
                                    Fri085742187ff8.exe /mixtwo
                                    1⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetThreadContext
                                    PID:2224
                                  • C:\Users\Admin\AppData\Local\Temp\is-T830G.tmp\Fri0897ed3c617.tmp
                                    "C:\Users\Admin\AppData\Local\Temp\is-T830G.tmp\Fri0897ed3c617.tmp" /SL5="$20086,140047,56320,C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\Fri0897ed3c617.exe"
                                    1⤵
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    PID:1512
                                    • C:\Users\Admin\AppData\Local\Temp\is-URRHO.tmp\Tougay.exe
                                      "C:\Users\Admin\AppData\Local\Temp\is-URRHO.tmp\Tougay.exe" /S /UID=91
                                      2⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:1260
                                      • C:\Users\Admin\AppData\Local\Temp\b6-6d27d-4a7-6369f-8fb34c5d2e2de\Nodisulixae.exe
                                        "C:\Users\Admin\AppData\Local\Temp\b6-6d27d-4a7-6369f-8fb34c5d2e2de\Nodisulixae.exe"
                                        3⤵
                                          PID:4588
                                        • C:\Users\Admin\AppData\Local\Temp\24-baab7-a01-b9b89-5eec860a9b56b\Paeshufishybu.exe
                                          "C:\Users\Admin\AppData\Local\Temp\24-baab7-a01-b9b89-5eec860a9b56b\Paeshufishybu.exe"
                                          3⤵
                                            PID:3200
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ysoo3c1t.lqp\installer.exe /qn CAMPAIGN="654" & exit
                                              4⤵
                                                PID:3680
                                                • C:\Users\Admin\AppData\Local\Temp\ysoo3c1t.lqp\installer.exe
                                                  C:\Users\Admin\AppData\Local\Temp\ysoo3c1t.lqp\installer.exe /qn CAMPAIGN="654"
                                                  5⤵
                                                    PID:6504
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pjywt0y1.3xt\any.exe & exit
                                                  4⤵
                                                    PID:6148
                                                    • C:\Users\Admin\AppData\Local\Temp\pjywt0y1.3xt\any.exe
                                                      C:\Users\Admin\AppData\Local\Temp\pjywt0y1.3xt\any.exe
                                                      5⤵
                                                        PID:6520
                                                        • C:\Users\Admin\AppData\Local\Temp\pjywt0y1.3xt\any.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\pjywt0y1.3xt\any.exe" -u
                                                          6⤵
                                                            PID:6848
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3tjbhhye.3f0\autosubplayer.exe /S & exit
                                                        4⤵
                                                          PID:6276
                                                  • C:\Windows\system32\rundll32.exe
                                                    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                    1⤵
                                                    • Process spawned unexpected child process
                                                    PID:3512
                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                      2⤵
                                                      • Loads dropped DLL
                                                      • Modifies registry class
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2200
                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                    1⤵
                                                      PID:6636
                                                      • C:\Windows\system32\WerFault.exe
                                                        C:\Windows\system32\WerFault.exe -u -p 6636 -s 1056
                                                        2⤵
                                                        • Program crash
                                                        PID:6152
                                                    • C:\Windows\system32\browser_broker.exe
                                                      C:\Windows\system32\browser_broker.exe -Embedding
                                                      1⤵
                                                        PID:6692
                                                      • C:\Windows\system32\msiexec.exe
                                                        C:\Windows\system32\msiexec.exe /V
                                                        1⤵
                                                          PID:6300
                                                          • C:\Windows\syswow64\MsiExec.exe
                                                            C:\Windows\syswow64\MsiExec.exe -Embedding FEC82E4C0F14970C81DC7CBEB80B6B7D C
                                                            2⤵
                                                              PID:3352
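Detection-side follow-up, as an added example that is not part of this report or of any of the malware families it names: a small set of command-line triage rules run over the process tree above. The command lines are copied from the tree (plus one benign svchost line as a control); the rule names, the ATT&CK technique mapping, the (pid, command line) event format and the regular expressions are this example's own assumptions and would need tuning before use against real telemetry.

```python
# Added example, not part of the sandbox report: command-line triage rules
# run over the process tree above. Command lines are copied from the report;
# rule names, technique mapping and the event format are assumptions.
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str  # ATT&CK technique id (assumed mapping)
    pid: int
    cmdline: str


# Constructed sample input: (pid, command line) pairs taken from the tree above,
# plus one benign svchost line (PID 2392) that no rule should hit.
SAMPLE_EVENTS = [
    (1212, r"powershell -inputformat none -outputformat none -NonInteractive -Command "
           r"Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable"),
    (3620, r"powershell -inputformat none -outputformat none -NonInteractive -Command "
           r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"'),
    (224, r'C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt'),
    (3180, r'"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",'),
    (816, r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",'),
    (4608, r'"C:\Windows\System32\msiexec.exe" /y .\Zs7GMe.C'),
    (5048, r"taskkill /f /im chrome.exe"),
    (2200, r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global'),
    (384, r'"C:\Windows\System32\cmd.exe" /c taskkill /im Fri087f686be76.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS033F0C06\Fri087f686be76.exe" & del C:\ProgramData\*.dll & exit'),
    (2392, r"C:\Windows\system32\svchost.exe -k SystemNetworkService"),
]

# (rule name, ATT&CK id, pattern). Case-insensitive because the sample mixes
# case freely (e.g. "5wSR6.cPL").
RULES = [
    ("defender_realtime_disabled", "T1562.001",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("defender_telemetry_disabled", "T1562.001",
     re.compile(r"-MAPSReporting\s+Disable\b|-SubmitSamplesConsent\s+NeverSend\b", re.I)),
    ("defender_exclusion_added", "T1562.001",
     re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)),
    # NirSoft-style cookie export switches seen on the 11111.exe line.
    ("nirsoft_cookie_dump", "T1555.003",
     re.compile(r"/CookiesFile\b.*/scookiestxt\b", re.I)),
    # Killing the browser releases its locked SQLite databases.
    ("browser_killed", "T1555.003",
     re.compile(r"taskkill\b.*/im\s+(chrome|msedge|firefox|opera)\.exe", re.I)),
    # control.exe / Control_RunDLL loading a .cpl from a user-writable path.
    ("cpl_proxy_execution", "T1218.002",
     re.compile(r"(control\.exe|Control_RunDLL).*\\Users\\.*\.cpl\b", re.I)),
    # msiexec /y registers a DLL (calls DllRegisterServer); /z unregisters.
    ("msiexec_dll_register", "T1218.007",
     re.compile(r"msiexec\.exe\"?\s+/[yz]\s+", re.I)),
    ("rundll32_dll_from_userdir", "T1218.011",
     re.compile(r"rundll32(\.exe)?\s+\"?[A-Z]:\\Users\\[^\"]*\.dll\"?,", re.I)),
    # taskkill chained with del/erase in one cmd line: self-deletion.
    ("self_delete_via_cmd", "T1070.004",
     re.compile(r"taskkill\b.*&.*\b(del|erase)\b", re.I)),
]


def triage(events):
    """Run every rule over every command line; one Finding per (rule, event) hit."""
    findings = []
    for pid, cmdline in events:
        for name, technique, pattern in RULES:
            if pattern.search(cmdline):
                findings.append(Finding(name, technique, pid, cmdline))
    return findings


def summarize(findings):
    """Hit count per rule, for a quick read of which behaviours the sample showed."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.technique:10} {f.rule:28} pid={f.pid:<5} {f.cmdline[:70]}")
    print(summarize(triage(SAMPLE_EVENTS)))
```

Run against the ten sample lines the rules produce ten findings: the PID 1212 PowerShell line hits both Defender rules, the .cpl chain is caught twice (control.exe and the rundll32 Control_RunDLL child), and the svchost control line produces nothing. Each rule is anchored on the behaviour rather than on the sample's file names, so the same set would fire on the next build of the same dropper.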

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/216-312-0x00000000006E0000-0x00000000006E1000-memory.dmp (4KB)
  • memory/224-266-0x0000000000400000-0x0000000000455000-memory.dmp (340KB)
  • memory/372-438-0x000001C8DA060000-0x000001C8DA0D2000-memory.dmp (456KB)
  • memory/676-313-0x0000000076350000-0x0000000076512000-memory.dmp (1.8MB)
  • memory/676-355-0x0000000002D10000-0x0000000002D11000-memory.dmp (4KB)
  • memory/676-306-0x0000000001200000-0x00000000013CF000-memory.dmp (1.8MB)
  • memory/676-298-0x0000000001200000-0x00000000013CF000-memory.dmp (1.8MB)
  • memory/676-305-0x0000000001190000-0x00000000011D5000-memory.dmp (276KB)
  • memory/676-302-0x0000000000BF0000-0x0000000000BF1000-memory.dmp (4KB)
  • memory/680-315-0x00000000027F0000-0x00000000027F1000-memory.dmp (4KB)
  • memory/680-297-0x00000000005B0000-0x00000000005B1000-memory.dmp (4KB)
  • memory/680-338-0x0000000004F30000-0x0000000004F31000-memory.dmp (4KB)
  • memory/680-311-0x00000000027E0000-0x00000000027E1000-memory.dmp (4KB)
  • memory/680-314-0x0000000000E00000-0x0000000000E29000-memory.dmp (164KB)
  • memory/940-225-0x0000000000400000-0x0000000000450000-memory.dmp (320KB)
  • memory/940-199-0x0000000000400000-0x0000000000450000-memory.dmp (320KB)
  • memory/1048-454-0x0000020042860000-0x00000200428D2000-memory.dmp (456KB)
  • memory/1112-453-0x0000023820970000-0x00000238209E2000-memory.dmp

                                                                  Filesize

                                                                  456KB

                                                                • memory/1212-224-0x00000000045B0000-0x00000000045B1000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/1212-257-0x0000000004680000-0x0000000004681000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/1212-279-0x0000000004682000-0x0000000004683000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/1212-221-0x00000000045B0000-0x00000000045B1000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/1212-491-0x000000007E9D0000-0x000000007E9D1000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/1212-525-0x0000000004683000-0x0000000004684000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/1236-475-0x000001877AB60000-0x000001877ABD2000-memory.dmp

                                                                  Filesize

                                                                  456KB

                                                                • memory/1260-301-0x0000000002F60000-0x0000000002F62000-memory.dmp

                                                                  Filesize

                                                                  8KB

                                                                • memory/1292-478-0x0000023256B70000-0x0000023256BE2000-memory.dmp

                                                                  Filesize

                                                                  456KB

                                                                • memory/1428-464-0x0000024C0E800000-0x0000024C0E872000-memory.dmp

                                                                  Filesize

                                                                  456KB

                                                                • memory/1512-234-0x0000000000590000-0x0000000000591000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/1860-465-0x00000161A4760000-0x00000161A47D2000-memory.dmp

                                                                  Filesize

                                                                  456KB

                                                                • memory/1904-280-0x0000000000F00000-0x00000000010CF000-memory.dmp

                                                                  Filesize

                                                                  1.8MB

                                                                • memory/1904-275-0x0000000000CC0000-0x0000000000D05000-memory.dmp

                                                                  Filesize

                                                                  276KB

                                                                • memory/1904-310-0x0000000073DD0000-0x0000000073E50000-memory.dmp

                                                                  Filesize

                                                                  512KB

                                                                • memory/1904-353-0x0000000004F40000-0x0000000004F41000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/1904-299-0x0000000077190000-0x0000000077281000-memory.dmp

                                                                  Filesize

                                                                  964KB

                                                                • memory/1904-285-0x0000000000F00000-0x00000000010CF000-memory.dmp

                                                                  Filesize

                                                                  1.8MB

                                                                • memory/1904-290-0x0000000000120000-0x0000000000121000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/1904-303-0x0000000000F00000-0x0000000000F01000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/1904-294-0x0000000076350000-0x0000000076512000-memory.dmp

                                                                  Filesize

                                                                  1.8MB

                                                                • memory/1928-206-0x00000000009F0000-0x00000000009F2000-memory.dmp

                                                                  Filesize

                                                                  8KB

                                                                • memory/1928-190-0x0000000000D00000-0x0000000000D01000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/1928-184-0x00000000008A0000-0x00000000008A1000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/1956-282-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/1956-232-0x0000000000B50000-0x0000000000B51000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/1956-271-0x0000000005470000-0x0000000005471000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/2200-406-0x0000000004A70000-0x0000000004ACD000-memory.dmp

                                                                  Filesize

                                                                  372KB

                                                                • memory/2200-226-0x0000000000400000-0x00000000004CC000-memory.dmp

                                                                  Filesize

                                                                  816KB

                                                                • memory/2200-405-0x0000000004C97000-0x0000000004D98000-memory.dmp

                                                                  Filesize

                                                                  1.0MB

                                                                • memory/2216-216-0x0000000000660000-0x0000000000661000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/2216-218-0x0000000000660000-0x0000000000661000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/2268-256-0x00000000000F0000-0x00000000000F1000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/2268-291-0x0000000000810000-0x0000000000822000-memory.dmp

                                                                  Filesize

                                                                  72KB

                                                                • memory/2268-304-0x0000000000830000-0x0000000000831000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/2268-270-0x0000000000800000-0x0000000000801000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/2296-251-0x0000000000300000-0x0000000000301000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/2296-286-0x00000000025A0000-0x0000000002600000-memory.dmp

                                                                  Filesize

                                                                  384KB

                                                                • memory/2296-308-0x0000000002650000-0x0000000002651000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/2296-296-0x0000000000B40000-0x0000000000B41000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/2296-264-0x0000000000C00000-0x0000000000C01000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/2392-436-0x000001DB4D870000-0x000001DB4D8E2000-memory.dmp

                                                                  Filesize

                                                                  456KB

                                                                • memory/2528-451-0x000001AD1A0A0000-0x000001AD1A112000-memory.dmp

                                                                  Filesize

                                                                  456KB

                                                                • memory/2568-439-0x0000024E2C300000-0x0000024E2C372000-memory.dmp

                                                                  Filesize

                                                                  456KB

                                                                • memory/2580-259-0x0000000000400000-0x00000000004CC000-memory.dmp

                                                                  Filesize

                                                                  816KB

                                                                • memory/2680-433-0x0000018081010000-0x0000018081082000-memory.dmp

                                                                  Filesize

                                                                  456KB

                                                                • memory/2728-236-0x0000000000A00000-0x0000000000A01000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/2780-476-0x0000018959340000-0x00000189593B2000-memory.dmp

                                                                  Filesize

                                                                  456KB

                                                                • memory/2800-488-0x0000028F47CD0000-0x0000028F47D42000-memory.dmp

                                                                  Filesize

                                                                  456KB

                                                                • memory/2884-205-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                  Filesize

                                                                  80KB

                                                                • memory/2928-384-0x0000000000670000-0x0000000000686000-memory.dmp

                                                                  Filesize

                                                                  88KB

                                                                • memory/3044-330-0x0000000000400000-0x0000000000818000-memory.dmp

                                                                  Filesize

                                                                  4.1MB

                                                                • memory/3044-321-0x0000000000860000-0x0000000000868000-memory.dmp

                                                                  Filesize

                                                                  32KB

                                                                • memory/3044-323-0x0000000000870000-0x0000000000879000-memory.dmp

                                                                  Filesize

                                                                  36KB

                                                                • memory/3132-325-0x0000000000400000-0x000000000088C000-memory.dmp

                                                                  Filesize

                                                                  4.5MB

                                                                • memory/3132-328-0x0000000000E70000-0x0000000000F49000-memory.dmp

                                                                  Filesize

                                                                  868KB

                                                                • memory/3132-326-0x0000000000910000-0x0000000000A5A000-memory.dmp

                                                                  Filesize

                                                                  1.3MB

                                                                • memory/3200-546-0x0000000002F74000-0x0000000002F75000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/3200-523-0x0000000002F70000-0x0000000002F72000-memory.dmp

                                                                  Filesize

                                                                  8KB

                                                                • memory/3200-614-0x0000000002F75000-0x0000000002F76000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/3200-542-0x0000000002F72000-0x0000000002F74000-memory.dmp

                                                                  Filesize

                                                                  8KB

                                                                • memory/3284-147-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                  Filesize

                                                                  100KB

                                                                • memory/3284-146-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                  Filesize

                                                                  100KB

                                                                • memory/3284-149-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                  Filesize

                                                                  100KB

                                                                • memory/3284-148-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                  Filesize

                                                                  100KB

                                                                • memory/3284-136-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                  Filesize

                                                                  572KB

                                                                • memory/3284-137-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                  Filesize

                                                                  572KB

                                                                • memory/3284-143-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                  Filesize

                                                                  152KB

                                                                • memory/3284-142-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                  Filesize

                                                                  1.5MB

                                                                • memory/3284-141-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                  Filesize

                                                                  1.5MB

                                                                • memory/3284-139-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                  Filesize

                                                                  1.5MB

                                                                • memory/3284-140-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                  Filesize

                                                                  1.5MB

                                                                • memory/3284-138-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                  Filesize

                                                                  572KB

                                                                • memory/3456-413-0x0000025B49780000-0x0000025B497CD000-memory.dmp

                                                                  Filesize

                                                                  308KB

                                                                • memory/3456-417-0x0000025B49B00000-0x0000025B49B72000-memory.dmp

                                                                  Filesize

                                                                  456KB

                                                                • memory/3620-220-0x0000000004890000-0x0000000004891000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/3620-524-0x0000000006B13000-0x0000000006B14000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/3620-223-0x0000000004890000-0x0000000004891000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/3620-247-0x0000000006A10000-0x0000000006A11000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/3620-494-0x000000007F1C0000-0x000000007F1C1000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/3620-252-0x0000000007150000-0x0000000007151000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/3620-309-0x0000000007110000-0x0000000007111000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/3620-255-0x0000000006B10000-0x0000000006B11000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/3620-277-0x0000000006B12000-0x0000000006B13000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/3904-267-0x00000000031F0000-0x00000000031F1000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/3904-233-0x0000000000E70000-0x0000000000E71000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/3904-262-0x00000000057E0000-0x00000000057E1000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/3904-292-0x0000000003270000-0x0000000003271000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/3904-272-0x00000000056F0000-0x00000000056F1000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                • memory/4392-365-0x0000000001390000-0x0000000001392000-memory.dmp

                                                                  Filesize

                                                                  8KB

                                                                • memory/4524-400-0x0000000005780000-0x0000000005D86000-memory.dmp

                                                                  Filesize

                                                                  6.0MB

                                                                • memory/4540-401-0x0000000004CA0000-0x00000000052A6000-memory.dmp

                                                                  Filesize

                                                                  6.0MB

                                                                • memory/4588-522-0x0000000002250000-0x0000000002252000-memory.dmp

                                                                  Filesize

                                                                  8KB

                                                                • memory/4608-416-0x0000000003150000-0x0000000003151000-memory.dmp

                                                                  Filesize

                                                                  4KB