Analysis

  • max time kernel
    157s
  • max time network
    161s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    23/12/2021, 13:28

General

  • Target

    fe7904eb4e172b980f2bc5f53d13c6e350f9ebb315768c580fac558e46ad6ab0.exe

  • Size

    6.6MB

  • MD5

    5009e4267198fa693a9192883708cb50

  • SHA1

    c9d06bd5307a78531a3c2485212282374cdc3a1e

  • SHA256

    fe7904eb4e172b980f2bc5f53d13c6e350f9ebb315768c580fac558e46ad6ab0

  • SHA512

    e77491e5a26643db0930ad9eae20cd316170e6a4848e60815bc81755ea348b5b756f45ba0187da1ff971f9d8fa346397e6fda90aca151323d8950acf47234ba6

Malware Config

Extracted

Family

socelars

C2

http://www.biohazardgraphics.com/

Extracted

Family

vidar

Version

49.2

Botnet

915

C2

https://mstdn.social/@kipriauk9

https://qoto.org/@kipriauk8

Attributes
  • profile_id

    915

Extracted

Family

smokeloader

Version

2020

C2

http://rcacademy.at/upload/

http://e-lanpengeonline.com/upload/

http://vjcmvz.cn/upload/

http://galala.ru/upload/

http://witra.ru/upload/

rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

v3user1

C2

159.69.246.184:13127

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 4 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata: ET MALWARE ClipBanker Variant Activity (POST)

