Analysis

  • max time kernel
    43s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    25/12/2021, 19:11

General

  • Target

    819C9D8C88FC1FFBFEAE1797646F7B90F930FEF4DAE51.exe

  • Size

    6.2MB

  • MD5

    034469917307c8de1a984ac9fb025166

  • SHA1

    a5ad1cb9bdbe68d25d4809e86abc1f8717e5582e

  • SHA256

    819c9d8c88fc1ffbfeae1797646f7b90f930fef4dae513fe8e43fad3bf475bf0

  • SHA512

    f965845a9ee4eb187dd909bc1210e4239b8748f41976ef0dfa9523dedf58c673985cb202ea79402446fe50247cd683a95cfc8c48c1720fe887469bf6195ebaf4

Malware Config

Extracted

Family

socelars

C2

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.znsjis.top/

Extracted

Family

redline

Botnet

ANI

C2

45.142.215.47:27643

Extracted

Family

redline

Botnet

janera

C2

65.108.20.195:6774

Extracted

Family

redline

Botnet

matthew2009

C2

213.166.69.181:64650

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 11 IoCs
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 2 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • ASPack v2.12-2.42 7 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Downloads MZ/PE file
  • Executes dropped EXE 20 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 7 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 10 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\819C9D8C88FC1FFBFEAE1797646F7B90F930FEF4DAE51.exe
    "C:\Users\Admin\AppData\Local\Temp\819C9D8C88FC1FFBFEAE1797646F7B90F930FEF4DAE51.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3780
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:624
      • C:\Users\Admin\AppData\Local\Temp\7zS0723C316\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS0723C316\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2232
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3376
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1656
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu13a7cef837ebe31b.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2632
          • C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu13a7cef837ebe31b.exe
            Thu13a7cef837ebe31b.exe
            5⤵
            • Executes dropped EXE
            PID:2420
            • C:\Users\Admin\Pictures\Adobe Films\9KIN69wJR7AKohFOKaFWAy76.exe
              "C:\Users\Admin\Pictures\Adobe Films\9KIN69wJR7AKohFOKaFWAy76.exe"
              6⤵
              PID:5044
            • C:\Users\Admin\Pictures\Adobe Films\6Wtiauv9WCjJKOGx4igD2Jmd.exe
              "C:\Users\Admin\Pictures\Adobe Films\6Wtiauv9WCjJKOGx4igD2Jmd.exe"
              6⤵
              PID:4500
            • C:\Users\Admin\Pictures\Adobe Films\VVfR9XYWSW3P76nFiCI6tgkA.exe
              "C:\Users\Admin\Pictures\Adobe Films\VVfR9XYWSW3P76nFiCI6tgkA.exe"
              6⤵
              PID:4488
              • C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
                "C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
                7⤵
                PID:4724
              • C:\Program Files (x86)\Company\NewProduct\rtst1039.exe
                "C:\Program Files (x86)\Company\NewProduct\rtst1039.exe"
                7⤵
                PID:2660
              • C:\Program Files (x86)\Company\NewProduct\inst2.exe
                "C:\Program Files (x86)\Company\NewProduct\inst2.exe"
                7⤵
                PID:4676
            • C:\Users\Admin\Pictures\Adobe Films\yt8oCnbhHAwaBZcjsBUqGzFq.exe
              "C:\Users\Admin\Pictures\Adobe Films\yt8oCnbhHAwaBZcjsBUqGzFq.exe"
              6⤵
              PID:4400
            • C:\Users\Admin\Pictures\Adobe Films\AiL5fgZ1TlyroxJdJ7LFcIkf.exe
              "C:\Users\Admin\Pictures\Adobe Films\AiL5fgZ1TlyroxJdJ7LFcIkf.exe"
              6⤵
              PID:4476
            • C:\Users\Admin\Pictures\Adobe Films\BNNXORXyasSW5XvokTUvozMc.exe
              "C:\Users\Admin\Pictures\Adobe Films\BNNXORXyasSW5XvokTUvozMc.exe"
              6⤵
              PID:2956
            • C:\Users\Admin\Pictures\Adobe Films\iFVz9HRIit_90nJPXaXu3zvc.exe
              "C:\Users\Admin\Pictures\Adobe Films\iFVz9HRIit_90nJPXaXu3zvc.exe"
              6⤵
              PID:4428
            • C:\Users\Admin\Pictures\Adobe Films\fwJCjRXBkFejOvSm2bSqOLvH.exe
              "C:\Users\Admin\Pictures\Adobe Films\fwJCjRXBkFejOvSm2bSqOLvH.exe"
              6⤵
              PID:4416
            • C:\Users\Admin\Pictures\Adobe Films\Y_ka9fgsy7AFnZgsCRTic9Iq.exe
              "C:\Users\Admin\Pictures\Adobe Films\Y_ka9fgsy7AFnZgsCRTic9Iq.exe"
              6⤵
              PID:4464
            • C:\Users\Admin\Pictures\Adobe Films\NwaViJo787Bz6ClmC7Nk4hhe.exe
              "C:\Users\Admin\Pictures\Adobe Films\NwaViJo787Bz6ClmC7Nk4hhe.exe"
              6⤵
              PID:4460
            • C:\Users\Admin\Pictures\Adobe Films\kh5J2xJvTayCm0cDmOtWpVNw.exe
              "C:\Users\Admin\Pictures\Adobe Films\kh5J2xJvTayCm0cDmOtWpVNw.exe"
              6⤵
              PID:4448
            • C:\Users\Admin\Pictures\Adobe Films\dAUJZGXkDgiPWmzfDyZjzr44.exe
              "C:\Users\Admin\Pictures\Adobe Films\dAUJZGXkDgiPWmzfDyZjzr44.exe"
              6⤵
              PID:4444
            • C:\Users\Admin\Pictures\Adobe Films\4sWAqp8isdfp14bSF_MNGERz.exe
              "C:\Users\Admin\Pictures\Adobe Films\4sWAqp8isdfp14bSF_MNGERz.exe"
              6⤵
              PID:4424
            • C:\Users\Admin\Pictures\Adobe Films\9pwScL3GdiOKr0hg2JE_rJPn.exe
              "C:\Users\Admin\Pictures\Adobe Films\9pwScL3GdiOKr0hg2JE_rJPn.exe"
              6⤵
              PID:4388
            • C:\Users\Admin\Pictures\Adobe Films\5b79NzT_Yjfs_q6bpDXJfurt.exe
              "C:\Users\Admin\Pictures\Adobe Films\5b79NzT_Yjfs_q6bpDXJfurt.exe"
              6⤵
              PID:4376
            • C:\Users\Admin\Pictures\Adobe Films\RbfyXHqO2tzvS9HX5UL2FDnG.exe
              "C:\Users\Admin\Pictures\Adobe Films\RbfyXHqO2tzvS9HX5UL2FDnG.exe"
              6⤵
              PID:4372
            • C:\Users\Admin\Pictures\Adobe Films\2gMOK10z2l64lXCc5tyNiEfR.exe
              "C:\Users\Admin\Pictures\Adobe Films\2gMOK10z2l64lXCc5tyNiEfR.exe"
              6⤵
              PID:3856
            • C:\Users\Admin\Pictures\Adobe Films\eQDP6jhPkHeNvEXFwiVG0RL2.exe
              "C:\Users\Admin\Pictures\Adobe Films\eQDP6jhPkHeNvEXFwiVG0RL2.exe"
              6⤵
              PID:4348
            • C:\Users\Admin\Pictures\Adobe Films\HZINPOIZFEAxD5fkPWHFAms8.exe
              "C:\Users\Admin\Pictures\Adobe Films\HZINPOIZFEAxD5fkPWHFAms8.exe"
              6⤵
              PID:4336
            • C:\Users\Admin\Pictures\Adobe Films\4tyrzcjyU8NQewDfDRn9h1cw.exe
              "C:\Users\Admin\Pictures\Adobe Films\4tyrzcjyU8NQewDfDRn9h1cw.exe"
              6⤵
              PID:4332
            • C:\Users\Admin\Pictures\Adobe Films\YTY9xH9NIuNzyJWryvpunZwj.exe
              "C:\Users\Admin\Pictures\Adobe Films\YTY9xH9NIuNzyJWryvpunZwj.exe"
