Analysis

  • max time kernel
    166s
  • max time network
    181s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    23/12/2021, 13:28

General

  • Target

    505f245edc689a2530dac91a3a340131cc850aa5bc18319eca1f9b2614cd816d.exe

  • Size

    7.4MB

  • MD5

    75d915c4258d104ae9cbeaf3e4f6070a

  • SHA1

    dfb15bc0f3bfbf3ce6db50f7fab7f27218d2b3e2

  • SHA256

    505f245edc689a2530dac91a3a340131cc850aa5bc18319eca1f9b2614cd816d

  • SHA512

    4b69ba74e1c5cebcb8d4d44f083e532d7fca2d3b03d589afc3f76efd99bd93434b6269c8afce383ea18a61193a9fbbeecd68329bffd32d34d10f3fc1ec7fc922

Malware Config

Extracted

Family

socelars

C2

http://www.biohazardgraphics.com/

Extracted

Family

vidar

Version

49.2

Botnet

915

C2

https://mstdn.social/@kipriauk9

https://qoto.org/@kipriauk8

Attributes
  • profile_id

    915

Extracted

Family

smokeloader

Version

2020

C2

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

userv1

C2

159.69.246.184:13127

Extracted

Family

redline

Botnet

media22ns

C2

65.108.69.168:13293

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 10 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 2 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 5 IoCs
  • Vidar Stealer 2 IoCs
  • ASPack v2.12-2.42 7 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Downloads MZ/PE file
  • Executes dropped EXE 39 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 14 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 2 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\505f245edc689a2530dac91a3a340131cc850aa5bc18319eca1f9b2614cd816d.exe
    "C:\Users\Admin\AppData\Local\Temp\505f245edc689a2530dac91a3a340131cc850aa5bc18319eca1f9b2614cd816d.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3728
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1352
      • C:\Users\Admin\AppData\Local\Temp\7zS845CE226\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS845CE226\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:588
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:872
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2648
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1268
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1500
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu012dabb74f235.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1196
          • C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu012dabb74f235.exe
            Thu012dabb74f235.exe
            5⤵
            • Executes dropped EXE
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            PID:940
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu01d09b231f9424582.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:600
          • C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu01d09b231f9424582.exe
            Thu01d09b231f9424582.exe
            5⤵
            • Executes dropped EXE
            PID:4004
            • C:\Windows\SysWOW64\msiexec.exe
              "C:\Windows\System32\msiexec.exe" -Y .\ScIxVO.XLP
              6⤵
              • Loads dropped DLL
              PID:4356
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu014d73a06a76eb966.exe
          4⤵
          PID:3672
          • C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu014d73a06a76eb966.exe
            Thu014d73a06a76eb966.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:3332
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /c taskkill /f /im chrome.exe
              6⤵
              PID:4928
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im chrome.exe
                7⤵
                • Kills process with taskkill
                PID:4592
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu015101b6b1a49.exe
          4⤵
          PID:2896
          • C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu015101b6b1a49.exe
            Thu015101b6b1a49.exe
            5⤵
            • Executes dropped EXE
            PID:3088
            • C:\Windows\SysWOW64\regsvr32.exe
              "C:\Windows\System32\regsvr32.exe" -u .\meE3RM.036 /s
              6⤵
              • Loads dropped DLL
              PID:1996
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu012951243e343.exe
          4⤵