  • suricata: ET MALWARE GCleaner Downloader Activity M5

    suricata: ET MALWARE GCleaner Downloader Activity M5

  • suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

  • suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

    suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload

  • suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

    suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

  • suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

    suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

  • suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

    suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

  • Nirsoft 1 IoCs
  • Vidar Stealer 2 IoCs
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Downloads MZ/PE file
  • Executes dropped EXE 33 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in System32 directory 13 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 19 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:460
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:868
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:2156
    • C:\Users\Admin\AppData\Local\Temp\fe7904eb4e172b980f2bc5f53d13c6e350f9ebb315768c580fac558e46ad6ab0.exe
      "C:\Users\Admin\AppData\Local\Temp\fe7904eb4e172b980f2bc5f53d13c6e350f9ebb315768c580fac558e46ad6ab0.exe"
      1⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
        "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:428
        • C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\setup_install.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\setup_install.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1136
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            4⤵
              PID:1508
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
                5⤵
                  PID:1032
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                4⤵
                  PID:612
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                    5⤵
                      PID:1036
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Wed22d35f40ff505.exe
                    4⤵
                    • Loads dropped DLL
                    PID:984
                    • C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\Wed22d35f40ff505.exe
                      Wed22d35f40ff505.exe
                      5⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious use of SetThreadContext
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1732
                      • C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\Wed22d35f40ff505.exe
                        C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\Wed22d35f40ff505.exe
                        6⤵
                        • Executes dropped EXE
                        PID:1892
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Wed227cf84594c1ea5.exe
                    4⤵
                    • Loads dropped DLL
                    PID:1940
                    • C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\Wed227cf84594c1ea5.exe
                      Wed227cf84594c1ea5.exe
                      5⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      PID:620
                      • C:\Users\Admin\AppData\Local\Temp\is-15N55.tmp\Wed227cf84594c1ea5.tmp
                        "C:\Users\Admin\AppData\Local\Temp\is-15N55.tmp\Wed227cf84594c1ea5.tmp" /SL5="$101A4,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\Wed227cf84594c1ea5.exe"
                        6⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:2084
                        • C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\Wed227cf84594c1ea5.exe
                          "C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\Wed227cf84594c1ea5.exe" /SILENT
                          7⤵
                          • Executes dropped EXE
                          PID:2220
                          • C:\Users\Admin\AppData\Local\Temp\is-EPRBG.tmp\Wed227cf84594c1ea5.tmp
                            "C:\Users\Admin\AppData\Local\Temp\is-EPRBG.tmp\Wed227cf84594c1ea5.tmp" /SL5="$201C4,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\Wed227cf84594c1ea5.exe" /SILENT
                            8⤵
                            • Executes dropped EXE
                            • Drops file in Program Files directory
                            • Suspicious use of FindShellTrayWindow
                            PID:2392
                            • C:\Users\Admin\AppData\Local\Temp\is-L2F2A.tmp\windllhost.exe
                              "C:\Users\Admin\AppData\Local\Temp\is-L2F2A.tmp\windllhost.exe" 77
                              9⤵
                              • Executes dropped EXE
                              • Suspicious behavior: GetForegroundWindowSpam
                              PID:2192
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Wed2211cd6008.exe
                    4⤵
                    • Loads dropped DLL
                    • Suspicious use of WriteProcessMemory
                    PID:1620
                    • C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\Wed2211cd6008.exe
                      Wed2211cd6008.exe
                      5⤵
                      • Executes dropped EXE
                      • Checks computer location settings
                      • Loads dropped DLL
                      PID:1716
                      • C:\Users\Admin\Pictures\Adobe Films\TjptAMEIKnbAUT5bASz3LRUL.exe
                        "C:\Users\Admin\Pictures\Adobe Films\TjptAMEIKnbAUT5bASz3LRUL.exe"
                        6⤵
                        • Executes dropped EXE
                        PID:2840
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1520
                        6⤵
                        • Program crash
                        PID:2936
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Wed22cf3a6ba0d3.exe
                    4⤵
                    • Loads dropped DLL
                    PID:1748
                    • C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\Wed22cf3a6ba0d3.exe
                      Wed22cf3a6ba0d3.exe
                      5⤵
                      • Executes dropped EXE
                      • Checks computer location settings
                      • Loads dropped DLL
                      PID:1516
                      • C:\Users\Admin\Pictures\Adobe Films\Ze_6b1TnoxIrDWhYLg6hcU_v.exe
                        "C:\Users\Admin\Pictures\Adobe Films\Ze_6b1TnoxIrDWhYLg6hcU_v.exe"
                        6⤵
                        • Executes dropped EXE
                        PID:2508
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1016
                        6⤵
                        • Program crash
                        PID:2416
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Wed22596faf97465d38.exe /mixtwo
                    4⤵
                    • Loads dropped DLL
                    PID:540
                    • C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\Wed22596faf97465d38.exe
                      Wed22596faf97465d38.exe /mixtwo
                      5⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious use of SetThreadContext
                      PID:892
                      • C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\Wed22596faf97465d38.exe
                        Wed22596faf97465d38.exe /mixtwo
                        6⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:1060
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\System32\cmd.exe" /c taskkill /im "Wed22596faf97465d38.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\Wed22596faf97465d38.exe" & exit
                          7⤵
                            PID:2296
                            • C:\Windows\SysWOW64\taskkill.exe
                              taskkill /im "Wed22596faf97465d38.exe" /f
                              8⤵
                              • Kills process with taskkill
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2416
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c Wed225e927b7865013c.exe
                      4⤵
                      • Loads dropped DLL
                      PID:1564
                      • C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\Wed225e927b7865013c.exe
                        Wed225e927b7865013c.exe
                        5⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:572
                        • C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\Wed225e927b7865013c.exe
                          "C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\Wed225e927b7865013c.exe" -u
                          6⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          PID:1284
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c Wed228c7dd3fe03d3c.exe
                      4⤵
                      • Loads dropped DLL
                      PID:1984
                      • C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\Wed228c7dd3fe03d3c.exe
                        Wed228c7dd3fe03d3c.exe
                        5⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1688
                        • C:\Users\Admin\AppData\Local\0778153e-5478-4c44-8cba-505a125cc6b7.exe
                          "C:\Users\Admin\AppData\Local\0778153e-5478-4c44-8cba-505a125cc6b7.exe"