              6⤵
              PID:4800
            • C:\Users\Admin\Pictures\Adobe Films\vIiQCoLaAuKFThK158GcH1jF.exe
              "C:\Users\Admin\Pictures\Adobe Films\vIiQCoLaAuKFThK158GcH1jF.exe"
              6⤵
              PID:4776
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 400
                7⤵
                • Program crash
                PID:3160
            • C:\Users\Admin\Pictures\Adobe Films\5cQ30vu3dSzxHQU5J7980Cnw.exe
              "C:\Users\Admin\Pictures\Adobe Films\5cQ30vu3dSzxHQU5J7980Cnw.exe"
              6⤵
              PID:608
            • C:\Users\Admin\Pictures\Adobe Films\WqbVqWp3IL3NUIIiowU6wD2F.exe
              "C:\Users\Admin\Pictures\Adobe Films\WqbVqWp3IL3NUIIiowU6wD2F.exe"
              6⤵
              PID:404
            • C:\Users\Admin\Pictures\Adobe Films\mfT4nsQlu4wX1PJ9Ptjuj7CZ.exe
              "C:\Users\Admin\Pictures\Adobe Films\mfT4nsQlu4wX1PJ9Ptjuj7CZ.exe"
              6⤵
              PID:4748
            • C:\Users\Admin\Pictures\Adobe Films\CXC7HNS4nhmjB7HsnsDNk3H6.exe
              "C:\Users\Admin\Pictures\Adobe Films\CXC7HNS4nhmjB7HsnsDNk3H6.exe"
              6⤵
              PID:4732
            • C:\Users\Admin\Pictures\Adobe Films\EVVs5dVOjZcEMJp2pUt05APX.exe
              "C:\Users\Admin\Pictures\Adobe Films\EVVs5dVOjZcEMJp2pUt05APX.exe"
              6⤵
              PID:4716
            • C:\Users\Admin\Pictures\Adobe Films\_N3hQPhPklwj7yoy_i0GRfLp.exe
              "C:\Users\Admin\Pictures\Adobe Films\_N3hQPhPklwj7yoy_i0GRfLp.exe"
              6⤵
              PID:4652
            • C:\Users\Admin\Pictures\Adobe Films\ob_DkBa7yHu8fVcLaD47nHlp.exe
              "C:\Users\Admin\Pictures\Adobe Films\ob_DkBa7yHu8fVcLaD47nHlp.exe"
              6⤵
              PID:4700
            • C:\Users\Admin\Pictures\Adobe Films\Yf7NHzPdgiYWjjEXwOvfOpRx.exe
              "C:\Users\Admin\Pictures\Adobe Films\Yf7NHzPdgiYWjjEXwOvfOpRx.exe"
              6⤵
              PID:4692
              • C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
                "C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
                7⤵
                PID:4188
            • C:\Users\Admin\Pictures\Adobe Films\o96Ze6RM53cC9sIzrOREwYaB.exe
              "C:\Users\Admin\Pictures\Adobe Films\o96Ze6RM53cC9sIzrOREwYaB.exe"
              6⤵
              PID:4680
            • C:\Users\Admin\Pictures\Adobe Films\9TffQJMn9lcuykQU8UJ3vHoI.exe
              "C:\Users\Admin\Pictures\Adobe Films\9TffQJMn9lcuykQU8UJ3vHoI.exe"
              6⤵
              PID:4664
            • C:\Users\Admin\Pictures\Adobe Films\dWdYhNyMaGywMJUPwSb5D_ba.exe
              "C:\Users\Admin\Pictures\Adobe Films\dWdYhNyMaGywMJUPwSb5D_ba.exe"
              6⤵
              PID:4644
              • C:\Users\Admin\AppData\Local\Temp\7zS5DE.tmp\Install.exe
                .\Install.exe
                7⤵
                PID:4752
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu1333d0a5c4.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1272
          • C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu1333d0a5c4.exe
            Thu1333d0a5c4.exe
            5⤵
            • Executes dropped EXE
            PID:1496
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu135c06033a9903.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2116
          • C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu135c06033a9903.exe
            Thu135c06033a9903.exe
            5⤵
            • Executes dropped EXE
            PID:1424
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu139a4667a4bcc.exe
          4⤵
          PID:1320
          • C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu139a4667a4bcc.exe
            Thu139a4667a4bcc.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1800
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /c taskkill /f /im chrome.exe
              6⤵
              PID:1772
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im chrome.exe
                7⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2200
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1712
              6⤵
              • Program crash
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2088
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu13c4f61c88e.exe
          4⤵
          PID:1144
          • C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu13c4f61c88e.exe
            Thu13c4f61c88e.exe
            5⤵
            • Executes dropped EXE
            PID:2528
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu13057255b6f0.exe
          4⤵
          PID:2080
          • C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu13057255b6f0.exe
            Thu13057255b6f0.exe
            5⤵
            • Executes dropped EXE
            • Checks BIOS information in registry
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:2260
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu13b4c97dc09be.exe
          4⤵
          PID:1428
          • C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu13b4c97dc09be.exe
            Thu13b4c97dc09be.exe
            5⤵
            • Executes dropped EXE
            PID:2264
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu1331399915bc.exe
          4⤵
          PID:60
          • C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu1331399915bc.exe
            Thu1331399915bc.exe
            5⤵
            • Executes dropped EXE
            PID:3808
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 1436
              6⤵
              • Suspicious use of NtCreateProcessExOtherParentProcess
              • Program crash
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3008
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 596
          4⤵
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3852
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu1357848a7d8b.exe
          4⤵
          PID:2032
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu13e038722ba1359cc.exe
          4⤵
          PID:1692
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu131d30b4ff3be.exe
          4⤵
          PID:2736
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu137fba5c145.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2712
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu131b8cfbf6991de.exe /mixone
          4⤵
          PID:1348
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Thu132d3beffccd.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1420
          • C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu1357848a7d8b.exe
            Thu1357848a7d8b.exe
                                                                                                    1⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:1296
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu131d30b4ff3be.exe