          PID:3200
          • C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu012951243e343.exe
            Thu012951243e343.exe
            5⤵
            • Executes dropped EXE
            PID:1688
            • C:\Users\Admin\AppData\Local\Temp\is-NBBBG.tmp\Thu012951243e343.tmp
              "C:\Users\Admin\AppData\Local\Temp\is-NBBBG.tmp\Thu012951243e343.tmp" /SL5="$200D4,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu012951243e343.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:1512
              • C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu012951243e343.exe
                "C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu012951243e343.exe" /SILENT
                7⤵
                • Executes dropped EXE
                PID:3856
                • C:\Users\Admin\AppData\Local\Temp\is-4QPQH.tmp\Thu012951243e343.tmp
                  "C:\Users\Admin\AppData\Local\Temp\is-4QPQH.tmp\Thu012951243e343.tmp" /SL5="$10214,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu012951243e343.exe" /SILENT
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in Program Files directory
                  • Suspicious use of FindShellTrayWindow
                  PID:1760
                  • C:\Users\Admin\AppData\Local\Temp\is-45EUT.tmp\windllhost.exe
                    "C:\Users\Admin\AppData\Local\Temp\is-45EUT.tmp\windllhost.exe" 77
                    9⤵
                    • Executes dropped EXE
                    PID:4648
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu018a118270396e.exe
          4⤵
          PID:3212
          • C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu018a118270396e.exe
            Thu018a118270396e.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2952
            • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
              "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
              6⤵
              • Executes dropped EXE
              PID:3996
              • C:\Users\Admin\AppData\Local\Temp\myamrnewfile.exe
                "C:\Users\Admin\AppData\Local\Temp\myamrnewfile.exe"
                7⤵
                • Executes dropped EXE
                PID:4176
              • C:\Users\Admin\AppData\Local\Temp\RobCleanerInstll31827.exe
                "C:\Users\Admin\AppData\Local\Temp\RobCleanerInstll31827.exe"
                7⤵
                • Executes dropped EXE
                PID:4256
                • C:\Users\Admin\AppData\Local\54120af6-ecdb-4a05-88dd-ef727407a05d.exe
                  "C:\Users\Admin\AppData\Local\54120af6-ecdb-4a05-88dd-ef727407a05d.exe"
                  8⤵
                  • Executes dropped EXE
                  PID:4892
                • C:\Users\Admin\AppData\Local\b34988ff-e4ee-413b-8a4f-a17e07d95102.exe
                  "C:\Users\Admin\AppData\Local\b34988ff-e4ee-413b-8a4f-a17e07d95102.exe"
                  8⤵
                  • Executes dropped EXE
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  PID:4952
                • C:\Users\Admin\AppData\Local\edb34d35-9c4c-4405-9cdf-fd9159ccf732.exe
                  "C:\Users\Admin\AppData\Local\edb34d35-9c4c-4405-9cdf-fd9159ccf732.exe"
                  8⤵
                  • Executes dropped EXE
                  PID:4160
                  • C:\Users\Admin\AppData\Roaming\8788918.exe
                    "C:\Users\Admin\AppData\Roaming\8788918.exe"
                    9⤵
                    PID:4528
              • C:\Users\Admin\AppData\Local\Temp\DisgruntleMezzanines_2021-12-22_21-08.exe
                "C:\Users\Admin\AppData\Local\Temp\DisgruntleMezzanines_2021-12-22_21-08.exe"
                7⤵
                • Executes dropped EXE
                PID:4384
              • C:\Users\Admin\AppData\Local\Temp\inst.exe
                "C:\Users\Admin\AppData\Local\Temp\inst.exe"
                7⤵
                • Executes dropped EXE
                PID:4508
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu01d121fa6676bc58.exe
          4⤵
          PID:3196
          • C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu01d121fa6676bc58.exe
            Thu01d121fa6676bc58.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks processor information in registry
            PID:1908