                          6⤵
                          • Executes dropped EXE
                          PID:1940
                        • C:\Users\Admin\AppData\Local\f24dffe7-9828-4d93-9c37-24808a50d35b.exe
                          "C:\Users\Admin\AppData\Local\f24dffe7-9828-4d93-9c37-24808a50d35b.exe"
                          6⤵
                          • Executes dropped EXE
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          PID:1344
                        • C:\Users\Admin\AppData\Local\8b545243-4bb8-4deb-a8ca-5a4ebea06d51.exe
                          "C:\Users\Admin\AppData\Local\8b545243-4bb8-4deb-a8ca-5a4ebea06d51.exe"
                          6⤵
                          • Executes dropped EXE
                          PID:2296
                          • C:\Users\Admin\AppData\Roaming\5128258.exe
                            "C:\Users\Admin\AppData\Roaming\5128258.exe"
                            7⤵
                            • Executes dropped EXE
                            PID:2360
                            • C:\Windows\SysWOW64\control.exe
                              "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\ZO8YMp.CPL",
                              8⤵
                                PID:3036
                                • C:\Windows\SysWOW64\rundll32.exe
                                  "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\ZO8YMp.CPL",
                                  9⤵
                                    PID:2480
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c Wed221ba60be731843eb.exe
                          4⤵
                            PID:1928
                            • C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\Wed221ba60be731843eb.exe
                              Wed221ba60be731843eb.exe
                              5⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2480
                              • C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\Wed221ba60be731843eb.exe
                                C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\Wed221ba60be731843eb.exe
                                6⤵
                                • Executes dropped EXE
                                PID:1624
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c Wed229ddeb1056.exe
                            4⤵
                            • Loads dropped DLL
                            PID:1152
                            • C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\Wed229ddeb1056.exe
                              Wed229ddeb1056.exe
                              5⤵
                              • Executes dropped EXE
                              • Loads dropped DLL
                              • Modifies system certificate store
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1828
                              • C:\Windows\SysWOW64\cmd.exe
                                cmd.exe /c taskkill /f /im chrome.exe
                                6⤵
                                  PID:2472
                                  • C:\Windows\SysWOW64\taskkill.exe
                                    taskkill /f /im chrome.exe
                                    7⤵
                                    • Kills process with taskkill
                                    PID:2120
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c Wed22274472def3fb3.exe
                              4⤵
                              • Loads dropped DLL
                              PID:1796
                              • C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\Wed22274472def3fb3.exe
                                Wed22274472def3fb3.exe
                                5⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Checks SCSI registry key(s)
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious behavior: MapViewOfSection
                                PID:316
                            • C:\Windows\SysWOW64\cmd.exe
                              C:\Windows\system32\cmd.exe /c Wed22b57237bfc4.exe
                              4⤵
                              • Loads dropped DLL
                              PID:1800
                              • C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\Wed22b57237bfc4.exe
                                Wed22b57237bfc4.exe
                                5⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Checks processor information in registry
                                PID:1756
                                • C:\Windows\SysWOW64\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /c taskkill /im Wed22b57237bfc4.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\Wed22b57237bfc4.exe" & del C:\ProgramData\*.dll & exit
                                  6⤵
                                    PID:2800
                                    • C:\Windows\SysWOW64\taskkill.exe
                                      taskkill /im Wed22b57237bfc4.exe /f
                                      7⤵
                                      • Kills process with taskkill
                                      PID:2220
                                    • C:\Windows\SysWOW64\timeout.exe
                                      timeout /t 6
                                      7⤵
                                      • Delays execution with timeout.exe
                                      PID:2524
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c Wed22ebb29f35f.exe
                                4⤵
                                • Loads dropped DLL
                                PID:1752
                                • C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\Wed22ebb29f35f.exe
                                  Wed22ebb29f35f.exe
                                  5⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1656
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c Wed22c842df8d53.exe
                                4⤵
                                • Loads dropped DLL
                                PID:1244
                                • C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\Wed22c842df8d53.exe
                                  Wed22c842df8d53.exe
                                  5⤵
                                  • Executes dropped EXE
                                  PID:884
                                  • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                    C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                    6⤵
                                    • Executes dropped EXE
                                    PID:2808
                                  • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                    C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                    6⤵
                                    • Executes dropped EXE
                                    PID:2836
                                  • C:\Windows\system32\WerFault.exe
                                    C:\Windows\system32\WerFault.exe -u -p 884 -s 444
                                    6⤵
                                    • Program crash
                                    PID:804
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c Wed227b5897db78e.exe
                                4⤵
                                • Loads dropped DLL
                                PID:1452
                              • C:\Windows\SysWOW64\cmd.exe
                                C:\Windows\system32\cmd.exe /c Wed22195b0576da.exe
                                4⤵
                                • Loads dropped DLL
                                PID:1692
  • C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\Wed22195b0576da.exe
    Wed22195b0576da.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:968
      • C:\Windows\SysWOW64\control.exe
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\W3QEGZJP.cpL",
        2⤵
          PID:2540
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\W3QEGZJP.cpL",
            3⤵
              PID:2676
              • C:\Windows\system32\RunDll32.exe
                C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\W3QEGZJP.cpL",
                4⤵
                  PID:2832
  • C:\Users\Admin\AppData\Local\Temp\7zSCA1C1E56\Wed227b5897db78e.exe
    Wed227b5897db78e.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:848
      • C:\Windows\SysWOW64\control.exe
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\W3QEGZJP.cpL",
        2⤵
          PID:3028
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\W3QEGZJP.cpL",
            3⤵
              PID:2104
              • C:\Windows\system32\RunDll32.exe
                C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\W3QEGZJP.cpL",
                4⤵
                  PID:2436
                  • C:\Windows\SysWOW64\rundll32.exe
                    "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\W3QEGZJP.cpL",
                    5⤵
                      PID:2704
  • C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    1⤵
    • Process spawned unexpected child process
    PID:3000
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
        2⤵
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:3012