                                                                                                    Thu131d30b4ff3be.exe
                                                                                                    1⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Checks SCSI registry key(s)
                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                    • Suspicious behavior: MapViewOfSection
                                                                                                    PID:3856
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-5JAQB.tmp\Thu135c06033a9903.tmp
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\is-5JAQB.tmp\Thu135c06033a9903.tmp" /SL5="$30084,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu135c06033a9903.exe"
                                                                                                    1⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Loads dropped DLL
                                                                                                    PID:3188
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu13e038722ba1359cc.exe
                                                                                                    Thu13e038722ba1359cc.exe
                                                                                                    1⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:3028
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu131b8cfbf6991de.exe
                                                                                                    Thu131b8cfbf6991de.exe /mixone
                                                                                                    1⤵
                                                                                                    • Executes dropped EXE
                                                                                                    PID:3228
                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 660
                                                                                                      2⤵
                                                                                                      • Program crash
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:4412
                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 676
                                                                                                      2⤵
                                                                                                      • Program crash
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:4504
                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 680
                                                                                                      2⤵
                                                                                                      • Program crash
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:4596
                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 812
                                                                                                      2⤵
                                                                                                      • Program crash
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:4648
                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 844
                                                                                                      2⤵
                                                                                                      • Program crash
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      PID:4752
                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 900
                                                                                                      2⤵
                                                                                                      • Program crash
                                                                                                      PID:4948
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu137fba5c145.exe
                                                                                                    Thu137fba5c145.exe
                                                                                                    1⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious use of SetThreadContext
                                                                                                    PID:1380
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu137fba5c145.exe
                                                                                                      C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu137fba5c145.exe
                                                                                                      2⤵
                                                                                                      • Executes dropped EXE
                                                                                                      PID:2024
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu132d3beffccd.exe
                                                                                                    Thu132d3beffccd.exe
                                                                                                    1⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious use of SetThreadContext
                                                                                                    PID:1316
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu132d3beffccd.exe
                                                                                                      C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu132d3beffccd.exe
                                                                                                      2⤵
                                                                                                      • Executes dropped EXE
                                                                                                      PID:1292
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu132d3beffccd.exe
                                                                                                      C:\Users\Admin\AppData\Local\Temp\7zS0723C316\Thu132d3beffccd.exe
                                                                                                      2⤵
                                                                                                      • Executes dropped EXE
                                                                                                      PID:1640

