Analysis

  • max time kernel
    96s
  • max time network
    163s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    23/12/2021, 13:27

General

  • Target

    727539aeb8826517f3d1a1ba586bd62e3d89ba26cfdb9f4621209cb09d9ee7d1.exe

  • Size

    7.1MB

  • MD5

    40a84a31bb856ea2dfe98162488f6923

  • SHA1

    2c64beed469978c33f41668343e10d62c96a226c

  • SHA256

    727539aeb8826517f3d1a1ba586bd62e3d89ba26cfdb9f4621209cb09d9ee7d1

  • SHA512

    1ee165a273a2897ce62864eda8eb6d04d7e6962778faff8abce425f1b82334b75412f77b6dbcb127a5f15d062ac17e80f01f0942d654674245c730f2cc490c67

Malware Config

Extracted

  • Family

    socelars

  • C2

    http://www.biohazardgraphics.com/

Extracted

  • Family

    vidar

  • Version

    49.2

  • Botnet

    915

  • C2

    https://mstdn.social/@kipriauk9
    https://qoto.org/@kipriauk8

  • Attributes
    • profile_id

      915

Extracted

  • Family

    smokeloader

  • Version

    2020

  • C2

    http://rcacademy.at/upload/
    http://e-lanpengeonline.com/upload/
    http://vjcmvz.cn/upload/
    http://galala.ru/upload/
    http://witra.ru/upload/

  • rc4.i32
  • rc4.i32

Extracted

  • Family

    redline

  • Botnet

    userv1

  • C2

    159.69.246.184:13127

Extracted

  • Family

    redline

  • Botnet

    media22ns

  • C2

    65.108.69.168:13293

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 8 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 2 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • NirSoft WebBrowserPassView 5 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 8 IoCs
  • Vidar Stealer 2 IoCs
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Downloads MZ/PE file
  • Executes dropped EXE 28 IoCs
  • Loads dropped DLL 16 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, autofill data and browsing history.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 10 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). This is a generic signature that is common in ransomware; no ransomware family was extracted from this sample, whose configs are all stealers and a loader, so here it more likely reflects drive enumeration for data collection or environment checks.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 3 IoCs
  • Modifies data under HKEY_USERS 28 IoCs
  • Modifies registry class 29 IoCs
  • Script User-Agent 1 IoCs

    Uses a user-agent string associated with a script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
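The signatures above and the process tree that follows them give a compact picture of what this dropper does on the host: PowerShell calls to Set-MpPreference/Add-MpPreference that switch off Defender real-time monitoring and exclude %TEMP%, a stealer that runs taskkill /f /im chrome.exe so browser databases are unlocked, a .cpl payload in %TEMP% loaded through control.exe and rundll32 Control_RunDLL, and dropped executables that re-launch a copy of themselves before the SetThreadContext injection the sandbox flags. The block below is an added example (not sandbox output or code from any of the malware families named here) that turns those behaviours into process-creation detection rules and runs them over a constructed event table. The events are paraphrased from the tree on this page with its PIDs and paths, some cmd.exe wrappers are omitted, and the two benign rows and the rule names are my own.

```python
"""Process-creation detection rules for the behaviours in this report.

Added example: the rules and the constructed sample events below are not
part of the sandbox report or of any of the malware families it names.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the created process
    cmdline: str  # its command line


# Paths under a user profile that any unprivileged process can write to.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "opera.exe", "brave.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


class ProcessTree:
    """Indexes events by PID so rules can walk a process's ancestry."""

    def __init__(self, events):
        self.events = list(events)
        self.by_pid = {e.pid: e for e in self.events}

    def ancestors(self, ev):
        seen, cur = set(), self.by_pid.get(ev.ppid)
        while cur is not None and cur.pid not in seen:  # guard against PID reuse loops
            seen.add(cur.pid)
            yield cur
            cur = self.by_pid.get(cur.ppid)

    def from_user_dir(self, ev) -> bool:
        return USER_WRITABLE.search(ev.image) is not None


def r_defender_tamper(tree, ev) -> bool:
    # Flag the PowerShell process itself, not the cmd.exe wrapper whose
    # command line merely contains the same text.
    if basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return False
    c = ev.cmdline.lower()
    return (("set-mppreference" in c and "disablerealtimemonitoring" in c and "$true" in c)
            or ("add-mppreference" in c and "exclusionpath" in c))


def r_browser_taskkill(tree, ev) -> bool:
    # taskkill /f /im <browser> is only interesting when something living in
    # a user-writable directory is somewhere up the parent chain.
    if basename(ev.image) != "taskkill.exe":
        return False
    m = re.search(r"/im\s+(\S+)", ev.cmdline, re.I)
    if not m or m.group(1).lower() not in BROWSERS:
        return False
    return any(tree.from_user_dir(a) for a in tree.ancestors(ev))


def r_cpl_from_user_dir(tree, ev) -> bool:
    # control.exe / rundll32 Control_RunDLL (or shell32.dll,#44) given a .cpl
    # that sits under AppData: Control Panel item proxy execution.
    name, c = basename(ev.image), ev.cmdline.lower()
    is_cpl_host = name == "control.exe" or (
        name == "rundll32.exe" and ("control_rundll" in c or 'shell32.dll",#44' in c))
    return is_cpl_host and re.search(r'\\users\\[^\\]+\\appdata\\[^"]*\.cpl', c) is not None


def r_self_respawn(tree, ev) -> bool:
    # A %TEMP% executable starting a second copy of itself (the parent of the
    # SetThreadContext injection seen in the tree).
    parent = tree.by_pid.get(ev.ppid)
    return (parent is not None and parent.image.lower() == ev.image.lower()
            and tree.from_user_dir(ev))


RULES = {
    "defender_tamper": r_defender_tamper,
    "browser_taskkill_from_user_dir": r_browser_taskkill,
    "cpl_loaded_from_user_dir": r_cpl_from_user_dir,
    "temp_exe_respawns_itself": r_self_respawn,
}


def detect(events):
    """Return (rule_name, pid) for every event that matches a rule."""
    tree = ProcessTree(events)
    return [(name, ev.pid) for ev in tree.events
            for name, fn in RULES.items() if fn(tree, ev)]


# Constructed sample events, paraphrased from the report's process tree.
T = r"C:\Users\Admin\AppData\Local\Temp"
E = ProcEvent
SAMPLE_EVENTS = [
    E(2908, 1472, T + r"\7zS0C5384F5\setup_install.exe", "setup_install.exe"),
    E(1012, 2908, r"C:\Windows\SysWOW64\cmd.exe", r"cmd.exe /c powershell -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -MAPSReporting Disable"),
    E(1688, 1012, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", r"powershell -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable"),
    E(612, 2908, r"C:\Windows\SysWOW64\cmd.exe", r'cmd.exe /c powershell -NonInteractive -Command Add-MpPreference -ExclusionPath "' + T + '"'),
    E(3004, 612, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", r'powershell -NonInteractive -Command Add-MpPreference -ExclusionPath "' + T + '"'),
    E(1492, 2908, r"C:\Windows\SysWOW64\cmd.exe", r"cmd.exe /c Thu0697928af5d.exe"),
    E(2308, 1492, T + r"\7zS0C5384F5\Thu0697928af5d.exe", "Thu0697928af5d.exe"),
    E(4252, 2308, T + r"\7zS0C5384F5\Thu0697928af5d.exe", T + r"\7zS0C5384F5\Thu0697928af5d.exe"),
    E(1348, 2908, r"C:\Windows\SysWOW64\cmd.exe", r"cmd.exe /c Thu06ed3d26eb519b0.exe"),
    E(900, 1348, T + r"\7zS0C5384F5\Thu06ed3d26eb519b0.exe", "Thu06ed3d26eb519b0.exe"),
    E(4124, 900, r"C:\Windows\SysWOW64\cmd.exe", r"cmd.exe /c taskkill /f /im chrome.exe"),
    E(4396, 4124, r"C:\Windows\SysWOW64\taskkill.exe", r"taskkill /f /im chrome.exe"),
    E(1084, 2908, T + r"\7zS0C5384F5\Thu06df48f4827.exe", "Thu06df48f4827.exe"),
    E(2020, 1084, r"C:\Windows\SysWOW64\control.exe", r'"C:\Windows\System32\control.exe" "' + T + r'\2qmCD.Cpl",'),
    E(1172, 2020, r"C:\Windows\SysWOW64\rundll32.exe", r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "' + T + r'\2qmCD.Cpl",'),
    E(2708, 0, r"C:\Windows\system32\svchost.exe", r"svchost.exe -k netsvcs -s Winmgmt"),   # benign
    E(4512, 2708, r"C:\Windows\system32\wbem\WMIADAP.EXE", r"wmiadap.exe /F /T /R"),      # benign
    E(9999, 0, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -Command Get-MpPreference"),  # benign, constructed
]

if __name__ == "__main__":
    for rule_name, pid in detect(SAMPLE_EVENTS):
        print(f"{rule_name:32s} pid={pid}")
```

Running it reports six hits: the two PowerShell processes that tamper with Defender (1688 and 3004, not their cmd.exe parents), taskkill 4396 because Thu06ed3d26eb519b0.exe in %TEMP% is two levels up, control.exe 2020 and rundll32 1172 for the .cpl in %TEMP%, and 4252 for Thu0697928af5d.exe re-launching itself. The ancestry walk is what keeps the taskkill rule from firing on an administrator who kills a browser from a normal shell, and the ancestor loop guard matters on real telemetry because PIDs are reused (this very tree shows 1612 and 3400 twice).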

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
    1⤵
      PID:1828
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s BITS
      1⤵
      • Suspicious use of SetThreadContext
      • Modifies registry class
      PID:3624
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:4704
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
          PID:4348
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k SystemNetworkService
          2⤵
            PID:3400
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k SystemNetworkService
            2⤵
              PID:2348
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k SystemNetworkService
              2⤵
              • Modifies registry class
              PID:4556
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k SystemNetworkService
              2⤵
              • Modifies registry class
              PID:4128
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k SystemNetworkService
              2⤵
              • Modifies registry class
              PID:5116
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s Browser
            1⤵
              PID:2920
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s WpnService
              1⤵
                PID:2732
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
                1⤵
                  PID:2708
                  • C:\Windows\system32\wbem\WMIADAP.EXE
                    wmiadap.exe /F /T /R
                    2⤵
                      PID:4512
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
                    1⤵
                      PID:2504
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
                      1⤵
                        PID:2492
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k netsvcs -s SENS
                        1⤵
                          PID:1436
                        • c:\windows\system32\svchost.exe
                          c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                          1⤵
                            PID:1404
                          • c:\windows\system32\svchost.exe
                            c:\windows\system32\svchost.exe -k netsvcs -s Themes
                            1⤵
                              PID:1212
                            • c:\windows\system32\svchost.exe
                              c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                              1⤵
                                PID:1128
                              • c:\windows\system32\svchost.exe
                                c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                                1⤵
                                  PID:960
                                • c:\windows\system32\svchost.exe
                                  c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                                  1⤵
                                    PID:356
                                  • C:\Users\Admin\AppData\Local\Temp\727539aeb8826517f3d1a1ba586bd62e3d89ba26cfdb9f4621209cb09d9ee7d1.exe
                                    "C:\Users\Admin\AppData\Local\Temp\727539aeb8826517f3d1a1ba586bd62e3d89ba26cfdb9f4621209cb09d9ee7d1.exe"
                                    1⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:2772
                                    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                                      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                                      2⤵
                                      • Executes dropped EXE
                                      • Suspicious use of WriteProcessMemory
                                      PID:1472
                                      • C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\setup_install.exe
                                        "C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\setup_install.exe"
                                        3⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        • Suspicious use of WriteProcessMemory
                                        PID:2908
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
                                          4⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:1012
                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
                                            5⤵
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1688
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                                          4⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:612
                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                                            5⤵
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3004
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c Thu061208181d570.exe
                                          4⤵
                                            PID:1156
                                            • C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu061208181d570.exe
                                              Thu061208181d570.exe
                                              5⤵
                                              • Executes dropped EXE
                                              • Checks SCSI registry key(s)
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious behavior: MapViewOfSection
                                              PID:2200
                                          • C:\Windows\SysWOW64\cmd.exe
                                            C:\Windows\system32\cmd.exe /c Thu0697928af5d.exe
                                            4⤵
                                              PID:1492
                                              • C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu0697928af5d.exe
                                                Thu0697928af5d.exe
                                                5⤵
                                                • Executes dropped EXE
                                                • Suspicious use of SetThreadContext
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2308
                                                • C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu0697928af5d.exe
                                                  C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu0697928af5d.exe
                                                  6⤵
                                                  • Executes dropped EXE
                                                  PID:4252
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c Thu062bb616f6c9ecd.exe
                                              4⤵
                                                PID:680
                                                • C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu062bb616f6c9ecd.exe
                                                  Thu062bb616f6c9ecd.exe
                                                  5⤵
                                                  • Executes dropped EXE
                                                  PID:1556
                                                  • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                    C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                    6⤵
                                                      PID:1372
                                                    • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                      C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                      6⤵
                                                      • Executes dropped EXE
                                                      PID:2412
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c Thu0677fae49be6e9f.exe
                                                  4⤵
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:1760
                                                  • C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu0677fae49be6e9f.exe
                                                    Thu0677fae49be6e9f.exe
                                                    5⤵
                                                    • Executes dropped EXE
                                                    PID:2112
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c Thu06678657f9aea.exe
                                                  4⤵
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:3604
                                                  • C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu06678657f9aea.exe
                                                    Thu06678657f9aea.exe
                                                    5⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2236
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c Thu0615aca5a753883.exe
                                                  4⤵
                                                    PID:516
                                                    • C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu0615aca5a753883.exe
                                                      Thu0615aca5a753883.exe
                                                      5⤵
                                                      • Executes dropped EXE
                                                      PID:3856
                                                      • C:\Users\Admin\AppData\Local\Temp\is-CPGFM.tmp\Thu0615aca5a753883.tmp
                                                        "C:\Users\Admin\AppData\Local\Temp\is-CPGFM.tmp\Thu0615aca5a753883.tmp" /SL5="$40084,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu0615aca5a753883.exe"
                                                        6⤵
                                                        • Executes dropped EXE
                                                        • Loads dropped DLL
                                                        PID:3904
                                                        • C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu0615aca5a753883.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu0615aca5a753883.exe" /SILENT
                                                          7⤵
                                                          • Executes dropped EXE
                                                          PID:1312
                                                          • C:\Users\Admin\AppData\Local\Temp\is-2I2PP.tmp\Thu0615aca5a753883.tmp
                                                            "C:\Users\Admin\AppData\Local\Temp\is-2I2PP.tmp\Thu0615aca5a753883.tmp" /SL5="$201E6,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu0615aca5a753883.exe" /SILENT
                                                            8⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Drops file in Program Files directory
                                                            • Suspicious use of FindShellTrayWindow
                                                            PID:3912
                                                            • C:\Users\Admin\AppData\Local\Temp\is-ONIJA.tmp\windllhost.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\is-ONIJA.tmp\windllhost.exe" 77
                                                              9⤵
                                                              • Executes dropped EXE
                                                              PID:4588
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    C:\Windows\system32\cmd.exe /c Thu06ed3d26eb519b0.exe
                                                    4⤵
                                                      PID:1348
                                                      • C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu06ed3d26eb519b0.exe
                                                        Thu06ed3d26eb519b0.exe
                                                        5⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:900
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          cmd.exe /c taskkill /f /im chrome.exe
                                                          6⤵
                                                            PID:4124
                                                            • C:\Windows\SysWOW64\taskkill.exe
                                                              taskkill /f /im chrome.exe
                                                              7⤵
                                                              • Kills process with taskkill
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:4396
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        C:\Windows\system32\cmd.exe /c Thu0602744b28ae2d2db.exe /mixtwo
                                                        4⤵
                                                          PID:1292
                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu0602744b28ae2d2db.exe
                                                            Thu0602744b28ae2d2db.exe /mixtwo
                                                            5⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of SetThreadContext
                                                            PID:1612
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c Thu062fe8848b58e2779.exe
                                                          4⤵
                                                            PID:884
                                                            • C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu062fe8848b58e2779.exe
                                                              Thu062fe8848b58e2779.exe
                                                              5⤵
                                                              • Executes dropped EXE
                                                              PID:3048
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            C:\Windows\system32\cmd.exe /c Thu06d1bf0b389.exe
                                                            4⤵
                                                              PID:988
                                                              • C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu06d1bf0b389.exe
                                                                Thu06d1bf0b389.exe
                                                                5⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of SetThreadContext
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:3936
                                                                • C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu06d1bf0b389.exe
                                                                  C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu06d1bf0b389.exe
                                                                  6⤵
                                                                  • Executes dropped EXE
                                                                  PID:4236
                                                                • C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu06d1bf0b389.exe
                                                                  C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu06d1bf0b389.exe
                                                                  6⤵
                                                                  • Executes dropped EXE
                                                                  PID:4416
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c Thu06df48f4827.exe
                                                              4⤵
                                                                PID:1284
                                                                • C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu06df48f4827.exe
                                                                  Thu06df48f4827.exe
                                                                  5⤵
                                                                  • Executes dropped EXE
                                                                  • Modifies registry class
                                                                  PID:1084
                                                                  • C:\Windows\SysWOW64\control.exe
                                                                    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\2qmCD.Cpl",
                                                                    6⤵
                                                                      PID:2020
                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\2qmCD.Cpl",
                                                                        7⤵
                                                                        • Loads dropped DLL
                                                                        PID:1172
                                                                        • C:\Windows\system32\RunDll32.exe
                                                                          C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\2qmCD.Cpl",
                                                                          8⤵
                                                                            PID:3416
                                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                                              "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\2qmCD.Cpl",
                                                                              9⤵
                                                                                PID:1612
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /c Thu06c6d0f15a.exe
                                                                      4⤵
                                                                        PID:3020
                                                                        • C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu06c6d0f15a.exe
                                                                          Thu06c6d0f15a.exe
                                                                          5⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:300
                                                                          • C:\Windows\system32\WerFault.exe
                                                                            C:\Windows\system32\WerFault.exe -u -p 300 -s 1404
                                                                            6⤵
                                                                            • Program crash
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:4112
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        C:\Windows\system32\cmd.exe /c Thu06dcf2a86fbc491.exe
                                                                        4⤵
                                                                          PID:3400
                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu06dcf2a86fbc491.exe
                                                                            Thu06dcf2a86fbc491.exe
                                                                            5⤵
                                                                            • Executes dropped EXE
                                                                            PID:3544
                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu06dcf2a86fbc491.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu06dcf2a86fbc491.exe" -u
                                                                              6⤵
                                                                              • Executes dropped EXE
                                                                              PID:1812
                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /c Thu06af883c80a1fc.exe
                                                                          4⤵
                                                                            PID:8
                                                                            • C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu06af883c80a1fc.exe
                                                                              Thu06af883c80a1fc.exe
                                                                              5⤵
                                                                              • Executes dropped EXE
                                                                              • Modifies registry class
                                                                              PID:2320
                                                                              • C:\Windows\SysWOW64\control.exe
                                                                                "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\2qmCD.Cpl",
                                                                                6⤵
                                                                                • Executes dropped EXE
                                                                                PID:1372
                                                                                • C:\Windows\SysWOW64\rundll32.exe
                                                                                  "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\2qmCD.Cpl",
                                                                                  7⤵
                                                                                  • Loads dropped DLL
                                                                                  PID:2276
                                                                                  • C:\Windows\system32\RunDll32.exe
                                                                                    C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\2qmCD.Cpl",
                                                                                    8⤵
                                                                                      PID:4960
                                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                                        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\2qmCD.Cpl",
                                                                                        9⤵
                                                                                        • Loads dropped DLL
                                                                                        PID:4996
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c Thu06a0ba6e94e8207d.exe
                                                                              4⤵
                                                                                PID:1584
                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu06a0ba6e94e8207d.exe
                                                                                  Thu06a0ba6e94e8207d.exe
                                                                                  5⤵
                                                                                  • Executes dropped EXE
                                                                                  • Loads dropped DLL
                                                                                  • Checks processor information in registry
                                                                                  PID:3548
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /c taskkill /im Thu06a0ba6e94e8207d.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu06a0ba6e94e8207d.exe" & del C:\ProgramData\*.dll & exit
                                                                                    6⤵
                                                                                      PID:3680
                                                                                      • C:\Windows\SysWOW64\taskkill.exe
                                                                                        taskkill /im Thu06a0ba6e94e8207d.exe /f
                                                                                        7⤵
                                                                                        • Kills process with taskkill
                                                                                        PID:2940
                                                                                      • C:\Windows\SysWOW64\timeout.exe
                                                                                        timeout /t 6
                                                                                        7⤵
                                                                                        • Delays execution with timeout.exe
                                                                                        PID:3196
                                                                          • C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu0602744b28ae2d2db.exe
                                                                            Thu0602744b28ae2d2db.exe /mixtwo
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            PID:1232
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              "C:\Windows\System32\cmd.exe" /c taskkill /im "Thu0602744b28ae2d2db.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS0C5384F5\Thu0602744b28ae2d2db.exe" & exit
                                                                              2⤵
                                                                                PID:2200
                                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                                  taskkill /im "Thu0602744b28ae2d2db.exe" /f
                                                                                  3⤵
                                                                                  • Kills process with taskkill
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:632
                                                                            • C:\Windows\system32\rundll32.exe
                                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                              1⤵
                                                                              • Process spawned unexpected child process
                                                                              PID:4344
                                                                              • C:\Windows\SysWOW64\rundll32.exe
                                                                                rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                2⤵
                                                                                • Loads dropped DLL
                                                                                • Modifies registry class
                                                                                PID:4388
                                                                            • C:\Windows\system32\LogonUI.exe
                                                                              "LogonUI.exe" /flags:0x0 /state0:0xa3ad3055 /state1:0x41c64e6d
                                                                              1⤵
                                                                              • Modifies data under HKEY_USERS
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:4572

                                                                            Network

                                                                                  MITRE ATT&CK Enterprise v6

                                                                                  Downloads

                                                                                  • memory/300-228-0x0000000001560000-0x0000000001566000-memory.dmp (Filesize 24KB)
                                                                                  • memory/300-225-0x0000000000F20000-0x0000000000F6A000-memory.dmp (Filesize 296KB)
                                                                                  • memory/300-259-0x00000000015A0000-0x00000000015A6000-memory.dmp (Filesize 24KB)
                                                                                  • memory/300-239-0x000000001BAE0000-0x000000001BAE2000-memory.dmp (Filesize 8KB)
                                                                                  • memory/300-223-0x0000000000F20000-0x0000000000F6A000-memory.dmp (Filesize 296KB)
                                                                                  • memory/300-233-0x0000000001570000-0x00000000015A6000-memory.dmp (Filesize 216KB)
                                                                                  • memory/356-346-0x000001B4A4FF0000-0x000001B4A4FF2000-memory.dmp (Filesize 8KB)
                                                                                  • memory/356-348-0x000001B4A4FF0000-0x000001B4A4FF2000-memory.dmp (Filesize 8KB)
                                                                                  • memory/960-366-0x000002388CAF0000-0x000002388CAF2000-memory.dmp (Filesize 8KB)
                                                                                  • memory/960-367-0x000002388CAF0000-0x000002388CAF2000-memory.dmp (Filesize 8KB)
                                                                                  • memory/1084-210-0x0000000000760000-0x0000000000761000-memory.dmp (Filesize 4KB)
                                                                                  • memory/1084-214-0x0000000000760000-0x0000000000761000-memory.dmp (Filesize 4KB)
                                                                                  • memory/1128-361-0x00000279923C0000-0x00000279923C2000-memory.dmp (Filesize 8KB)
                                                                                  • memory/1128-363-0x00000279923C0000-0x00000279923C2000-memory.dmp (Filesize 8KB)
                                                                                  • memory/1172-299-0x0000000005080000-0x000000002FA98000-memory.dmp (Filesize 682.1MB)
                                                                                  • memory/1212-374-0x0000021ED74C0000-0x0000021ED74C2000-memory.dmp (Filesize 8KB)
                                                                                  • memory/1212-375-0x0000021ED74C0000-0x0000021ED74C2000-memory.dmp (Filesize 8KB)
                                                                                  • memory/1232-218-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize 320KB)
                                                                                  • memory/1232-227-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize 320KB)
                                                                                  • memory/1312-264-0x0000000000400000-0x00000000004CC000-memory.dmp (Filesize 816KB)
                                                                                  • memory/1372-257-0x0000000000400000-0x0000000000455000-memory.dmp (Filesize 340KB)
                                                                                  • memory/1404-381-0x0000021B22DE0000-0x0000021B22DE2000-memory.dmp (Filesize 8KB)
                                                                                  • memory/1404-377-0x0000021B22DE0000-0x0000021B22DE2000-memory.dmp (Filesize 8KB)
                                                                                  • memory/1436-369-0x000001EB27A90000-0x000001EB27A92000-memory.dmp (Filesize 8KB)
                                                                                  • memory/1436-368-0x000001EB27A90000-0x000001EB27A92000-memory.dmp (Filesize 8KB)
                                                                                  • memory/1688-308-0x00000000077B0000-0x0000000007B00000-memory.dmp (Filesize 3.3MB)
                                                                                  • memory/1688-304-0x0000000007690000-0x00000000076F6000-memory.dmp (Filesize 408KB)
                                                                                  • memory/1688-265-0x00000000048F2000-0x00000000048F3000-memory.dmp (Filesize 4KB)
                                                                                  • memory/1688-263-0x00000000048F0000-0x00000000048F1000-memory.dmp (Filesize 4KB)
                                                                                  • memory/1688-261-0x0000000006F60000-0x0000000007588000-memory.dmp (Filesize 6.2MB)
                                                                                  • memory/1688-251-0x00000000047A0000-0x00000000047D6000-memory.dmp (Filesize 216KB)
                                                                                  • memory/1688-302-0x0000000006E80000-0x0000000006EA2000-memory.dmp (Filesize 136KB)
                                                                                  • memory/1688-232-0x0000000004330000-0x0000000004331000-memory.dmp (Filesize 4KB)
                                                                                  • memory/1688-230-0x0000000004330000-0x0000000004331000-memory.dmp (Filesize 4KB)
                                                                                  • memory/1688-376-0x0000000004330000-0x0000000004331000-memory.dmp (Filesize 4KB)
                                                                                  • memory/1688-307-0x0000000007700000-0x0000000007766000-memory.dmp (Filesize 408KB)
                                                                                  • memory/1828-372-0x00000199EB350000-0x00000199EB352000-memory.dmp (Filesize 8KB)
                                                                                  • memory/1828-373-0x00000199EB350000-0x00000199EB352000-memory.dmp (Filesize 8KB)
                                                                                  • memory/2200-244-0x0000000000910000-0x0000000000919000-memory.dmp (Filesize 36KB)
                                                                                  • memory/2200-268-0x0000000000400000-0x000000000083D000-memory.dmp (Filesize 4.2MB)
                                                                                  • memory/2200-243-0x0000000000030000-0x0000000000038000-memory.dmp (Filesize 32KB)
                                                                                  • memory/2236-196-0x000000001ADB0000-0x000000001ADB2000-memory.dmp (Filesize 8KB)
                                                                                  • memory/2236-177-0x00000000002F0000-0x00000000002F8000-memory.dmp (Filesize 32KB)
                                                                                  • memory/2236-181-0x00000000002F0000-0x00000000002F8000-memory.dmp (Filesize 32KB)
                                                                                  • memory/2276-297-0x0000000004BF0000-0x000000002F608000-memory.dmp (Filesize 682.1MB)
                                                                                  • memory/2308-238-0x0000000000570000-0x00000000005FC000-memory.dmp (Filesize 560KB)
                                                                                  • memory/2308-267-0x0000000004F00000-0x0000000004F01000-memory.dmp (Filesize 4KB)
                                                                                  • memory/2308-278-0x00000000027E0000-0x00000000027E1000-memory.dmp (Filesize 4KB)
                                                                                  • memory/2308-284-0x0000000002870000-0x000000000288E000-memory.dmp (Filesize 120KB)
                                                                                  • memory/2308-234-0x0000000000570000-0x00000000005FC000-memory.dmp (Filesize 560KB)
                                                                                  • memory/2308-275-0x0000000004E70000-0x0000000004EE6000-memory.dmp (Filesize 472KB)
                                                                                  • memory/2308-311-0x0000000005670000-0x0000000005B6E000-memory.dmp (Filesize 5.0MB)
                                                                                  • memory/2320-213-0x0000000002EA0000-0x0000000002EA1000-memory.dmp (Filesize 4KB)
                                                                                  • memory/2320-207-0x0000000002EA0000-0x0000000002EA1000-memory.dmp (Filesize 4KB)
                                                                                  • memory/2412-291-0x0000000000400000-0x000000000047C000-memory.dmp (Filesize 496KB)
                                                                                  • memory/2492-358-0x000001C3E3A70000-0x000001C3E3A72000-memory.dmp (Filesize 8KB)
                                                                                  • memory/2492-357-0x000001C3E3A70000-0x000001C3E3A72000-memory.dmp (Filesize 8KB)
                                                                                  • memory/2504-352-0x000001D475AB0000-0x000001D475AB2000-memory.dmp (Filesize 8KB)
                                                                                  • memory/2504-355-0x000001D475AB0000-0x000001D475AB2000-memory.dmp (Filesize 8KB)
                                                                                  • memory/2708-385-0x00000221951B0000-0x00000221951B2000-memory.dmp (Filesize 8KB)
                                                                                  • memory/2708-386-0x00000221951B0000-0x00000221951B2000-memory.dmp (Filesize 8KB)
                                                                                  • memory/2732-388-0x000002449E0F0000-0x000002449E0F2000-memory.dmp (Filesize 8KB)
                                                                                  • memory/2732-387-0x000002449E0F0000-0x000002449E0F2000-memory.dmp (Filesize 8KB)
                                                                                  • memory/2908-146-0x0000000064940000-0x0000000064959000-memory.dmp (Filesize 100KB)
                                                                                  • memory/2908-144-0x0000000064940000-0x0000000064959000-memory.dmp (Filesize 100KB)
                                                                                  • memory/2908-134-0x000000006B440000-0x000000006B4CF000-memory.dmp (Filesize 572KB)
                                                                                  • memory/2908-147-0x0000000064940000-0x0000000064959000-memory.dmp (Filesize 100KB)
                                                                                  • memory/2908-136-0x000000006B440000-0x000000006B4CF000-memory.dmp (Filesize 572KB)
                                                                                  • memory/2908-137-0x000000006FE40000-0x000000006FFC6000-memory.dmp (Filesize 1.5MB)
                                                                                  • memory/2908-145-0x0000000064940000-0x0000000064959000-memory.dmp (Filesize 100KB)
                                                                                  • memory/2908-138-0x000000006FE40000-0x000000006FFC6000-memory.dmp (Filesize 1.5MB)
                                                                                  • memory/2908-135-0x000000006B440000-0x000000006B4CF000-memory.dmp (Filesize 572KB)
                                                                                  • memory/2908-141-0x000000006B280000-0x000000006B2A6000-memory.dmp (Filesize 152KB)
                                                                                  • memory/2908-140-0x000000006FE40000-0x000000006FFC6000-memory.dmp (Filesize 1.5MB)
                                                                                  • memory/2908-139-0x000000006FE40000-0x000000006FFC6000-memory.dmp (Filesize 1.5MB)

                                                                                  • memory/2920-341-0x000002281F0E0000-0x000002281F0E2000-memory.dmp

                                                                                    Filesize

                                                                                    8KB

                                                                                  • memory/2920-339-0x000002281F0E0000-0x000002281F0E2000-memory.dmp

                                                                                    Filesize

                                                                                    8KB

                                                                                  • memory/3004-305-0x0000000007D50000-0x0000000007DB6000-memory.dmp

                                                                                    Filesize

                                                                                    408KB

                                                                                  • memory/3004-271-0x0000000006EF2000-0x0000000006EF3000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                  • memory/3004-229-0x00000000031D0000-0x00000000031D1000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                  • memory/3004-309-0x0000000007DC0000-0x0000000008110000-memory.dmp

                                                                                    Filesize

                                                                                    3.3MB

                                                                                  • memory/3004-262-0x0000000006EF0000-0x0000000006EF1000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                  • memory/3004-379-0x00000000031D0000-0x00000000031D1000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                  • memory/3004-260-0x0000000007530000-0x0000000007B58000-memory.dmp

                                                                                    Filesize

                                                                                    6.2MB

                                                                                  • memory/3004-301-0x0000000007500000-0x0000000007522000-memory.dmp

                                                                                    Filesize

                                                                                    136KB

                                                                                  • memory/3004-254-0x0000000006EA0000-0x0000000006ED6000-memory.dmp

                                                                                    Filesize

                                                                                    216KB

                                                                                  • memory/3004-231-0x00000000031D0000-0x00000000031D1000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                  • memory/3004-306-0x0000000007C10000-0x0000000007C76000-memory.dmp

                                                                                    Filesize

                                                                                    408KB

                                                                                  • memory/3060-287-0x0000000000460000-0x0000000000476000-memory.dmp

                                                                                    Filesize

                                                                                    88KB

                                                                                  • memory/3548-241-0x00000000009C0000-0x0000000000B0A000-memory.dmp

                                                                                    Filesize

                                                                                    1.3MB

                                                                                  • memory/3548-242-0x0000000000DD0000-0x0000000000EA5000-memory.dmp

                                                                                    Filesize

                                                                                    852KB

                                                                                  • memory/3548-270-0x0000000000400000-0x00000000008B0000-memory.dmp

                                                                                    Filesize

                                                                                    4.7MB

                                                                                  • memory/3624-333-0x000001F8337E0000-0x000001F8337E2000-memory.dmp

                                                                                    Filesize

                                                                                    8KB

                                                                                  • memory/3624-336-0x000001F8337E0000-0x000001F8337E2000-memory.dmp

                                                                                    Filesize

                                                                                    8KB

                                                                                  • memory/3856-215-0x0000000000400000-0x00000000004CC000-memory.dmp

                                                                                    Filesize

                                                                                    816KB

                                                                                  • memory/3904-236-0x0000000000780000-0x0000000000781000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                  • memory/3912-280-0x0000000000690000-0x000000000073E000-memory.dmp

                                                                                    Filesize

                                                                                    696KB

                                                                                  • memory/3936-266-0x0000000005320000-0x0000000005321000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                  • memory/3936-274-0x0000000005160000-0x00000000051D6000-memory.dmp

                                                                                    Filesize

                                                                                    472KB

                                                                                  • memory/3936-279-0x00000000050C0000-0x00000000050C1000-memory.dmp

                                                                                    Filesize

                                                                                    4KB

                                                                                  • memory/3936-240-0x00000000008F0000-0x000000000097C000-memory.dmp

                                                                                    Filesize

                                                                                    560KB

                                                                                  • memory/3936-283-0x0000000005140000-0x000000000515E000-memory.dmp

                                                                                    Filesize

                                                                                    120KB

                                                                                  • memory/3936-235-0x00000000008F0000-0x000000000097C000-memory.dmp

                                                                                    Filesize

                                                                                    560KB

                                                                                  • memory/3936-310-0x0000000005A30000-0x0000000005F2E000-memory.dmp

                                                                                    Filesize

                                                                                    5.0MB

                                                                                  • memory/4252-320-0x0000000005A80000-0x0000000006086000-memory.dmp

                                                                                    Filesize

                                                                                    6.0MB

                                                                                  • memory/4252-314-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                    Filesize

                                                                                    128KB

                                                                                  • memory/4252-316-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                    Filesize

                                                                                    128KB

                                                                                  • memory/4252-318-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                    Filesize

                                                                                    128KB

                                                                                  • memory/4252-324-0x00000000054C0000-0x00000000054D2000-memory.dmp

                                                                                    Filesize

                                                                                    72KB

                                                                                  • memory/4388-319-0x0000000004860000-0x00000000048BD000-memory.dmp

                                                                                    Filesize

                                                                                    372KB

                                                                                  • memory/4388-317-0x00000000048FA000-0x00000000049FB000-memory.dmp

                                                                                    Filesize

                                                                                    1.0MB

                                                                                  • memory/4416-321-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                    Filesize

                                                                                    128KB

                                                                                  • memory/4416-323-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                    Filesize

                                                                                    128KB

                                                                                  • memory/4416-327-0x0000000005340000-0x0000000005946000-memory.dmp

                                                                                    Filesize

                                                                                    6.0MB

                                                                                  • memory/4416-325-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                    Filesize

                                                                                    128KB

                                                                                  • memory/4704-344-0x000001FE8B020000-0x000001FE8B022000-memory.dmp

                                                                                    Filesize

                                                                                    8KB

                                                                                  • memory/4704-406-0x000001FE8B020000-0x000001FE8B022000-memory.dmp

                                                                                    Filesize

                                                                                    8KB

                                                                                  • memory/4704-342-0x000001FE8B020000-0x000001FE8B022000-memory.dmp

                                                                                    Filesize

                                                                                    8KB