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/316-219-0x0000000000400000-0x00000000004C9000-memory.dmp

    Filesize

    804KB

  • memory/316-218-0x0000000000230000-0x00000000002F9000-memory.dmp

    Filesize

    804KB

  • memory/316-216-0x0000000000970000-0x0000000000981000-memory.dmp

    Filesize

    68KB

  • memory/620-215-0x0000000000400000-0x00000000004CC000-memory.dmp

    Filesize

    816KB

  • memory/868-276-0x0000000001420000-0x000000000146D000-memory.dmp

    Filesize

    308KB

  • memory/868-277-0x00000000026A0000-0x0000000002712000-memory.dmp

    Filesize

    456KB

  • memory/1032-273-0x0000000001ED0000-0x0000000002B1A000-memory.dmp

    Filesize

    12.3MB

  • memory/1032-259-0x0000000001ED0000-0x0000000002B1A000-memory.dmp

    Filesize

    12.3MB

  • memory/1032-252-0x0000000001ED0000-0x0000000002B1A000-memory.dmp

    Filesize

    12.3MB

  • memory/1036-253-0x0000000001EF0000-0x0000000002B3A000-memory.dmp

    Filesize

    12.3MB

  • memory/1036-260-0x0000000001EF0000-0x0000000002B3A000-memory.dmp

    Filesize

    12.3MB

  • memory/1060-197-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/1060-183-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/1060-160-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/1060-162-0x0000000000400000-0x0000000000450000-memory.dmp