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu0123974f80d835.exe
          4⤵
          PID:368
          • C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu0123974f80d835.exe
            Thu0123974f80d835.exe
            5⤵
            • Executes dropped EXE
            PID:3012
            • C:\Users\Admin\AppData\Local\Temp\11111.exe
              C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              6⤵
              • Executes dropped EXE
              PID:2264
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu01ce98a741.exe /mixtwo
          4⤵
          PID:2236
          • C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu01ce98a741.exe
            Thu01ce98a741.exe /mixtwo
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            PID:2392
            • C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu01ce98a741.exe
              Thu01ce98a741.exe /mixtwo
              6⤵
              • Executes dropped EXE
              PID:620
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c taskkill /im "Thu01ce98a741.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu01ce98a741.exe" & exit
                7⤵
                PID:4264
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /im "Thu01ce98a741.exe" /f
                  8⤵
                  • Kills process with taskkill
                  PID:4488
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu014c2c6a2c2649dfc.exe
          4⤵
          PID:2968
          • C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu014c2c6a2c2649dfc.exe
            Thu014c2c6a2c2649dfc.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            PID:1772
            • C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu014c2c6a2c2649dfc.exe
              C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu014c2c6a2c2649dfc.exe
              6⤵
              • Executes dropped EXE
              PID:3168
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu01f6404750c.exe
          4⤵
          PID:4060
          • C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu01f6404750c.exe
            Thu01f6404750c.exe
            5⤵
            • Executes dropped EXE
            • Checks computer location settings
            PID:1612
            • C:\Users\Admin\Pictures\Adobe Films\n9n8FCXdUOWMRw7SljKrHR5H.exe
              "C:\Users\Admin\Pictures\Adobe Films\n9n8FCXdUOWMRw7SljKrHR5H.exe"
              6⤵
              • Executes dropped EXE
              PID:4392
            • C:\Users\Admin\Pictures\Adobe Films\J5h1FJZuTQO53Q21fePsad8X.exe
              "C:\Users\Admin\Pictures\Adobe Films\J5h1FJZuTQO53Q21fePsad8X.exe"
              6⤵
              PID:4340
            • C:\Users\Admin\Pictures\Adobe Films\fsadlhBhlVJz9vhksbfs7tTn.exe
              "C:\Users\Admin\Pictures\Adobe Films\fsadlhBhlVJz9vhksbfs7tTn.exe"
              6⤵
              PID:4840
            • C:\Users\Admin\Pictures\Adobe Films\zO36AgPSg_mVHYPciONd_dEB.exe
              "C:\Users\Admin\Pictures\Adobe Films\zO36AgPSg_mVHYPciONd_dEB.exe"
              6⤵
              PID:4656
            • C:\Users\Admin\Pictures\Adobe Films\AvTXQ2BcltWY3dabMfWjLyLa.exe
              "C:\Users\Admin\Pictures\Adobe Films\AvTXQ2BcltWY3dabMfWjLyLa.exe"
              6⤵
              PID:4608
            • C:\Users\Admin\Pictures\Adobe Films\XchFeVfPlVggcEeQP8YXbEJt.exe
              "C:\Users\Admin\Pictures\Adobe Films\XchFeVfPlVggcEeQP8YXbEJt.exe"
              6⤵
              PID:4344
            • C:\Users\Admin\Pictures\Adobe Films\Wvjgt1pU3NWKkT1GxT5Q6lU9.exe
              "C:\Users\Admin\Pictures\Adobe Films\Wvjgt1pU3NWKkT1GxT5Q6lU9.exe"
              6⤵
              PID:1260
            • C:\Users\Admin\Pictures\Adobe Films\Ov0953KfTAoJ3gawul5YF6QV.exe
              "C:\Users\Admin\Pictures\Adobe Films\Ov0953KfTAoJ3gawul5YF6QV.exe"
              6⤵
              PID:3228
            • C:\Users\Admin\Pictures\Adobe Films\HO5u8ky03L_5jjoL0rQclym9.exe
              "C:\Users\Admin\Pictures\Adobe Films\HO5u8ky03L_5jjoL0rQclym9.exe"
              6⤵
              PID:1812
            • C:\Users\Admin\Pictures\Adobe Films\kWeNCFDHYDl5eSgyzy3pEcvh.exe
              "C:\Users\Admin\Pictures\Adobe Films\kWeNCFDHYDl5eSgyzy3pEcvh.exe"
