Analysis

  • max time kernel
    19s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    20/12/2021, 15:01

General

  • Target

    b5e07ffa7b0fd520f763a7580528c84f.exe

  • Size

    6.8MB

  • MD5

    b5e07ffa7b0fd520f763a7580528c84f

  • SHA1

    cb255fabb58ccb3d0a3354241f1300b85d5ab7a7

  • SHA256

    98b744289399d40bee96ceada3e8a187627ca9d09e4815078b83762ae78cedfb

  • SHA512

    8276c31784a04b291f96d220440721f32503fb60f757fa6bc2cd02441a6952961689e676664d46dae080c5152640304df73400f809a95216d4c48121540fcf15

Malware Config

Extracted

  • Family
    socelars
  • C2
    http://www.biohazardgraphics.com/

Extracted

  • Family
    redline
  • Botnet
    media18n
  • C2
    65.108.69.168:13293

Extracted

  • Family
    redline
  • Botnet
    v3user1
  • C2
    159.69.246.184:13127

Extracted

  • Family
    vidar
  • Version
    49.1
  • Botnet
    915
  • C2
    https://noc.social/@sergeev46
    https://c.im/@sergeev47
  • Attributes
    • profile_id
      915

Extracted

  • Family
    smokeloader
  • Version
    2020
  • C2
    http://rcacademy.at/upload/
    http://e-lanpengeonline.com/upload/
    http://vjcmvz.cn/upload/
    http://galala.ru/upload/
    http://witra.ru/upload/
  • rc4.i32
  • rc4.i32

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 4 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 2 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 5 IoCs
  • Vidar Stealer 2 IoCs
  • ASPack v2.12-2.42 7 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Downloads MZ/PE file
  • Executes dropped EXE 23 IoCs
  • Loads dropped DLL 10 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 39 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b5e07ffa7b0fd520f763a7580528c84f.exe
    "C:\Users\Admin\AppData\Local\Temp\b5e07ffa7b0fd520f763a7580528c84f.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2560
      • C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2136
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1260
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:620
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1132
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1096
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Fri16001824e7621ef.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2196
          • C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri16001824e7621ef.exe
            Fri16001824e7621ef.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:3788
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /c taskkill /f /im chrome.exe
              6⤵
              PID:4700
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im chrome.exe
                7⤵
                • Kills process with taskkill
                PID:4064
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Fri166bb32b321cb.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2272
          • C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri166bb32b321cb.exe
            Fri166bb32b321cb.exe
            5⤵
            • Executes dropped EXE
            PID:1136
            • C:\Users\Admin\AppData\Local\62e36a9b-acf6-4058-bd13-d2926231bc6e.exe
              "C:\Users\Admin\AppData\Local\62e36a9b-acf6-4058-bd13-d2926231bc6e.exe"
              6⤵
              PID:1196
            • C:\Users\Admin\AppData\Local\91f4f328-b5b5-4365-ac77-2c8184d6eeb5.exe
              "C:\Users\Admin\AppData\Local\91f4f328-b5b5-4365-ac77-2c8184d6eeb5.exe"
              6⤵
              PID:3144
              • C:\Users\Admin\AppData\Roaming\6379627\7049811770498117.exe
                "C:\Users\Admin\AppData\Roaming\6379627\7049811770498117.exe"
                7⤵
                PID:4268
            • C:\Users\Admin\AppData\Local\8f1e24f8-295e-45d5-ac74-e5fa8d421bad.exe
              "C:\Users\Admin\AppData\Local\8f1e24f8-295e-45d5-ac74-e5fa8d421bad.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:1384
            • C:\Users\Admin\AppData\Local\4dd24cf7-5bfd-4fb8-af89-78c77ac7e977.exe
              "C:\Users\Admin\AppData\Local\4dd24cf7-5bfd-4fb8-af89-78c77ac7e977.exe"
              6⤵
              PID:2108
            • C:\Users\Admin\AppData\Local\020b5b40-5a0c-48fd-87a5-8b8405f933fd.exe
              "C:\Users\Admin\AppData\Local\020b5b40-5a0c-48fd-87a5-8b8405f933fd.exe"
              6⤵
              PID:1616
              • C:\Users\Admin\AppData\Roaming\7623806.exe
                "C:\Users\Admin\AppData\Roaming\7623806.exe"
                7⤵
                PID:4824
                • C:\Windows\SysWOW64\control.exe
                  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                  8⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1136
                  • C:\Windows\SysWOW64\rundll32.exe
                    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                    9⤵
                    PID:2416
                    • C:\Windows\system32\RunDll32.exe
                      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                      10⤵
                      PID:1940
                      • C:\Windows\SysWOW64\rundll32.exe
                        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                        11⤵
                        PID:3908
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Fri160a13ed0cc30f79.exe /mixtwo
          4⤵
          PID:3488
          • C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri160a13ed0cc30f79.exe
            Fri160a13ed0cc30f79.exe /mixtwo
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            PID:1284
            • C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri160a13ed0cc30f79.exe
              Fri160a13ed0cc30f79.exe /mixtwo
              6⤵
              • Executes dropped EXE
              PID:2040
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c taskkill /im "Fri160a13ed0cc30f79.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri160a13ed0cc30f79.exe" & exit
                7⤵
                PID:2856
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /im "Fri160a13ed0cc30f79.exe" /f
                  8⤵
                  • Kills process with taskkill
                  PID:4664
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Fri16fd01fcb8a6c.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2744
          • C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri16fd01fcb8a6c.exe
            Fri16fd01fcb8a6c.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2144
            • C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri16fd01fcb8a6c.exe
              C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri16fd01fcb8a6c.exe
              6⤵
              PID:2868
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Fri16885ed77f383b.exe
          4⤵
          PID:3044
          • C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri16885ed77f383b.exe
            Fri16885ed77f383b.exe
            5⤵
            • Executes dropped EXE
            PID:1888
            • C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri16885ed77f383b.exe
              "C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri16885ed77f383b.exe" -u
              6⤵
              • Executes dropped EXE
              PID:2672
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Fri1691e33fa9b0c.exe
          4⤵
          PID:1620
          • C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri1691e33fa9b0c.exe
            Fri1691e33fa9b0c.exe
            5⤵
            • Executes dropped EXE
            PID:1624
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c taskkill /im Fri1691e33fa9b0c.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri1691e33fa9b0c.exe" & del C:\ProgramData\*.dll & exit
              6⤵
              PID:828
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /im Fri1691e33fa9b0c.exe /f
                7⤵
                • Kills process with taskkill
                PID:3860
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Fri164a0149aa.exe
          4⤵
          PID:372
          • C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri164a0149aa.exe
            Fri164a0149aa.exe
            5⤵
            • Executes dropped EXE
            PID:1528
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Fri16a36a6a837.exe
          4⤵
          PID:2552
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Fri16794d8e6c1f8.exe
          4⤵
          PID:3168
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Fri161c534d708b.exe
          4⤵
          PID:3776
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Fri16bd645415835b795.exe
          4⤵
          PID:3884
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Fri164c727b138e8e5.exe
          4⤵
          PID:1752
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Fri167e14a5b3d5dc.exe
          4⤵
          PID:1652
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Fri165bcbc7f8b.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3916
  • C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri164c727b138e8e5.exe
    Fri164c727b138e8e5.exe
    1⤵
    PID:1384
    • C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri164c727b138e8e5.exe
      C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri164c727b138e8e5.exe
      2⤵
      PID:1568
  • C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri16794d8e6c1f8.exe
    Fri16794d8e6c1f8.exe
    1⤵
    • Executes dropped EXE
    PID:2192
    • C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\UMtQ.cpL",
      2⤵
      PID:1328
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\UMtQ.cpL",
        3⤵
        PID:3904
  • C:\Users\Admin\AppData\Local\Temp\is-TH3ST.tmp\Fri16a36a6a837.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-TH3ST.tmp\Fri16a36a6a837.tmp" /SL5="$30086,140047,56320,C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri16a36a6a837.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:968
    • C:\Users\Admin\AppData\Local\Temp\is-98JG6.tmp\Tougay.exe
      "C:\Users\Admin\AppData\Local\Temp\is-98JG6.tmp\Tougay.exe" /S /UID=91
      2⤵
      • Executes dropped EXE
      PID:1360
      • C:\Users\Admin\AppData\Local\Temp\4a-4013c-7a1-6e1b5-a01e781eb2c69\Fujimarasi.exe
        "C:\Users\Admin\AppData\Local\Temp\4a-4013c-7a1-6e1b5-a01e781eb2c69\Fujimarasi.exe"
        3⤵
        PID:4900
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cqwkmssl.pkh\installer.exe /qn CAMPAIGN="654" & exit
          4⤵
          PID:772
          • C:\Users\Admin\AppData\Local\Temp\cqwkmssl.pkh\installer.exe
            C:\Users\Admin\AppData\Local\Temp\cqwkmssl.pkh\installer.exe /qn CAMPAIGN="654"
            5⤵
            PID:5188
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1oxtpxpw.tv0\any.exe & exit
          4⤵
          PID:4220
          • C:\Users\Admin\AppData\Local\Temp\1oxtpxpw.tv0\any.exe
            C:\Users\Admin\AppData\Local\Temp\1oxtpxpw.tv0\any.exe
            5⤵
            PID:5216
            • C:\Users\Admin\AppData\Local\Temp\1oxtpxpw.tv0\any.exe
              "C:\Users\Admin\AppData\Local\Temp\1oxtpxpw.tv0\any.exe" -u
              6⤵
              PID:5356
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uo0tnejj.baz\autosubplayer.exe /S & exit
          4⤵
          PID:1836
          • C:\Users\Admin\AppData\Local\Temp\uo0tnejj.baz\autosubplayer.exe
            C:\Users\Admin\AppData\Local\Temp\uo0tnejj.baz\autosubplayer.exe /S
            5⤵
            PID:5340
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsr6AC9.tmp\tempfile.ps1"
              6⤵
              PID:5972
      • C:\Users\Admin\AppData\Local\Temp\e5-d60b5-32c-f3896-8947aef8b37ed\Selefomaly.exe
        "C:\Users\Admin\AppData\Local\Temp\e5-d60b5-32c-f3896-8947aef8b37ed\Selefomaly.exe"
        3⤵
        PID:4844
  • C:\Users\Admin\AppData\Local\Temp\is-U225S.tmp\Fri165bcbc7f8b.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-U225S.tmp\Fri165bcbc7f8b.tmp" /SL5="$20156,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri165bcbc7f8b.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:3064
    • C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri165bcbc7f8b.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri165bcbc7f8b.exe" /SILENT
      2⤵
      • Executes dropped EXE
      PID:1932
      • C:\Users\Admin\AppData\Local\Temp\is-IBG4R.tmp\Fri165bcbc7f8b.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-IBG4R.tmp\Fri165bcbc7f8b.tmp" /SL5="$1021A,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri165bcbc7f8b.exe" /SILENT
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2280
  • C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri167e14a5b3d5dc.exe
    Fri167e14a5b3d5dc.exe
    1⤵
    • Executes dropped EXE
    PID:2060
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" -y .\l2RRL.WC
      2⤵
      PID:2564
  • C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri16a36a6a837.exe
    Fri16a36a6a837.exe
    1⤵
    • Executes dropped EXE
    PID:1552
  • C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri16bd645415835b795.exe
    Fri16bd645415835b795.exe
    1⤵
    • Executes dropped EXE
    PID:1516
  • C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri161c534d708b.exe
    Fri161c534d708b.exe
    1⤵
    • Executes dropped EXE
    PID:2908
    • C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      2⤵
      PID:608
  • C:\Users\Admin\AppData\Local\Temp\7zS00A2BA16\Fri165bcbc7f8b.exe
    Fri165bcbc7f8b.exe
    1⤵
    • Executes dropped EXE
    PID:3804
  • C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    1⤵
    • Process spawned unexpected child process
    PID:368
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
      2⤵
      PID:1316
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k SystemNetworkService
    1⤵
    PID:5004
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    PID:5460
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    PID:5544
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    PID:6012
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 216203C8DCD5B33A9A9D380AF5D590B9 C
      2⤵
      PID:1712
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    PID:5784
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                1⤵
                                                                                                  PID:5268
                                                                                                • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                  1⤵
                                                                                                    PID:4696
                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                    1⤵
                                                                                                      PID:4200
                                                                                                    • C:\Windows\system32\rundll32.exe
                                                                                                      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                      1⤵
                                                                                                      • Process spawned unexpected child process
                                                                                                      PID:5256
                                                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                                                        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                        2⤵
                                                                                                          PID:2576
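Two things in this tree and in the Downloads list further down are worth checking by hand rather than trusting the signature names. First, both "unexpected child process" hits are a system32\rundll32.exe spawning SysWOW64\rundll32.exe with the identical command line: that is what the 64-bit rundll32 does when handed a 32-bit DLL, so the pair is one DLL load, and the durable signal is the DLL itself sitting in the user's Temp directory. Second, each dump name in the Downloads list encodes the PID and the virtual address range it was taken from, so the printed Filesize can be recomputed and the dumps can be tied back to PIDs in the tree (PID 1316, the SysWOW64 rundll32 that loaded sqlite.dll, has two dumps listed below; PID 2576 has none in this section). The script below is an added example and not part of the sandbox report or its tooling; it parses a constructed slice of the tree and list above in the report's own layout, and it assumes that "under a user's AppData" is an adequate definition of user-writable and that the report renders sizes as whole KB below 1 MiB and one-decimal MB above, both of which are inferences from the values on this page:

```python
import re

# Constructed sample: the rundll32 pair and one sibling from the tree above, in the report's own
# layout (image, command line, depth arrow, optional signature tag, PID); \u2022/\u2935 escapes keep this ASCII.
RAW_TREE = """\
\u2022 C:\\Windows\\system32\\rundll32.exe
  rundll32.exe "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqlite.dll",global
  1\u2935
  \u2022 Process spawned unexpected child process
  PID:5256
  \u2022 C:\\Windows\\SysWOW64\\rundll32.exe
    rundll32.exe "C:\\Users\\Admin\\AppData\\Local\\Temp\\sqlite.dll",global
    2\u2935
    PID:2576
\u2022 C:\\Windows\\system32\\svchost.exe
  C:\\Windows\\system32\\svchost.exe -k SystemNetworkService
  1\u2935
  PID:5004
"""
DUMPS = [  # constructed sample: dump names and the sizes printed beside them in the Downloads list
    ("memory/64-552-0x0000020858B00000-0x0000020858B72000-memory.dmp", "456KB"),
    ("memory/1316-514-0x0000000004803000-0x0000000004904000-memory.dmp", "1.0MB"),
    ("memory/1316-517-0x0000000003120000-0x00000000031CE000-memory.dmp", "696KB"),
    ("memory/1384-321-0x0000000001040000-0x000000000118A000-memory.dmp", "1.3MB"),
]
IMAGE_LINE = re.compile(r"\u2022 ([A-Za-z]:\\.+)")
DEPTH_LINE = re.compile(r"(\d+)\u2935")
DLL_ARG = re.compile(r'rundll32\.exe\s+"?(.+?\.dll)"?\s*,', re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)  # assumption: AppData is enough here
DUMP_NAME = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

def parse_tree(text):
    """Report text -> list of {image, cmdline, depth, pid, parent_pid, tags} in page order."""
    procs, stack, cur = [], [], None            # stack[i] is the open process at depth i + 1
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := IMAGE_LINE.fullmatch(line):
            cur = {"image": m[1], "cmdline": "", "depth": 0, "pid": None,
                   "parent_pid": None, "tags": []}
            procs.append(cur)
        elif line.startswith("\u2022 "):        # a signature tag on the current process
            cur["tags"].append(line[2:])
        elif m := DEPTH_LINE.fullmatch(line):
            cur["depth"] = int(m[1])
            del stack[cur["depth"] - 1:]        # pop back to this process's parent
            cur["parent_pid"] = stack[-1]["pid"] if stack else None  # parent's PID line came first
            stack.append(cur)
        elif line.startswith("PID:"):
            cur["pid"] = int(line[4:])
        else:
            cur["cmdline"] = line
    return procs

def flag_rundll32_user_dll(procs):
    """rundll32 told to load a DLL from a user-writable path: the durable signal in this tree."""
    hits = []
    for p in procs:
        if p["image"].lower().endswith("\\rundll32.exe"):
            m = DLL_ARG.search(p["cmdline"])
            if m and USER_WRITABLE.search(m[1]):
                hits.append((p["pid"], m[1]))
    return hits

def wow64_relaunches(procs):
    """system32\\rundll32 -> SysWOW64\\rundll32 with the same command line: one 32-bit DLL load, not two."""
    by_pid = {p["pid"]: p for p in procs}
    pairs = []
    for p in procs:
        q = by_pid.get(p["parent_pid"])
        if (q and q["image"].lower().endswith("\\system32\\rundll32.exe")
                and p["image"].lower().endswith("\\syswow64\\rundll32.exe")
                and p["cmdline"] == q["cmdline"]):
            pairs.append((q["pid"], p["pid"]))
    return pairs

def parse_dump(name):
    """memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp -> (pid, n, start, end)."""
    m = DUMP_NAME.fullmatch(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    return int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)

def human_size(n):
    """Assumed report rendering: whole KB below 1 MiB, one decimal of MB from there."""
    return f"{n // 1024}KB" if n < 1024 * 1024 else f"{n / (1024 * 1024):.1f}MB"

def check_dump_sizes(listed):
    """(name, printed, computed) for each entry whose printed size disagrees with its address range."""
    out = []
    for name, printed in listed:
        _, _, start, end = parse_dump(name)
        if human_size(end - start) != printed:
            out.append((name, printed, human_size(end - start)))
    return out

def dumps_for_pids(listed, pids):
    """Which of the listed dumps the sandbox took from each PID of interest."""
    return {pid: [n for n, _ in listed if parse_dump(n)[0] == pid] for pid in pids}
```

Running `flag_rundll32_user_dll(parse_tree(RAW_TREE))` returns both rundll32 PIDs with the Temp-directory DLL path, `wow64_relaunches` returns the single (5256, 2576) pair so the child can be folded into its parent when triaging, `check_dump_sizes(DUMPS)` returns no mismatches for the values on this page, and `dumps_for_pids(DUMPS, [1316, 2576])` shows the two 1316 dumps and nothing for 2576. The script needs Python 3.8 or later for the assignment expressions.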

Network

MITRE ATT&CK Enterprise v6

Downloads

• memory/64-552-0x0000020858B00000-0x0000020858B72000-memory.dmp  Filesize: 456KB
• memory/608-302-0x0000000000400000-0x0000000000455000-memory.dmp  Filesize: 340KB
• memory/620-209-0x0000000004FD0000-0x0000000004FD1000-memory.dmp  Filesize: 4KB
• memory/620-216-0x0000000004FD0000-0x0000000004FD1000-memory.dmp  Filesize: 4KB
• memory/620-474-0x0000000007303000-0x0000000007304000-memory.dmp  Filesize: 4KB
• memory/620-233-0x0000000007940000-0x0000000007941000-memory.dmp  Filesize: 4KB
• memory/620-226-0x00000000050E0000-0x00000000050E1000-memory.dmp  Filesize: 4KB
• memory/620-227-0x0000000007300000-0x0000000007301000-memory.dmp  Filesize: 4KB
• memory/620-443-0x000000007E9F0000-0x000000007E9F1000-memory.dmp  Filesize: 4KB
• memory/620-235-0x0000000007302000-0x0000000007303000-memory.dmp  Filesize: 4KB
• memory/620-276-0x0000000008280000-0x0000000008281000-memory.dmp  Filesize: 4KB
• memory/968-254-0x0000000000690000-0x0000000000691000-memory.dmp  Filesize: 4KB
• memory/1068-588-0x0000024785000000-0x0000024785072000-memory.dmp  Filesize: 456KB
• memory/1096-446-0x000000007F310000-0x000000007F311000-memory.dmp  Filesize: 4KB
• memory/1096-204-0x0000000000740000-0x0000000000741000-memory.dmp  Filesize: 4KB
• memory/1096-231-0x0000000006710000-0x0000000006711000-memory.dmp  Filesize: 4KB
• memory/1096-472-0x0000000006713000-0x0000000006714000-memory.dmp  Filesize: 4KB
• memory/1096-213-0x0000000000740000-0x0000000000741000-memory.dmp  Filesize: 4KB
• memory/1096-274-0x0000000006C80000-0x0000000006C81000-memory.dmp  Filesize: 4KB
• memory/1096-237-0x0000000006712000-0x0000000006713000-memory.dmp  Filesize: 4KB
• memory/1096-269-0x00000000067F0000-0x00000000067F1000-memory.dmp  Filesize: 4KB
• memory/1096-271-0x0000000007380000-0x0000000007381000-memory.dmp  Filesize: 4KB
• memory/1116-575-0x000001E5EB1D0000-0x000001E5EB242000-memory.dmp  Filesize: 456KB
• memory/1136-260-0x0000000005620000-0x0000000005621000-memory.dmp  Filesize: 4KB
• memory/1136-239-0x00000000016E0000-0x00000000016E1000-memory.dmp  Filesize: 4KB
• memory/1136-224-0x0000000000DA0000-0x0000000000DA1000-memory.dmp  Filesize: 4KB
• memory/1196-366-0x0000000005720000-0x0000000005721000-memory.dmp  Filesize: 4KB
• memory/1196-313-0x0000000000DA0000-0x0000000000DA1000-memory.dmp  Filesize: 4KB
• memory/1316-514-0x0000000004803000-0x0000000004904000-memory.dmp  Filesize: 1.0MB
• memory/1316-517-0x0000000003120000-0x00000000031CE000-memory.dmp  Filesize: 696KB
• memory/1360-278-0x00000000026E0000-0x00000000026E2000-memory.dmp  Filesize: 8KB
• memory/1384-252-0x0000000001950000-0x0000000001951000-memory.dmp  Filesize: 4KB
• memory/1384-262-0x0000000006060000-0x0000000006061000-memory.dmp  Filesize: 4KB
• memory/1384-362-0x00000000057B0000-0x00000000057B1000-memory.dmp  Filesize: 4KB
• memory/1384-321-0x0000000001040000-0x000000000118A000-memory.dmp  Filesize: 1.3MB
• memory/1384-251-0x0000000005850000-0x0000000005851000-memory.dmp  Filesize: 4KB
• memory/1384-248-0x00000000057E0000-0x00000000057E1000-memory.dmp  Filesize: 4KB
• memory/1384-242-0x00000000058E0000-0x00000000058E1000-memory.dmp  Filesize: 4KB
• memory/1384-218-0x0000000000F90000-0x0000000000F91000-memory.dmp  Filesize: 4KB
• memory/1404-589-0x0000018DBB100000-0x0000018DBB172000-memory.dmp  Filesize: 456KB
• memory/1528-384-0x00000000008F0000-0x00000000008F9000-memory.dmp  Filesize: 36KB
• memory/1528-379-0x0000000000400000-0x0000000000817000-memory.dmp  Filesize: 4.1MB
• memory/1528-377-0x0000000000030000-0x0000000000038000-memory.dmp  Filesize: 32KB
• memory/1552-221-0x0000000000400000-0x0000000000414000-memory.dmp  Filesize: 80KB
• memory/1568-283-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize: 128KB
• memory/1568-316-0x0000000005150000-0x0000000005756000-memory.dmp  Filesize: 6.0MB
• memory/1568-295-0x0000000005760000-0x0000000005761000-memory.dmp  Filesize: 4KB
• memory/1616-386-0x0000000004C70000-0x0000000004C71000-memory.dmp  Filesize: 4KB
• memory/1624-370-0x0000000000400000-0x000000000088B000-memory.dmp  Filesize: 4.5MB
• memory/1624-356-0x0000000000D40000-0x0000000000DBC000-memory.dmp  Filesize: 496KB
• memory/1624-360-0x0000000000DC0000-0x0000000000E99000-memory.dmp  Filesize: 868KB
• memory/1640-533-0x00000154F5CC0000-0x00000154F5D32000-memory.dmp  Filesize: 456KB
• memory/1640-528-0x00000154F5C00000-0x00000154F5C4D000-memory.dmp  Filesize: 308KB
• memory/1920-600-0x0000026B4ED70000-0x0000026B4EDE2000-memory.dmp  Filesize: 456KB
• memory/1932-258-0x0000000000400000-0x00000000004CC000-memory.dmp  Filesize: 816KB
• memory/2040-219-0x0000000000400000-0x0000000000450000-memory.dmp  Filesize: 320KB
• memory/2040-201-0x0000000000400000-0x0000000000450000-memory.dmp  Filesize: 320KB
• memory/2060-215-0x0000000000A40000-0x0000000000A41000-memory.dmp  Filesize: 4KB
• memory/2060-208-0x0000000000A40000-0x0000000000A41000-memory.dmp  Filesize: 4KB
• memory/2108-330-0x0000000001110000-0x0000000001155000-memory.dmp  Filesize: 276KB
• memory/2108-374-0x0000000005570000-0x0000000005571000-memory.dmp  Filesize: 4KB
• memory/2136-134-0x000000006B440000-0x000000006B4CF000-memory.dmp  Filesize: 572KB
• memory/2136-144-0x0000000064940000-0x0000000064959000-memory.dmp  Filesize: 100KB
• memory/2136-152-0x0000000064940000-0x0000000064959000-memory.dmp  Filesize: 100KB
• memory/2136-137-0x000000006FE40000-0x000000006FFC6000-memory.dmp  Filesize: 1.5MB
• memory/2136-140-0x000000006B280000-0x000000006B2A6000-memory.dmp  Filesize: 152KB
• memory/2136-136-0x000000006FE40000-0x000000006FFC6000-memory.dmp  Filesize: 1.5MB
• memory/2136-133-0x000000006B440000-0x000000006B4CF000-memory.dmp  Filesize: 572KB
• memory/2136-138-0x000000006FE40000-0x000000006FFC6000-memory.dmp  Filesize: 1.5MB
• memory/2136-149-0x0000000064940000-0x0000000064959000-memory.dmp  Filesize:

                                                                                                              100KB

                                                                                                            • memory/2136-135-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                                                              Filesize

                                                                                                              572KB

                                                                                                            • memory/2136-154-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                                                              Filesize

                                                                                                              100KB

                                                                                                            • memory/2136-139-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                              Filesize

                                                                                                              1.5MB

                                                                                                            • memory/2144-247-0x0000000005570000-0x0000000005571000-memory.dmp

                                                                                                              Filesize

                                                                                                              4KB

                                                                                                            • memory/2144-220-0x0000000000B50000-0x0000000000B51000-memory.dmp

                                                                                                              Filesize

                                                                                                              4KB

                                                                                                            • memory/2144-250-0x0000000005320000-0x0000000005321000-memory.dmp

                                                                                                              Filesize

                                                                                                              4KB

                                                                                                            • memory/2192-202-0x0000000000020000-0x0000000000021000-memory.dmp

                                                                                                              Filesize

                                                                                                              4KB

                                                                                                            • memory/2192-210-0x0000000000020000-0x0000000000021000-memory.dmp

                                                                                                              Filesize

                                                                                                              4KB

                                                                                                            • memory/2280-268-0x00000000006E0000-0x00000000006E1000-memory.dmp

                                                                                                              Filesize

                                                                                                              4KB

                                                                                                            • memory/2416-489-0x000000002FBE0000-0x000000002FBE1000-memory.dmp

                                                                                                              Filesize

                                                                                                              4KB

                                                                                                            • memory/2416-537-0x0000000030020000-0x00000000300D5000-memory.dmp

                                                                                                              Filesize

                                                                                                              724KB

                                                                                                            • memory/2416-530-0x000000002FEA0000-0x000000002FF57000-memory.dmp

                                                                                                              Filesize

                                                                                                              732KB

                                                                                                            • memory/2476-570-0x0000024DA94A0000-0x0000024DA9512000-memory.dmp

                                                                                                              Filesize

                                                                                                              456KB

                                                                                                            • memory/2512-560-0x000001ADC6C30000-0x000001ADC6CA2000-memory.dmp

                                                                                                              Filesize

                                                                                                              456KB

                                                                                                            • memory/2564-282-0x0000000000E90000-0x0000000000E91000-memory.dmp

                                                                                                              Filesize

                                                                                                              4KB

                                                                                                            • memory/2564-281-0x0000000000E90000-0x0000000000E91000-memory.dmp

                                                                                                              Filesize

                                                                                                              4KB

                                                                                                            • memory/2564-555-0x0000000001200000-0x00000000012AE000-memory.dmp

                                                                                                              Filesize

                                                                                                              696KB

                                                                                                            • memory/2868-284-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                              Filesize

                                                                                                              128KB

                                                                                                            • memory/2868-306-0x0000000005040000-0x0000000005041000-memory.dmp

                                                                                                              Filesize

                                                                                                              4KB

                                                                                                            • memory/2868-314-0x0000000004F90000-0x0000000005596000-memory.dmp

                                                                                                              Filesize

                                                                                                              6.0MB

                                                                                                            • memory/2868-309-0x0000000005170000-0x0000000005171000-memory.dmp

                                                                                                              Filesize

                                                                                                              4KB

                                                                                                            • memory/2888-539-0x0000022B95A20000-0x0000022B95A92000-memory.dmp

                                                                                                              Filesize

                                                                                                              456KB

                                                                                                            • memory/3056-409-0x00000000005A0000-0x00000000005B6000-memory.dmp

                                                                                                              Filesize

                                                                                                              88KB

                                                                                                            • memory/3064-255-0x0000000000690000-0x00000000007DA000-memory.dmp

                                                                                                              Filesize

                                                                                                              1.3MB

                                                                                                            • memory/3804-212-0x0000000000400000-0x00000000004CC000-memory.dmp

                                                                                                              Filesize

                                                                                                              816KB

                                                                                                            • memory/3904-573-0x00000000008A0000-0x00000000008A1000-memory.dmp

                                                                                                              Filesize

                                                                                                              4KB

                                                                                                            • memory/4268-420-0x000000001B040000-0x000000001B042000-memory.dmp

                                                                                                              Filesize

                                                                                                              8KB

                                                                                                            • memory/4844-436-0x00000000026E0000-0x00000000026E2000-memory.dmp

                                                                                                              Filesize

                                                                                                              8KB

                                                                                                            • memory/4900-558-0x0000000001415000-0x0000000001416000-memory.dmp

                                                                                                              Filesize

                                                                                                              4KB

                                                                                                            • memory/4900-502-0x0000000001414000-0x0000000001415000-memory.dmp

                                                                                                              Filesize

                                                                                                              4KB

                                                                                                            • memory/4900-449-0x0000000001410000-0x0000000001412000-memory.dmp

                                                                                                              Filesize

                                                                                                              8KB

                                                                                                            • memory/4900-486-0x0000000001412000-0x0000000001414000-memory.dmp

                                                                                                              Filesize

                                                                                                              8KB

                                                                                                            • memory/5004-550-0x000001FF8E900000-0x000001FF8E972000-memory.dmp

                                                                                                              Filesize

                                                                                                              456KB