    Filesize

    320KB

  • memory/1136-91-0x0000000064940000-0x0000000064959000-memory.dmp

    Filesize

    100KB

  • memory/1136-92-0x0000000064940000-0x0000000064959000-memory.dmp

    Filesize

    100KB

  • memory/1136-96-0x000000006FE40000-0x000000006FFC6000-memory.dmp

    Filesize

    1.5MB

  • memory/1136-83-0x000000006B440000-0x000000006B4CF000-memory.dmp

    Filesize

    572KB

  • memory/1136-95-0x000000006B440000-0x000000006B4CF000-memory.dmp

    Filesize

    572KB

  • memory/1136-85-0x000000006B440000-0x000000006B4CF000-memory.dmp

    Filesize

    572KB

  • memory/1136-93-0x0000000064940000-0x0000000064959000-memory.dmp

    Filesize

                                              100KB

                                            • memory/1136-86-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                              Filesize

                                              1.5MB

                                            • memory/1136-94-0x0000000064940000-0x0000000064959000-memory.dmp

                                              Filesize

                                              100KB

                                            • memory/1136-97-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                              Filesize

                                              152KB

                                            • memory/1136-88-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                              Filesize

                                              1.5MB

                                            • memory/1136-84-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                              Filesize

                                              572KB

                                            • memory/1136-90-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                              Filesize

                                              152KB

                                            • memory/1136-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                              Filesize

                                              1.5MB

                                            • memory/1136-87-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                              Filesize

                                              1.5MB

                                            • memory/1208-235-0x00000000029E0000-0x00000000029F6000-memory.dmp

                                              Filesize

                                              88KB

                                            • memory/1344-327-0x00000000001F0000-0x0000000000235000-memory.dmp

                                              Filesize

                                              276KB

                                            • memory/1656-247-0x000000001AFD0000-0x000000001AFD2000-memory.dmp

                                              Filesize

                                              8KB

                                            • memory/1656-203-0x00000000010C0000-0x00000000010C8000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/1656-204-0x00000000010C0000-0x00000000010C8000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/1688-240-0x0000000000240000-0x0000000000276000-memory.dmp