              6⤵
              PID:1988
            • C:\Users\Admin\Pictures\Adobe Films\S2StLBAaX9OE4aBj6isgAuir.exe
              "C:\Users\Admin\Pictures\Adobe Films\S2StLBAaX9OE4aBj6isgAuir.exe"
              6⤵
              PID:4680
            • C:\Users\Admin\Pictures\Adobe Films\vg_RwI42FPCyl6B6GmEIuuko.exe
              "C:\Users\Admin\Pictures\Adobe Films\vg_RwI42FPCyl6B6GmEIuuko.exe"
              6⤵
              PID:4640
            • C:\Users\Admin\Pictures\Adobe Films\ntHDIvX3oiWJicLCkULEwEyv.exe
              "C:\Users\Admin\Pictures\Adobe Films\ntHDIvX3oiWJicLCkULEwEyv.exe"
              6⤵
              PID:1076
            • C:\Users\Admin\Pictures\Adobe Films\orFlJWxeN2z_AjOjtyzTDVfz.exe
              "C:\Users\Admin\Pictures\Adobe Films\orFlJWxeN2z_AjOjtyzTDVfz.exe"
              6⤵
              PID:2552
            • C:\Users\Admin\Pictures\Adobe Films\J18ADQ90kURJclOc7EJuYrEv.exe
              "C:\Users\Admin\Pictures\Adobe Films\J18ADQ90kURJclOc7EJuYrEv.exe"
              6⤵
              PID:4280
            • C:\Users\Admin\Pictures\Adobe Films\T8CHfyTKCygP5OiWEu1f1TCY.exe
              "C:\Users\Admin\Pictures\Adobe Films\T8CHfyTKCygP5OiWEu1f1TCY.exe"
              6⤵
              PID:5084
            • C:\Users\Admin\Pictures\Adobe Films\82bg_JRrBvNNQWxrUZD7JlyQ.exe
              "C:\Users\Admin\Pictures\Adobe Films\82bg_JRrBvNNQWxrUZD7JlyQ.exe"
              6⤵
              PID:2160
            • C:\Users\Admin\Pictures\Adobe Films\AUkyrg0ibSUC2C8jF77Wku6k.exe
              "C:\Users\Admin\Pictures\Adobe Films\AUkyrg0ibSUC2C8jF77Wku6k.exe"
              6⤵
              PID:3864
            • C:\Users\Admin\Pictures\Adobe Films\MVaeXpPX7zTuszsu_9u1QHRc.exe
              "C:\Users\Admin\Pictures\Adobe Films\MVaeXpPX7zTuszsu_9u1QHRc.exe"
              6⤵
              PID:2696
            • C:\Users\Admin\Pictures\Adobe Films\PFfIJyjMSs8s4SYICE_wAG0v.exe
              "C:\Users\Admin\Pictures\Adobe Films\PFfIJyjMSs8s4SYICE_wAG0v.exe"
              6⤵
              PID:3300
            • C:\Users\Admin\Pictures\Adobe Films\ABfOdMXZWSPXsQn_Rv8F0hhp.exe
              "C:\Users\Admin\Pictures\Adobe Films\ABfOdMXZWSPXsQn_Rv8F0hhp.exe"
              6⤵
              PID:64
            • C:\Users\Admin\Pictures\Adobe Films\nUNqun_MwD40ezPWPcDO0atB.exe
              "C:\Users\Admin\Pictures\Adobe Films\nUNqun_MwD40ezPWPcDO0atB.exe"
              6⤵
              PID:2112
            • C:\Users\Admin\Pictures\Adobe Films\qWoNYHH5fU_qubPANjXFcJOx.exe
              "C:\Users\Admin\Pictures\Adobe Films\qWoNYHH5fU_qubPANjXFcJOx.exe"
              6⤵
              PID:2412
            • C:\Users\Admin\Pictures\Adobe Films\WuqzU0lbSYqcEgG8tshZnh0O.exe
              "C:\Users\Admin\Pictures\Adobe Films\WuqzU0lbSYqcEgG8tshZnh0O.exe"
              6⤵
              PID:1188
            • C:\Users\Admin\Pictures\Adobe Films\3F7chUuhqWTBo8wwRPKj5nEO.exe
              "C:\Users\Admin\Pictures\Adobe Films\3F7chUuhqWTBo8wwRPKj5nEO.exe"
              6⤵
              PID:2116
            • C:\Users\Admin\Pictures\Adobe Films\M6NbF4C5nySHoddknH0LTDsX.exe
              "C:\Users\Admin\Pictures\Adobe Films\M6NbF4C5nySHoddknH0LTDsX.exe"
              6⤵
              PID:3980
            • C:\Users\Admin\Pictures\Adobe Films\MpdKjanU_QGwsyaQxFx2wG80.exe
              "C:\Users\Admin\Pictures\Adobe Films\MpdKjanU_QGwsyaQxFx2wG80.exe"
              6⤵
              PID:1472
            • C:\Users\Admin\Pictures\Adobe Films\QklOhKUL2HYSGwMeDK6plEVT.exe
              "C:\Users\Admin\Pictures\Adobe Films\QklOhKUL2HYSGwMeDK6plEVT.exe"
              6⤵
              PID:4988
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu01962e07748d83.exe
          4⤵
          PID:2832
          • C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu01962e07748d83.exe
            Thu01962e07748d83.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1972
            • C:\Users\Admin\AppData\Local\d0a819c5-b8aa-4d62-966b-d4a3fc042da9.exe
              "C:\Users\Admin\AppData\Local\d0a819c5-b8aa-4d62-966b-d4a3fc042da9.exe"
              6⤵
              • Executes dropped EXE
              PID:4028
            • C:\Users\Admin\AppData\Local\9bc718db-cc5b-4698-9672-50fcf3eb97fc.exe
