Analysis

  • max time kernel
    54s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    21/12/2021, 00:17

General

  • Target

    a03b66a1ddbda28b4624edd0b7ec2cda.exe

  • Size

    6.8MB

  • MD5

    a03b66a1ddbda28b4624edd0b7ec2cda

  • SHA1

    3f1fd35352fbde7a47d94646e6565e7e0e202306

  • SHA256

    045480a084a090029c9f86b103e3f23b4e9e3923180c35d61eca933af3802060

  • SHA512

    7fb596d601010dd91a84ecf056b8f379f776d21270396e655f455119e571e42965b1f82561f827d5141ddde78efcf21b271f7b80648ec41b8a7254bc88f57120

Malware Config

Extracted

Family

socelars

C2

http://www.biohazardgraphics.com/

Extracted

Family

redline

Botnet

media18n

C2

65.108.69.168:13293

Extracted

Family

smokeloader

Version

2020

C2

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

rc4.i32
rc4.i32

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 3 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 2 IoCs
  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 5 IoCs
  • ASPack v2.12-2.42 7 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Executes dropped EXE 31 IoCs
  • Loads dropped DLL 14 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 2 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 19 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s WpnService
    1⤵
      PID:2720
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2700
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s Browser
      1⤵
        PID:2688
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
        1⤵
          PID:2484
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
          1⤵
            PID:2440
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s BITS
            1⤵
            • Suspicious use of SetThreadContext
            • Modifies registry class
            • Suspicious use of AdjustPrivilegeToken
            PID:3328
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k SystemNetworkService
              2⤵
              • Checks processor information in registry
              • Modifies data under HKEY_USERS
              • Modifies registry class
              PID:4968
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
            1⤵
              PID:1856
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s SENS
              1⤵
                PID:1440
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                1⤵
                  PID:1356
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s Themes
                  1⤵
                    PID:1272
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                    1⤵
                      PID:1092
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                      1⤵
                        PID:1036
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                        1⤵
                          PID:324
                        • C:\Users\Admin\AppData\Local\Temp\a03b66a1ddbda28b4624edd0b7ec2cda.exe
                          "C:\Users\Admin\AppData\Local\Temp\a03b66a1ddbda28b4624edd0b7ec2cda.exe"
                          1⤵
                          • Suspicious use of WriteProcessMemory
                          PID:2544
                          • C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\setup_install.exe
                            "C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\setup_install.exe"
                            2⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • Suspicious use of WriteProcessMemory
                            PID:1256
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
                              3⤵
                              • Suspicious use of WriteProcessMemory
                              PID:3632
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
                                4⤵
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3980
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                              3⤵
                              • Suspicious use of WriteProcessMemory
                              PID:3160
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                                4⤵
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4004
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c Sat02554508507a106c.exe /mixtwo
                              3⤵
                              • Suspicious use of WriteProcessMemory
                              PID:3144
                              • C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\Sat02554508507a106c.exe
                                Sat02554508507a106c.exe /mixtwo
                                4⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                • Suspicious use of WriteProcessMemory
                                PID:720
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c Sat02f0e19902a987a7.exe
                              3⤵
                              • Suspicious use of WriteProcessMemory
                              PID:1320
                              • C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\Sat02f0e19902a987a7.exe
                                Sat02f0e19902a987a7.exe
                                4⤵
                                • Executes dropped EXE
                                PID:924
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c Sat02962f4664577a689.exe
                              3⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2856
                              • C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\Sat02962f4664577a689.exe
                                Sat02962f4664577a689.exe
                                4⤵
                                • Executes dropped EXE
                                PID:972
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c Sat02b21a81470677.exe
                              3⤵
                              • Suspicious use of SetWindowsHookEx
                              PID:1100
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c Sat029fae24be9c.exe
                              3⤵
                              • Suspicious use of WriteProcessMemory
                              PID:2660
                              • C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\Sat029fae24be9c.exe
                                Sat029fae24be9c.exe
                                4⤵
                                • Executes dropped EXE
                                PID:1048
                                • C:\Users\Admin\AppData\Local\Temp\is-7RBPJ.tmp\Sat029fae24be9c.tmp
                                  "C:\Users\Admin\AppData\Local\Temp\is-7RBPJ.tmp\Sat029fae24be9c.tmp" /SL5="$20084,140047,56320,C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\Sat029fae24be9c.exe"
                                  5⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  PID:2996
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c Sat02298d70f9.exe
                              3⤵
                                PID:908
                                • C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\Sat02298d70f9.exe
                                  Sat02298d70f9.exe
                                  4⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3860
                                  • C:\Windows\SysWOW64\cmd.exe
                                    cmd.exe /c taskkill /f /im chrome.exe
                                    5⤵
                                      PID:408
                                      • C:\Windows\SysWOW64\taskkill.exe
                                        taskkill /f /im chrome.exe
                                        6⤵
                                        • Kills process with taskkill
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:4436
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c Sat02558cff42bd34.exe
                                  3⤵
                                    PID:1188
                                    • C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\Sat02558cff42bd34.exe
                                      Sat02558cff42bd34.exe
                                      4⤵
                                      • Executes dropped EXE
                                      PID:1520
                                      • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                        5⤵
                                        • Executes dropped EXE
                                        PID:2872
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c Sat0207a7d2dcf2a6b.exe
                                    3⤵
                                      PID:1316
                                      • C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\Sat0207a7d2dcf2a6b.exe
                                        Sat0207a7d2dcf2a6b.exe
                                        4⤵
                                        • Executes dropped EXE
                                        PID:2436
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c Sat02c0e2b6cedc92a.exe
                                      3⤵
                                        PID:1472
                                        • C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\Sat02c0e2b6cedc92a.exe
                                          Sat02c0e2b6cedc92a.exe
                                          4⤵
                                          • Executes dropped EXE
                                          • Suspicious use of SetThreadContext
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3496
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c Sat0225632ecb8.exe
                                        3⤵
                                          PID:1892
                                          • C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\Sat0225632ecb8.exe
                                            Sat0225632ecb8.exe
                                            4⤵
                                              PID:3852
                                              • C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\Sat0225632ecb8.exe
                                                C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\Sat0225632ecb8.exe
                                                5⤵
                                                • Executes dropped EXE
                                                PID:2172
                                              • C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\Sat0225632ecb8.exe
                                                C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\Sat0225632ecb8.exe
                                                5⤵
                                                • Executes dropped EXE
                                                PID:1164
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /c Sat0247671baec424a.exe
                                            3⤵
                                              PID:1672
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c Sat021c98f040eaa485.exe
                                              3⤵
                                                PID:2108
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /c Sat02c4a0a9f5d95.exe
                                                3⤵
                                                  PID:844
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c Sat02162a2f7cc8.exe
                                                  3⤵
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:64
                                            • C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\Sat02162a2f7cc8.exe
                                              Sat02162a2f7cc8.exe
                                              1⤵
                                              • Executes dropped EXE
                                              • Checks SCSI registry key(s)
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious behavior: MapViewOfSection
                                              PID:1296
                                            • C:\Users\Admin\AppData\Local\Temp\is-RL6LA.tmp\Sat0207a7d2dcf2a6b.tmp
                                              "C:\Users\Admin\AppData\Local\Temp\is-RL6LA.tmp\Sat0207a7d2dcf2a6b.tmp" /SL5="$2019E,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\Sat0207a7d2dcf2a6b.exe"
                                              1⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              PID:772
                                              • C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\Sat0207a7d2dcf2a6b.exe
                                                "C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\Sat0207a7d2dcf2a6b.exe" /SILENT
                                                2⤵
                                                • Executes dropped EXE
                                                PID:1300
                                                • C:\Users\Admin\AppData\Local\Temp\is-3FEPD.tmp\Sat0207a7d2dcf2a6b.tmp
                                                  "C:\Users\Admin\AppData\Local\Temp\is-3FEPD.tmp\Sat0207a7d2dcf2a6b.tmp" /SL5="$10234,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\Sat0207a7d2dcf2a6b.exe" /SILENT
                                                  3⤵
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  PID:1268
                                            • C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\Sat021c98f040eaa485.exe
                                              "C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\Sat021c98f040eaa485.exe" -u
                                              1⤵
                                              • Executes dropped EXE
                                              PID:4060
                                            • C:\Windows\SysWOW64\control.exe
                                              "C:\Windows\System32\control.exe" .\D933.N
                                              1⤵
                                                PID:1220
                                                • C:\Windows\SysWOW64\rundll32.exe
                                                  "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\D933.N
                                                  2⤵
                                                    PID:2764
                                                • C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\Sat0247671baec424a.exe
                                                  Sat0247671baec424a.exe
                                                  1⤵
                                                  • Executes dropped EXE
                                                  PID:504
                                                  • C:\Windows\SysWOW64\control.exe
                                                    "C:\Windows\System32\control.exe" .\D933.N
                                                    2⤵
                                                      PID:1720
                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\D933.N
                                                        3⤵
                                                        • Loads dropped DLL
                                                        PID:1752
                                                  • C:\Windows\system32\RunDll32.exe
                                                    C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\D933.N
                                                    1⤵
                                                      PID:1988
                                                    • C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\Sat02c0e2b6cedc92a.exe
                                                      C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\Sat02c0e2b6cedc92a.exe
                                                      1⤵
                                                      • Executes dropped EXE
                                                      PID:364
                                                    • C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\Sat02c4a0a9f5d95.exe
                                                      Sat02c4a0a9f5d95.exe
                                                      1⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:3048
                                                      • C:\Users\Admin\AppData\Local\edf5c72b-d664-4bca-a7bf-e59dc0199df6.exe
                                                        "C:\Users\Admin\AppData\Local\edf5c72b-d664-4bca-a7bf-e59dc0199df6.exe"
                                                        2⤵
                                                        • Executes dropped EXE
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1220
                                                      • C:\Users\Admin\AppData\Local\0ebb8073-c4be-49a9-9dac-99ff3f0d7ab8.exe
                                                        "C:\Users\Admin\AppData\Local\0ebb8073-c4be-49a9-9dac-99ff3f0d7ab8.exe"
                                                        2⤵
                                                        • Executes dropped EXE
                                                        • Adds Run key to start application
                                                        PID:2136
                                                        • C:\Users\Admin\AppData\Roaming\43093746\4309317743093177.exe
                                                          "C:\Users\Admin\AppData\Roaming\43093746\4309317743093177.exe"
                                                          3⤵
                                                          • Executes dropped EXE
                                                          PID:2320
                                                      • C:\Users\Admin\AppData\Local\ce92ba9e-358d-4f94-a3e2-50cd76f87c2a.exe
                                                        "C:\Users\Admin\AppData\Local\ce92ba9e-358d-4f94-a3e2-50cd76f87c2a.exe"
                                                        2⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:376
                                                      • C:\Users\Admin\AppData\Local\1eddf650-7694-4f7c-a7d4-d63fbf1f5abd.exe
                                                        "C:\Users\Admin\AppData\Local\1eddf650-7694-4f7c-a7d4-d63fbf1f5abd.exe"
                                                        2⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1472
                                                      • C:\Users\Admin\AppData\Local\020ae99e-2cdb-4eda-8b2c-dfaf519b26be.exe
                                                        "C:\Users\Admin\AppData\Local\020ae99e-2cdb-4eda-8b2c-dfaf519b26be.exe"
                                                        2⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2556
                                                        • C:\Users\Admin\AppData\Roaming\4561478.exe
                                                          "C:\Users\Admin\AppData\Roaming\4561478.exe"
                                                          3⤵
                                                          • Executes dropped EXE
                                                          • Modifies registry class
                                                          PID:4104
                                                          • C:\Windows\SysWOW64\control.exe
                                                            "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\YAuR5.CPl",
                                                            4⤵
                                                              PID:4340
                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\YAuR5.CPl",
                                                                5⤵
                                                                • Loads dropped DLL
                                                                PID:4456
                                                      • C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\Sat021c98f040eaa485.exe
                                                        Sat021c98f040eaa485.exe
                                                        1⤵
                                                        • Executes dropped EXE
                                                        PID:2832
                                                      • C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\Sat02554508507a106c.exe
                                                        Sat02554508507a106c.exe /mixtwo
                                                        1⤵
                                                        • Executes dropped EXE
                                                        PID:2212
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /c taskkill /im "Sat02554508507a106c.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS0F98CBD5\Sat02554508507a106c.exe" & exit
                                                          2⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetThreadContext
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:3852
                                                          • C:\Windows\SysWOW64\taskkill.exe
                                                            taskkill /im "Sat02554508507a106c.exe" /f
                                                            3⤵
                                                            • Kills process with taskkill
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2660
                                                      • C:\Windows\system32\rundll32.exe
                                                        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                        1⤵
                                                        • Process spawned unexpected child process
                                                        PID:4652
                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                          2⤵
                                                          • Loads dropped DLL
                                                          • Modifies registry class
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:4692

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/324-595-0x000001C344FD0000-0x000001C345042000-memory.dmp

    Filesize

    456KB

  • memory/364-277-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

  • memory/364-296-0x00000000056C0000-0x00000000056C1000-memory.dmp

    Filesize

    4KB

  • memory/364-284-0x0000000005C60000-0x0000000005C61000-memory.dmp

    Filesize

    4KB

  • memory/364-302-0x00000000057F0000-0x00000000057F1000-memory.dmp

    Filesize

    4KB

  • memory/364-313-0x0000000005650000-0x0000000005C56000-memory.dmp

    Filesize

    6.0MB

  • memory/376-316-0x0000000002A10000-0x0000000002A55000-memory.dmp

    Filesize

    276KB

  • memory/376-362-0x0000000005610000-0x0000000005611000-memory.dmp

    Filesize

    4KB

                                                            • memory/504-214-0x00000000000F0000-0x00000000000F1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/504-210-0x00000000000F0000-0x00000000000F1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/772-253-0x00000000025B0000-0x00000000025B1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/972-178-0x0000000000A60000-0x0000000000A61000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/972-174-0x0000000000A60000-0x0000000000A61000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/1036-639-0x000001CA3A070000-0x000001CA3A0E2000-memory.dmp

                                                              Filesize

                                                              456KB

                                                            • memory/1048-215-0x0000000000400000-0x0000000000414000-memory.dmp

                                                              Filesize

                                                              80KB

                                                            • memory/1092-637-0x000001BB714A0000-0x000001BB71512000-memory.dmp

                                                              Filesize

                                                              456KB

                                                            • memory/1164-359-0x0000000005530000-0x0000000005B36000-memory.dmp

                                                              Filesize

                                                              6.0MB

                                                            • memory/1220-303-0x0000000005590000-0x0000000005591000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/1220-333-0x00000000055A0000-0x00000000055A1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/1220-290-0x0000000000E00000-0x0000000000E01000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/1256-137-0x0000000064940000-0x0000000064959000-memory.dmp

                                                              Filesize

                                                              100KB

                                                            • memory/1256-130-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                              Filesize

                                                              572KB

                                                            • memory/1256-135-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                              Filesize

                                                              1.5MB

                                                            • memory/1256-136-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                              Filesize

                                                              152KB

                                                            • memory/1256-131-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                              Filesize

                                                              572KB

                                                            • memory/1256-140-0x0000000064940000-0x0000000064959000-memory.dmp

                                                              Filesize

                                                              100KB

                                                            • memory/1256-132-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                              Filesize

                                                              1.5MB

                                                            • memory/1256-129-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                              Filesize

                                                              572KB

                                                            • memory/1256-138-0x0000000064940000-0x0000000064959000-memory.dmp

                                                              Filesize

                                                              100KB

                                                            • memory/1256-133-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                              Filesize

                                                              1.5MB

                                                            • memory/1256-134-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                              Filesize

                                                              1.5MB

                                                            • memory/1256-139-0x0000000064940000-0x0000000064959000-memory.dmp

                                                              Filesize

                                                              100KB

                                                            • memory/1268-263-0x0000000000690000-0x00000000007DA000-memory.dmp

                                                              Filesize

                                                              1.3MB

                                                            • memory/1272-648-0x000001EB1EFA0000-0x000001EB1F012000-memory.dmp

                                                              Filesize

                                                              456KB

                                                            • memory/1296-382-0x0000000000400000-0x00000000004CC000-memory.dmp

                                                              Filesize

                                                              816KB

                                                            • memory/1296-380-0x00000000004D0000-0x000000000061A000-memory.dmp

                                                              Filesize

                                                              1.3MB

                                                            • memory/1300-245-0x0000000000400000-0x00000000004CC000-memory.dmp

                                                              Filesize

                                                              816KB

                                                            • memory/1356-650-0x000002712D0D0000-0x000002712D142000-memory.dmp

                                                              Filesize

                                                              456KB

                                                            • memory/1440-641-0x00000196A68B0000-0x00000196A6922000-memory.dmp

                                                              Filesize

                                                              456KB

                                                            • memory/1472-384-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/1472-340-0x0000000000D10000-0x0000000000D55000-memory.dmp

                                                              Filesize

                                                              276KB

                                                            • memory/1752-622-0x00000000023F0000-0x00000000023F1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/1856-638-0x0000017693180000-0x00000176931F2000-memory.dmp

                                                              Filesize

                                                              456KB

                                                            • memory/2136-307-0x0000000000B60000-0x0000000000B61000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/2212-216-0x0000000000400000-0x0000000000450000-memory.dmp

                                                              Filesize

                                                              320KB

                                                            • memory/2212-179-0x0000000000400000-0x0000000000450000-memory.dmp

                                                              Filesize

                                                              320KB

                                                            • memory/2320-407-0x000000001AF90000-0x000000001AF92000-memory.dmp

                                                              Filesize

                                                              8KB

                                                            • memory/2436-217-0x0000000000400000-0x00000000004CC000-memory.dmp

                                                              Filesize

                                                              816KB

                                                            • memory/2440-618-0x000001F8234A0000-0x000001F823512000-memory.dmp

                                                              Filesize

                                                              456KB

                                                            • memory/2484-615-0x0000012BF4A10000-0x0000012BF4A82000-memory.dmp

                                                              Filesize

                                                              456KB

                                                            • memory/2556-392-0x0000000005180000-0x0000000005181000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/2688-587-0x0000025FD07C0000-0x0000025FD0832000-memory.dmp

                                                              Filesize

                                                              456KB

                                                            • memory/2700-652-0x00000208983A0000-0x0000020898412000-memory.dmp

                                                              Filesize

                                                              456KB

                                                            • memory/2720-651-0x000001D5E0000000-0x000001D5E0072000-memory.dmp

                                                              Filesize

                                                              456KB

                                                            • memory/2872-299-0x0000000000400000-0x0000000000455000-memory.dmp

                                                              Filesize

                                                              340KB

                                                            • memory/2996-254-0x0000000000610000-0x0000000000611000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/3032-424-0x0000000001050000-0x0000000001066000-memory.dmp

                                                              Filesize

                                                              88KB

                                                            • memory/3048-232-0x00000000009D0000-0x00000000009D1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/3048-222-0x0000000000200000-0x0000000000201000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/3048-249-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/3328-582-0x000001C5A92C0000-0x000001C5A9332000-memory.dmp

                                                              Filesize

                                                              456KB

                                                            • memory/3328-564-0x000001C5A9200000-0x000001C5A924D000-memory.dmp

                                                              Filesize

                                                              308KB

                                                            • memory/3496-218-0x0000000000230000-0x0000000000231000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/3496-252-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/3496-248-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/3496-241-0x0000000000B60000-0x0000000000B61000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/3496-266-0x0000000005300000-0x0000000005301000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/3852-250-0x0000000004980000-0x0000000004981000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/3852-219-0x00000000001B0000-0x00000000001B1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/3852-242-0x0000000004A20000-0x0000000004A21000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/3852-240-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/3980-206-0x0000000002F40000-0x0000000002F41000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/3980-237-0x0000000003262000-0x0000000003263000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/3980-211-0x0000000002F40000-0x0000000002F41000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/3980-421-0x000000007E680000-0x000000007E681000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/3980-227-0x0000000003050000-0x0000000003051000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/3980-233-0x0000000003260000-0x0000000003261000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/3980-451-0x0000000003263000-0x0000000003264000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/3980-230-0x0000000007630000-0x0000000007631000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/3980-273-0x0000000008030000-0x0000000008031000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/4004-207-0x0000000004940000-0x0000000004941000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/4004-264-0x0000000007D30000-0x0000000007D31000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/4004-251-0x00000000070C2000-0x00000000070C3000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/4004-262-0x0000000007560000-0x0000000007561000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/4004-267-0x0000000007DB0000-0x0000000007DB1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/4004-258-0x00000000074C0000-0x00000000074C1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/4004-275-0x0000000008640000-0x0000000008641000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/4004-452-0x00000000070C3000-0x00000000070C4000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/4004-236-0x00000000070C0000-0x00000000070C1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/4004-213-0x0000000004940000-0x0000000004941000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/4004-427-0x000000007F4B0000-0x000000007F4B1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/4456-688-0x00000000029B0000-0x00000000029B1000-memory.dmp

                                                              Filesize

                                                              4KB

                                                            • memory/4692-545-0x00000000048F0000-0x000000000494D000-memory.dmp

                                                              Filesize

                                                              372KB

                                                            • memory/4692-542-0x00000000047E5000-0x00000000048E6000-memory.dmp

                                                              Filesize

                                                              1.0MB

                                                            • memory/4968-592-0x0000024EEC240000-0x0000024EEC2B2000-memory.dmp

                                                              Filesize

                                                              456KB

                                                            • memory/4968-857-0x0000024EEDA60000-0x0000024EEDA7B000-memory.dmp

                                                              Filesize

                                                              108KB

                                                            • memory/4968-861-0x0000024EEDA80000-0x0000024EEDAA9000-memory.dmp

                                                              Filesize

                                                              164KB

                                                            • memory/4968-863-0x0000024EEE900000-0x0000024EEEA05000-memory.dmp

                                                              Filesize

                                                              1.0MB
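Each dump in the Downloads list is named memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, so the size column can be recomputed from the name alone and regions can be compared across processes before any dump is opened: the same 816KB region at 0x400000 appears in PIDs 1296, 1300 and 2436, and 456KB regions appear in more than a dozen 64-bit processes. The following is an added example, not part of the report or of the sandbox's own tooling. The sample names are a subset copied from the list above; the grouping heuristics (ignore single-page dumps, treat 0x400000 as the default unrelocated 32-bit image base) are assumptions made here, not something the report states.

```python
import re
from collections import defaultdict

# Naming scheme of the dumps in the Downloads list:
#   memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Default image base of a 32-bit PE that has not been relocated. A dump at this
# address in a 32-bit process is usually the main image, or a payload written
# over it. Treating it as a separate group is a heuristic assumed here.
IMAGE_BASE_32 = 0x400000

# Constructed sample: a subset of the names copied from the list above.
SAMPLE_DUMPS = [
    "memory/324-595-0x000001C344FD0000-0x000001C345042000-memory.dmp",
    "memory/364-277-0x0000000000400000-0x0000000000420000-memory.dmp",
    "memory/364-313-0x0000000005650000-0x0000000005C56000-memory.dmp",
    "memory/364-296-0x00000000056C0000-0x00000000056C1000-memory.dmp",
    "memory/1036-639-0x000001CA3A070000-0x000001CA3A0E2000-memory.dmp",
    "memory/1296-382-0x0000000000400000-0x00000000004CC000-memory.dmp",
    "memory/1300-245-0x0000000000400000-0x00000000004CC000-memory.dmp",
    "memory/2436-217-0x0000000000400000-0x00000000004CC000-memory.dmp",
    "memory/4692-542-0x00000000047E5000-0x00000000048E6000-memory.dmp",
]


def parse_dump(name):
    """Split a dump name into pid, sequence number, address range and size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a dump name: {name}")
    pid, seq = int(m.group(1)), int(m.group(2))
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    if end <= start:
        raise ValueError(f"empty or inverted range: {name}")
    return {"name": name, "pid": pid, "seq": seq,
            "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Same rounding the report's Filesize column uses: whole KB below 1 MiB,
    one decimal place in MB at or above it."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def recurring_regions(dumps, min_pids=2, min_size=0x10000):
    """Group regions by (size, sits at the 32-bit image base) and return the
    groups seen in at least min_pids distinct processes.

    Regions smaller than min_size are skipped: single-page (4KB) dumps rarely
    hold a payload and would otherwise dominate the output (heuristic).
    """
    groups = defaultdict(set)
    for d in dumps:
        if d["size"] < min_size:
            continue
        groups[(d["size"], d["start"] == IMAGE_BASE_32)].add(d["pid"])
    return {key: sorted(pids) for key, pids in groups.items()
            if len(pids) >= min_pids}


if __name__ == "__main__":
    dumps = [parse_dump(n) for n in SAMPLE_DUMPS]
    for d in dumps:
        print(f"{d['pid']:>5} {d['start']:#018x} {human_size(d['size']):>7}")
    for (size, at_base), pids in recurring_regions(dumps).items():
        where = " at image base" if at_base else ""
        print(f"{human_size(size)} region{where} in PIDs {pids}")
```

Identically sized regions at the same base in several processes are the first thing to pull and hash against each other, since a payload injected into multiple hosts dumps out as the same bytes; the many equal-sized 456KB regions at high (64-bit) addresses are the other group worth a side-by-side comparison before reading any of them in a disassembler.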