                                              Filesize

                                              216KB

                                            • memory/1688-187-0x00000000001A0000-0x00000000001EA000-memory.dmp

                                              Filesize

                                              296KB

                                            • memory/1688-254-0x0000000000220000-0x0000000000226000-memory.dmp

                                              Filesize

                                              24KB

                                            • memory/1688-188-0x00000000001A0000-0x00000000001EA000-memory.dmp

                                              Filesize

                                              296KB

                                            • memory/1688-54-0x0000000076151000-0x0000000076153000-memory.dmp

                                              Filesize

                                              8KB

                                            • memory/1688-224-0x0000000000210000-0x0000000000216000-memory.dmp

                                              Filesize

                                              24KB

                                            • memory/1688-234-0x000000001AD50000-0x000000001AD52000-memory.dmp

                                              Filesize

                                              8KB

                                            • memory/1716-328-0x0000000003D90000-0x0000000003EDE000-memory.dmp

                                              Filesize

                                              1.3MB

                                            • memory/1732-222-0x00000000012B0000-0x000000000133C000-memory.dmp

                                              Filesize

                                              560KB

                                            • memory/1732-264-0x0000000000380000-0x0000000000381000-memory.dmp

                                              Filesize

                                              4KB

                                            • memory/1732-262-0x00000000050A0000-0x00000000050A1000-memory.dmp

                                              Filesize

                                              4KB

                                            • memory/1732-223-0x00000000012B0000-0x000000000133C000-memory.dmp

                                              Filesize

                                              560KB

                                            • memory/1756-232-0x0000000000400000-0x0000000000534000-memory.dmp

                                              Filesize

                                              1.2MB

                                            • memory/1756-227-0x00000000002A0000-0x000000000031C000-memory.dmp

                                              Filesize

                                              496KB

                                            • memory/1756-231-0x0000000002050000-0x0000000002125000-memory.dmp

                                              Filesize

                                              852KB

                                            • memory/1892-309-0x0000000000400000-0x0000000000420000-memory.dmp

                                              Filesize

                                              128KB

                                            • memory/1892-310-0x0000000000400000-0x0000000000420000-memory.dmp

                                              Filesize

                                              128KB

                                            • memory/1940-292-0x0000000001380000-0x00000000013CC000-memory.dmp

                                              Filesize

                                              304KB

                                            • memory/1940-296-0x0000000001380000-0x00000000013CC000-memory.dmp

                                              Filesize

                                              304KB

                                            • memory/1940-313-0x00000000002D0000-0x00000000002D6000-memory.dmp

                                              Filesize

                                              24KB

                                            • memory/1940-316-0x00000000003E0000-0x000000000042E000-memory.dmp

                                              Filesize

                                              312KB

                                            • memory/1940-325-0x00000000005B0000-0x00000000005B6000-memory.dmp

                                              Filesize

                                              24KB

                                            • memory/2084-221-0x0000000000260000-0x0000000000261000-memory.dmp

                                              Filesize

                                              4KB

                                            • memory/2104-283-0x0000000000410000-0x00000000004CC000-memory.dmp

                                              Filesize

                                              752KB

                                            • memory/2104-282-0x0000000000190000-0x0000000000191000-memory.dmp

                                              Filesize

                                              4KB

                                            • memory/2104-284-0x000000002D7B0000-0x000000002D869000-memory.dmp

                                              Filesize

                                              740KB

                                            • memory/2156-335-0x0000000001D00000-0x0000000001D29000-memory.dmp

                                              Filesize

                                              164KB

                                            • memory/2156-336-0x00000000031C0000-0x00000000032C5000-memory.dmp

                                              Filesize

                                              1.0MB

                                            • memory/2156-334-0x0000000001C20000-0x0000000001C3B000-memory.dmp

                                              Filesize

                                              108KB

                                            • memory/2156-278-0x0000000000480000-0x00000000004F2000-memory.dmp

                                              Filesize

                                              456KB

                                            • memory/2220-233-0x0000000000400000-0x00000000004CC000-memory.dmp

                                              Filesize

                                              816KB

                                            • memory/2296-337-0x0000000004870000-0x0000000004871000-memory.dmp

                                              Filesize

                                              4KB

                                            • memory/2296-333-0x0000000000520000-0x0000000000526000-memory.dmp

                                              Filesize

                                              24KB

                                            • memory/2296-332-0x0000000000950000-0x0000000000984000-memory.dmp

                                              Filesize

                                              208KB

                                            • memory/2296-331-0x0000000000950000-0x0000000000984000-memory.dmp

                                              Filesize

                                              208KB

                                            • memory/2392-244-0x00000000001F0000-0x00000000001F1000-memory.dmp

                                              Filesize

                                              4KB

                                            • memory/2480-245-0x00000000003B0000-0x000000000043C000-memory.dmp

                                              Filesize

                                              560KB

                                            • memory/2480-263-0x0000000000380000-0x0000000000381000-memory.dmp

                                              Filesize

                                              4KB

                                            • memory/2480-246-0x00000000003B0000-0x000000000043C000-memory.dmp

                                              Filesize

                                              560KB

                                            • memory/2480-261-0x00000000007C0000-0x00000000007C1000-memory.dmp

                                              Filesize

                                              4KB

                                            • memory/2704-315-0x00000000001A0000-0x00000000001A1000-memory.dmp

                                              Filesize

                                              4KB

                                            • memory/2808-258-0x0000000000400000-0x0000000000455000-memory.dmp

                                              Filesize

                                              340KB

                                            • memory/3012-274-0x0000000000AF0000-0x0000000000BF1000-memory.dmp

                                              Filesize

                                              1.0MB

                                            • memory/3012-275-0x0000000000820000-0x000000000087D000-memory.dmp

                                              Filesize

                                              372KB