              "C:\Users\Admin\AppData\Local\9bc718db-cc5b-4698-9672-50fcf3eb97fc.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              PID:2772
            • C:\Users\Admin\AppData\Local\6e2c8763-1beb-4954-b812-78e6820d1899.exe
              "C:\Users\Admin\AppData\Local\6e2c8763-1beb-4954-b812-78e6820d1899.exe"
              6⤵
              • Executes dropped EXE
              PID:1196
              • C:\Users\Admin\AppData\Roaming\4013528.exe
                "C:\Users\Admin\AppData\Roaming\4013528.exe"
                7⤵
                • Executes dropped EXE
                PID:2952
                • C:\Windows\SysWOW64\control.exe
                  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\ZO8YMp.CPL",
                  8⤵
                  PID:4064
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu01881e99136f4a24e.exe
          4⤵
          PID:2108
                                                                                              • C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu01881e99136f4a24e.exe
                                                                                                Thu01881e99136f4a24e.exe
                                                                                                5⤵
                                                                                                • Executes dropped EXE
                                                                                                PID:2436
                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c Thu01731c67595.exe
                                                                                              4⤵
                                                                                                PID:1536
                                                                                                • C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu01731c67595.exe
                                                                                                  Thu01731c67595.exe
                                                                                                  5⤵
                                                                                                  • Executes dropped EXE
                                                                                                  PID:3232
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu01731c67595.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu01731c67595.exe" -u
                                                                                                    6⤵
                                                                                                    • Executes dropped EXE
                                                                                                    PID:2636
                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c Thu01e094f5aa082baec.exe
                                                                                                4⤵
                                                                                                  PID:2428
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu01e094f5aa082baec.exe
                                                                                                    Thu01e094f5aa082baec.exe
                                                                                                    5⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious use of SetThreadContext
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:3992
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu01e094f5aa082baec.exe
                                                                                                      C:\Users\Admin\AppData\Local\Temp\7zS845CE226\Thu01e094f5aa082baec.exe
                                                                                                      6⤵
                                                                                                      • Executes dropped EXE
                                                                                                      PID:1584

