Analysis

  • max time kernel
    122s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    23/12/2021, 13:27

General

  • Target

    2cf4059fbbb6c4a47cb245974bd7a7ef8702c4ebf30b8e18439b1930088b773e.exe

  • Size

    7.0MB

  • MD5

    e3377587921b08dbf82f1c517c46c771

  • SHA1

    d6a64cfc0d0965a2138c1711db9068c05edbbf99

  • SHA256

    2cf4059fbbb6c4a47cb245974bd7a7ef8702c4ebf30b8e18439b1930088b773e

  • SHA512

    a35bc53bb085406e65258fd9493c447b1b555fb292b8629832d23a49f55cb8c684c19c601187bc1062b19405d3260773874f98fb0338d8f82e612efc127a869e

Malware Config

Extracted

  • Family
    socelars
  • C2
    http://www.biohazardgraphics.com/

Extracted

  • Family
    vidar
  • Version
    49.2
  • Botnet
    915
  • C2
    https://mstdn.social/@kipriauk9
    https://qoto.org/@kipriauk8
  • Attributes
    • profile_id
      915

Extracted

  • Family
    smokeloader
  • Version
    2020
  • C2
    http://rcacademy.at/upload/
    http://e-lanpengeonline.com/upload/
    http://vjcmvz.cn/upload/
    http://galala.ru/upload/
    http://witra.ru/upload/
  • rc4.i32
  • rc4.i32

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers.

  • Nirsoft 3 IoCs
  • Vidar Stealer 2 IoCs
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42.

  • Downloads MZ/PE file
  • Executes dropped EXE 32 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in System32 directory 5 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 19 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:464
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:868
        • C:\Windows\system32\wbem\WMIADAP.EXE
          wmiadap.exe /F /T /R
          3⤵
            PID:2332
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k SystemNetworkService
          2⤵
          • Drops file in System32 directory
          • Checks processor information in registry
          • Modifies data under HKEY_USERS
          • Modifies registry class
          PID:1612
      • C:\Users\Admin\AppData\Local\Temp\2cf4059fbbb6c4a47cb245974bd7a7ef8702c4ebf30b8e18439b1930088b773e.exe
        "C:\Users\Admin\AppData\Local\Temp\2cf4059fbbb6c4a47cb245974bd7a7ef8702c4ebf30b8e18439b1930088b773e.exe"
        1⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:288
        • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
          "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:460
          • C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\setup_install.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\setup_install.exe"
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1320
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
              4⤵
                PID:1492
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:996
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                4⤵
                  PID:1552
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                    5⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1580
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c Thu0496e1dd7fba63.exe /mixtwo
                  4⤵
                  • Loads dropped DLL
                  PID:1296
                  • C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu0496e1dd7fba63.exe
                    Thu0496e1dd7fba63.exe /mixtwo
                    5⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Suspicious use of SetThreadContext
                    PID:676
                    • C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu0496e1dd7fba63.exe
                      Thu0496e1dd7fba63.exe /mixtwo
                      6⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      PID:1636
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c taskkill /im "Thu0496e1dd7fba63.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu0496e1dd7fba63.exe" & exit
                        7⤵
                          PID:2136
                          • C:\Windows\SysWOW64\taskkill.exe
                            taskkill /im "Thu0496e1dd7fba63.exe" /f
                            8⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2252
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Thu045bf6b666088d.exe
                    4⤵
                    • Loads dropped DLL
                    PID:744
                    • C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu045bf6b666088d.exe
                      Thu045bf6b666088d.exe
                      5⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious use of SetThreadContext
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1540
                      • C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu045bf6b666088d.exe
                        C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu045bf6b666088d.exe
                        6⤵
                        • Executes dropped EXE
                        PID:1828
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Thu047d85274a427.exe
                    4⤵
                    • Loads dropped DLL
                    PID:1000
                    • C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu047d85274a427.exe
                      Thu047d85274a427.exe
                      5⤵
                      • Executes dropped EXE
                      PID:1632
                      • C:\Users\Admin\AppData\Local\Temp\11111.exe
                        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                        6⤵
                        • Executes dropped EXE
                        PID:1296
                      • C:\Users\Admin\AppData\Local\Temp\11111.exe
                        C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                        6⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2196
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Thu0431d38e2544.exe
                    4⤵
                    • Loads dropped DLL
                    PID:968
                    • C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu0431d38e2544.exe
                      Thu0431d38e2544.exe
                      5⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      PID:1712
                      • C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu0431d38e2544.exe
                        "C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu0431d38e2544.exe" -u
                        6⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:392
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Thu0483c35fbf3ec8d.exe
                    4⤵
                    • Loads dropped DLL
                    PID:1628
                    • C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu0483c35fbf3ec8d.exe
                      Thu0483c35fbf3ec8d.exe
                      5⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1684
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Thu04eef50b2b35a1.exe
                    4⤵
                    • Loads dropped DLL
                    PID:1300
                    • C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu04eef50b2b35a1.exe
                      Thu04eef50b2b35a1.exe
                      5⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1080
                      • C:\Users\Admin\AppData\Local\d7a19ccc-06a7-4079-b832-3efabf0dfcb7.exe
                        "C:\Users\Admin\AppData\Local\d7a19ccc-06a7-4079-b832-3efabf0dfcb7.exe"
                        6⤵
                        • Executes dropped EXE
                        PID:2500
                      • C:\Users\Admin\AppData\Local\0c15e234-c5dd-491b-a6af-baedc601233b.exe
                        "C:\Users\Admin\AppData\Local\0c15e234-c5dd-491b-a6af-baedc601233b.exe"
                        6⤵
                        • Executes dropped EXE
                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                        PID:2688
                      • C:\Users\Admin\AppData\Local\ef53cf00-b2b1-4a46-a610-799d06df79ae.exe
                        "C:\Users\Admin\AppData\Local\ef53cf00-b2b1-4a46-a610-799d06df79ae.exe"
                        6⤵
                        • Executes dropped EXE
                        PID:2960
                        • C:\Users\Admin\AppData\Roaming\2140079.exe
                          "C:\Users\Admin\AppData\Roaming\2140079.exe"
                          7⤵
                            PID:1732
                            • C:\Windows\SysWOW64\control.exe
                              "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\ZO8YMp.CPL",
                              8⤵
                                PID:2816
                                • C:\Windows\SysWOW64\rundll32.exe
                                  "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\ZO8YMp.CPL",
                                  9⤵
                                    PID:2824
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c Thu04ab2fb4f7.exe
                          4⤵
                          • Loads dropped DLL
                          PID:1508
                          • C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu04ab2fb4f7.exe
                            Thu04ab2fb4f7.exe
                            5⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            PID:1112
                            • C:\Windows\SysWOW64\control.exe
                              "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\c33Ko.Cpl",
                              6⤵
                                PID:2980
                                • C:\Windows\SysWOW64\rundll32.exe
                                  "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\c33Ko.Cpl",
                                  7⤵
                                    PID:3020
                                    • C:\Windows\system32\RunDll32.exe
                                      C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\c33Ko.Cpl",
                                      8⤵
                                        PID:2100
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c Thu0442fc62eeb857aca.exe
                                4⤵
                                • Loads dropped DLL
                                PID:548
                                • C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu0442fc62eeb857aca.exe
                                  Thu0442fc62eeb857aca.exe
                                  5⤵
                                  • Executes dropped EXE
                                  • Checks computer location settings
                                  • Loads dropped DLL
                                  PID:1832
                                  • C:\Users\Admin\Pictures\Adobe Films\2oDk4WA3ddDaPKJgzVaB4gkW.exe
                                    "C:\Users\Admin\Pictures\Adobe Films\2oDk4WA3ddDaPKJgzVaB4gkW.exe"
                                    6⤵
                                    • Executes dropped EXE
                                    PID:2996
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1520
                                    6⤵
                                    • Program crash
                                    PID:760
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c Thu04a1df34ace0e8.exe
                                4⤵
                                • Loads dropped DLL
                                PID:892
                                • C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu04a1df34ace0e8.exe
                                  Thu04a1df34ace0e8.exe
                                  5⤵
                                  • Executes dropped EXE
                                  • Checks computer location settings
                                  • Loads dropped DLL
                                  PID:1032
                                  • C:\Users\Admin\Pictures\Adobe Films\0VSVLKL68tAbqnyvUcXozMPA.exe
                                    "C:\Users\Admin\Pictures\Adobe Films\0VSVLKL68tAbqnyvUcXozMPA.exe"
                                    6⤵
                                    • Executes dropped EXE
                                    PID:2724
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 1520
                                    6⤵
                                    • Program crash
                                    PID:2648
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c Thu04c109370946a.exe
                                4⤵
                                • Loads dropped DLL
                                PID:1920
                                • C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu04c109370946a.exe
                                  Thu04c109370946a.exe
                                  5⤵
                                  • Executes dropped EXE
                                  PID:1668
                                  • C:\Users\Admin\AppData\Local\Temp\is-5U7P2.tmp\Thu04c109370946a.tmp
                                    "C:\Users\Admin\AppData\Local\Temp\is-5U7P2.tmp\Thu04c109370946a.tmp" /SL5="$1017A,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu04c109370946a.exe"
                                    6⤵
                                    • Executes dropped EXE
                                    PID:2124
                                    • C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu04c109370946a.exe
                                      "C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu04c109370946a.exe" /SILENT
                                      7⤵
                                      • Executes dropped EXE
                                      PID:2348
                                      • C:\Users\Admin\AppData\Local\Temp\is-N313N.tmp\Thu04c109370946a.tmp
                                        "C:\Users\Admin\AppData\Local\Temp\is-N313N.tmp\Thu04c109370946a.tmp" /SL5="$2017A,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu04c109370946a.exe" /SILENT
                                        8⤵
                                        • Executes dropped EXE
                                        • Drops file in Program Files directory
                                        • Suspicious use of FindShellTrayWindow
                                        PID:2468
                                        • C:\Users\Admin\AppData\Local\Temp\is-KLQH6.tmp\windllhost.exe
                                          "C:\Users\Admin\AppData\Local\Temp\is-KLQH6.tmp\windllhost.exe" 77
                                          9⤵
                                          • Executes dropped EXE
                                          PID:3040
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c Thu04fb797f99fe7dae8.exe
                                4⤵
                                • Loads dropped DLL
                                PID:1900
                                • C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu04fb797f99fe7dae8.exe
                                  Thu04fb797f99fe7dae8.exe
                                  5⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  PID:1704
                                  • C:\Windows\SysWOW64\control.exe
                                    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\c33Ko.Cpl",
                                    6⤵
                                      PID:1544
                                      • C:\Windows\SysWOW64\rundll32.exe
                                        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\c33Ko.Cpl",
                                        7⤵
                                          PID:2424
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c Thu04865988bc.exe
                                    4⤵
                                    • Loads dropped DLL
                                    PID:1932
                                    • C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu04865988bc.exe
                                      Thu04865988bc.exe
                                      5⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Checks processor information in registry
                                      PID:652
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /c taskkill /im Thu04865988bc.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu04865988bc.exe" & del C:\ProgramData\*.dll & exit
                                        6⤵
                                          PID:2152
                                          • C:\Windows\SysWOW64\taskkill.exe
                                            taskkill /im Thu04865988bc.exe /f
                                            7⤵
                                            • Kills process with taskkill
                                            PID:2436
                                          • C:\Windows\SysWOW64\timeout.exe
                                            timeout /t 6
                                            7⤵
                                            • Delays execution with timeout.exe
                                            PID:1996
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c Thu046f48ffab4707f.exe
                                      4⤵
                                      • Loads dropped DLL
                                      PID:1904
                                      • C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu046f48ffab4707f.exe
                                        Thu046f48ffab4707f.exe
                                        5⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        • Modifies system certificate store
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1988
                                        • C:\Windows\SysWOW64\cmd.exe
                                          cmd.exe /c taskkill /f /im chrome.exe
                                          6⤵
                                            PID:2612
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /f /im chrome.exe
                                              7⤵
                                              • Kills process with taskkill
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2772
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c Thu04115bb33998ce.exe
                                        4⤵
                                        • Loads dropped DLL
                                        PID:896
                                        • C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu04115bb33998ce.exe
                                          Thu04115bb33998ce.exe
                                          5⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Checks SCSI registry key(s)
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious behavior: MapViewOfSection
                                          PID:1600
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c Thu0460219468fd5c220.exe
                                        4⤵
                                        • Loads dropped DLL
                                        PID:1764
                                        • C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu0460219468fd5c220.exe
                                          Thu0460219468fd5c220.exe
                                          5⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1944
                                          • C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu0460219468fd5c220.exe
                                            C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu0460219468fd5c220.exe
                                            6⤵
                                            • Executes dropped EXE
                                            PID:1020
                                          • C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu0460219468fd5c220.exe
                                            C:\Users\Admin\AppData\Local\Temp\7zSCC15B4F5\Thu0460219468fd5c220.exe
                                            6⤵
                                              PID:2644
                                  • C:\Windows\system32\rundll32.exe
                                    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                    1⤵
                                    • Process spawned unexpected child process
                                    PID:2600
                                    • C:\Windows\SysWOW64\rundll32.exe
                                      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                      2⤵
                                      • Modifies registry class
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2884

Network

MITRE ATT&CK Enterprise v6

Downloads


                                          Filesize

                                          572KB

                                        • memory/1320-95-0x0000000064940000-0x0000000064959000-memory.dmp

                                          Filesize

                                          100KB

                                        • memory/1320-86-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                          Filesize

                                          1.5MB

                                        • memory/1320-85-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                          Filesize

                                          572KB

                                        • memory/1320-89-0x0000000064940000-0x0000000064959000-memory.dmp

                                          Filesize

                                          100KB

                                        • memory/1320-84-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                          Filesize

                                          572KB

                                        • memory/1320-90-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                          Filesize

                                          1.5MB

                                        • memory/1320-91-0x0000000064940000-0x0000000064959000-memory.dmp

                                          Filesize

                                          100KB

                                        • memory/1320-88-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                          Filesize

                                          1.5MB

                                        • memory/1412-259-0x0000000002B00000-0x0000000002B16000-memory.dmp

                                          Filesize

                                          88KB

                                        • memory/1540-266-0x0000000000A40000-0x0000000000A41000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/1540-270-0x0000000000290000-0x0000000000291000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/1540-222-0x0000000001330000-0x00000000013BC000-memory.dmp

                                          Filesize

                                          560KB

                                        • memory/1540-220-0x0000000001330000-0x00000000013BC000-memory.dmp

                                          Filesize

                                          560KB

                                        • memory/1580-237-0x0000000001F71000-0x0000000001F72000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/1580-224-0x0000000001F70000-0x0000000001F71000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/1580-249-0x0000000001F72000-0x0000000001F74000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/1600-253-0x0000000000240000-0x0000000000248000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/1600-254-0x0000000000250000-0x0000000000259000-memory.dmp

                                          Filesize

                                          36KB

                                        • memory/1600-255-0x0000000000400000-0x000000000083F000-memory.dmp

                                          Filesize

                                          4.2MB

                                        • memory/1612-327-0x0000000000190000-0x00000000001AB000-memory.dmp

                                          Filesize

                                          108KB

                                        • memory/1612-332-0x00000000032A0000-0x00000000033A5000-memory.dmp

                                          Filesize

                                          1.0MB

                                        • memory/1612-328-0x0000000001C50000-0x0000000001C79000-memory.dmp

                                          Filesize

                                          164KB

                                        • memory/1612-282-0x00000000004B0000-0x0000000000522000-memory.dmp

                                          Filesize

                                          456KB

                                        • memory/1636-184-0x0000000000400000-0x0000000000450000-memory.dmp

                                          Filesize

                                          320KB

                                        • memory/1636-183-0x0000000000400000-0x0000000000450000-memory.dmp

                                          Filesize

                                          320KB

                                        • memory/1636-202-0x0000000000400000-0x0000000000450000-memory.dmp

                                          Filesize

                                          320KB

                                        • memory/1636-188-0x0000000000400000-0x0000000000450000-memory.dmp

                                          Filesize

                                          320KB

                                        • memory/1668-215-0x0000000000400000-0x00000000004CC000-memory.dmp

                                          Filesize

                                          816KB

                                        • memory/1684-213-0x0000000000C50000-0x0000000000C58000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/1684-214-0x0000000000C50000-0x0000000000C58000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/1684-272-0x0000000000BB0000-0x0000000000BB2000-memory.dmp

                                          Filesize

                                          8KB

                                        • memory/1832-311-0x0000000004080000-0x00000000041CE000-memory.dmp

                                          Filesize

                                          1.3MB

                                        • memory/1944-271-0x00000000004C0000-0x00000000004C1000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/1944-219-0x0000000000060000-0x00000000000EC000-memory.dmp

                                          Filesize

                                          560KB

                                        • memory/1944-268-0x00000000009E0000-0x00000000009E1000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/1944-221-0x0000000000060000-0x00000000000EC000-memory.dmp

                                          Filesize

                                          560KB

                                        • memory/2124-235-0x0000000000270000-0x0000000000271000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/2196-232-0x0000000000400000-0x000000000047C000-memory.dmp

                                          Filesize

                                          496KB

                                        • memory/2348-244-0x0000000000400000-0x00000000004CC000-memory.dmp

                                          Filesize

                                          816KB

                                        • memory/2424-295-0x0000000000180000-0x0000000000181000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/2424-303-0x000000002DB60000-0x000000002DC16000-memory.dmp

                                          Filesize

                                          728KB

                                        • memory/2424-302-0x000000002D980000-0x000000002DA97000-memory.dmp

                                          Filesize

                                          1.1MB

                                        • memory/2468-250-0x0000000000270000-0x0000000000271000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/2500-294-0x0000000001120000-0x000000000116C000-memory.dmp

                                          Filesize

                                          304KB

                                        • memory/2500-296-0x0000000000370000-0x0000000000376000-memory.dmp

                                          Filesize

                                          24KB

                                        • memory/2500-293-0x0000000001120000-0x000000000116C000-memory.dmp

                                          Filesize

                                          304KB

                                        • memory/2500-308-0x0000000000640000-0x000000000068E000-memory.dmp

                                          Filesize

                                          312KB

                                        • memory/2688-301-0x00000000000A0000-0x00000000000E5000-memory.dmp

                                          Filesize

                                          276KB

                                        • memory/2884-279-0x0000000000250000-0x00000000002AD000-memory.dmp

                                          Filesize

                                          372KB

                                        • memory/2884-278-0x0000000001FF0000-0x00000000020F1000-memory.dmp

                                          Filesize

                                          1.0MB

                                        • memory/2960-312-0x0000000001200000-0x0000000001234000-memory.dmp

                                          Filesize

                                          208KB

                                        • memory/2960-316-0x0000000004A40000-0x0000000004A41000-memory.dmp

                                          Filesize

                                          4KB

                                        • memory/2960-314-0x0000000000540000-0x0000000000546000-memory.dmp

                                          Filesize

                                          24KB

                                        • memory/2960-313-0x0000000001200000-0x0000000001234000-memory.dmp

                                          Filesize

                                          208KB
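The dump names above follow one scheme, memory/PID-SEQ-0xSTART-0xEND-memory.dmp, and each Filesize is simply END minus START rendered as whole KB below 1 MiB and one-decimal MB above it. The following is an added triage helper, not code from the sandbox vendor or from this report: it parses that naming scheme, recomputes the size so it can be checked against the Filesize column, groups dumps per PID, and flags the regions an analyst opens first. The sample input is constructed from a handful of entries in the list above; the two address heuristics (0x400000 as the default 32-bit EXE image base, anything at or above 0x60000000 as a mapped DLL) are assumptions for illustration, not something the report states.

```python
import re
from collections import defaultdict

# Constructed sample input: dump names copied from the report entries above,
# one per line (the real list is much longer).
SAMPLE_DUMPS = """
memory/868-281-0x0000000000EA0000-0x0000000000F12000-memory.dmp
memory/996-233-0x0000000001F60000-0x0000000002BAA000-memory.dmp
memory/996-239-0x0000000001F60000-0x0000000002BAA000-memory.dmp
memory/1320-83-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1320-84-0x000000006B440000-0x000000006B4CF000-memory.dmp
memory/1600-255-0x0000000000400000-0x000000000083F000-memory.dmp
memory/1636-183-0x0000000000400000-0x0000000000450000-memory.dmp
"""

# Naming scheme as it appears in the report: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

PAGE = 0x1000                   # x86/x64 page size; every dump boundary in the report is page aligned
DEFAULT_IMAGE_BASE = 0x400000   # heuristic (assumption): default image base of a 32-bit EXE
HIGH_MODULE_BASE = 0x60000000   # heuristic (assumption): where mapped DLLs usually sit in a 32-bit process


def parse_dump_name(name):
    """Split a dump name into pid, sequence number, address range and byte size."""
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    if start % PAGE or end % PAGE:
        raise ValueError(f"range not page aligned in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Render a byte count the way the report's Filesize column does:
    one-decimal MB from 1 MiB upwards, whole KB below that."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def triage(text):
    """Parse all dump names, group them per PID and flag regions worth opening first."""
    by_pid = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            d = parse_dump_name(line)
            by_pid[d["pid"]].append(d)

    rows = []
    for pid in sorted(by_pid):
        first_seen = {}  # (start, end) -> seq of the first dump taken of that range
        for d in sorted(by_pid[pid], key=lambda x: x["seq"]):
            flags = []
            if d["start"] == DEFAULT_IMAGE_BASE:
                flags.append("image base: likely unpacked main module")
            elif d["start"] >= HIGH_MODULE_BASE:
                flags.append("high address: likely a mapped DLL")
            key = (d["start"], d["end"])
            if key in first_seen:
                flags.append(f"same range as seq {first_seen[key]} (compare contents)")
            else:
                first_seen[key] = d["seq"]
            rows.append({**d, "human": human_size(d["size"]), "flags": flags})
    return rows


def format_report(rows):
    """One line per dump: pid, seq, address range, size and flags."""
    return [f"{r['pid']:>5} {r['seq']:>4} 0x{r['start']:08X}-0x{r['end']:08X} {r['human']:>7}  "
            + "; ".join(r["flags"]) for r in rows]


if __name__ == "__main__":
    for line in format_report(triage(SAMPLE_DUMPS)):
        print(line)
```

Run against the full list, the recomputed sizes reproduce every Filesize value shown, which is a cheap sanity check that no entry was mangled in extraction. Repeated dumps of one range under the same PID (for example the four 0x400000-0x450000 dumps of PID 1636) are the ones to diff against each other, since a sandbox re-dumps a region when it sees it change.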