                                                                                          Network

                                                                                                MITRE ATT&CK Enterprise v6

                                                                                                Downloads


                                                                                                • memory/2772-383-0x0000000075020000-0x00000000755A4000-memory.dmp

                                                                                                  Filesize

                                                                                                  5.5MB

                                                                                                • memory/2772-390-0x0000000075820000-0x0000000076B68000-memory.dmp

                                                                                                  Filesize

                                                                                                  19.3MB

                                                                                                • memory/2772-436-0x000000006E0A0000-0x000000006E0EB000-memory.dmp

                                                                                                  Filesize

                                                                                                  300KB

                                                                                                • memory/2772-304-0x0000000001310000-0x0000000001311000-memory.dmp

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                • memory/2772-299-0x00000000009E0000-0x0000000000A59000-memory.dmp

                                                                                                  Filesize

                                                                                                  484KB

                                                                                                • memory/2772-311-0x0000000001100000-0x000000000124A000-memory.dmp

                                                                                                  Filesize

                                                                                                  1.3MB

                                                                                                • memory/2772-322-0x0000000077540000-0x0000000077631000-memory.dmp

                                                                                                  Filesize

                                                                                                  964KB

                                                                                                • memory/2952-221-0x0000000000760000-0x0000000000768000-memory.dmp

                                                                                                  Filesize

                                                                                                  32KB

                                                                                                • memory/2952-234-0x0000000000FF0000-0x0000000000FF2000-memory.dmp

                                                                                                  Filesize

                                                                                                  8KB

                                                                                                • memory/2952-203-0x0000000000760000-0x0000000000768000-memory.dmp

                                                                                                  Filesize

                                                                                                  32KB

                                                                                                • memory/3040-289-0x0000000001470000-0x0000000001486000-memory.dmp

                                                                                                  Filesize

                                                                                                  88KB

                                                                                                • memory/3088-224-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                • memory/3088-213-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                • memory/3168-301-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/3168-318-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/3168-315-0x0000000000400000-0x0000000000420000-memory.dmp

                                                                                                  Filesize

                                                                                                  128KB

                                                                                                • memory/3856-266-0x0000000000400000-0x00000000004CC000-memory.dmp

                                                                                                  Filesize

                                                                                                  816KB

                                                                                                • memory/3992-246-0x0000000004C20000-0x0000000004C96000-memory.dmp

                                                                                                  Filesize

                                                                                                  472KB

                                                                                                • memory/3992-253-0x0000000004BF0000-0x0000000004C0E000-memory.dmp

                                                                                                  Filesize

                                                                                                  120KB

                                                                                                • memory/3992-223-0x00000000003A0000-0x000000000042C000-memory.dmp

                                                                                                  Filesize

                                                                                                  560KB

                                                                                                • memory/3992-228-0x00000000003A0000-0x000000000042C000-memory.dmp

                                                                                                  Filesize

                                                                                                  560KB

                                                                                                • memory/3992-283-0x00000000054A0000-0x000000000599E000-memory.dmp

                                                                                                  Filesize

                                                                                                  5.0MB

                                                                                                • memory/3992-248-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                • memory/3992-249-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                • memory/3996-307-0x0000000000C90000-0x0000000000DE0000-memory.dmp

                                                                                                  Filesize

                                                                                                  1.3MB

                                                                                                • memory/3996-302-0x0000000000C90000-0x0000000000DE0000-memory.dmp

                                                                                                  Filesize

                                                                                                  1.3MB

                                                                                                • memory/4176-337-0x00000000006C7000-0x00000000006F3000-memory.dmp

                                                                                                  Filesize

                                                                                                  176KB

                                                                                                • memory/4356-355-0x0000000000070000-0x0000000000071000-memory.dmp

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                • memory/4356-358-0x0000000000070000-0x0000000000071000-memory.dmp

                                                                                                  Filesize

                                                                                                  4KB

                                                                                                • memory/4952-418-0x0000000077540000-0x0000000077631000-memory.dmp

                                                                                                  Filesize

                                                                                                  964KB

                                                                                                • memory/4952-455-0x000000006E0A0000-0x000000006E0EB000-memory.dmp

                                                                                                  Filesize

                                                                                                  300KB

                                                                                                • memory/4952-444-0x0000000075820000-0x0000000076B68000-memory.dmp

                                                                                                  Filesize

                                                                                                  19.3MB

                                                                                                • memory/4952-439-0x0000000075020000-0x00000000755A4000-memory.dmp

                                                                                                  Filesize

                                                                                                  5.5MB

                                                                                                • memory/4952-422-0x0000000070CD0000-0x0000000070D50000-memory.dmp

                                                                                                  Filesize

                                                                                                  512KB

                                                                                                • memory/4952-410-0x0000000074860000-0x0000000074A22000-memory.dmp

                                                                                                  Filesize

                                                                                                  1.8MB

                                                                                                • memory/4952-401-0x0000000000020000-0x0000000000099000-memory.dmp

                                                                                                  Filesize

                                                                                                  484KB

                                                                                                • memory/4952-402-0x00000000000E0000-0x00000000000E1000-memory.dmp

                                                                                                  Filesize

                                                                                                  4KB