Network

MITRE ATT&CK Enterprise v6

Downloads

• memory/1296-229-0x0000000001140000-0x0000000001146000-memory.dmp  Filesize 24KB
• memory/1296-221-0x0000000000CF0000-0x0000000000D22000-memory.dmp  Filesize 200KB
• memory/1296-222-0x0000000000CF0000-0x0000000000D22000-memory.dmp  Filesize 200KB
• memory/1296-235-0x0000000001570000-0x0000000001572000-memory.dmp  Filesize 8KB
• memory/1316-218-0x0000000000E60000-0x0000000000ED4000-memory.dmp  Filesize 464KB
• memory/1316-237-0x00000000031F0000-0x000000000320E000-memory.dmp  Filesize 120KB
• memory/1316-246-0x0000000005CD0000-0x00000000061CE000-memory.dmp  Filesize 5.0MB
• memory/1316-238-0x00000000057C0000-0x00000000057C1000-memory.dmp  Filesize 4KB
• memory/1316-213-0x0000000000E60000-0x0000000000ED4000-memory.dmp  Filesize 464KB
• memory/1316-224-0x00000000056A0000-0x0000000005716000-memory.dmp  Filesize 472KB
• memory/1380-239-0x0000000005430000-0x0000000005431000-memory.dmp  Filesize 4KB
• memory/1380-225-0x0000000005230000-0x00000000052A6000-memory.dmp  Filesize 472KB
• memory/1380-211-0x00000000009D0000-0x0000000000A46000-memory.dmp  Filesize 472KB
• memory/1380-245-0x0000000005940000-0x0000000005E3E000-memory.dmp  Filesize 5.0MB
• memory/1380-215-0x00000000009D0000-0x0000000000A46000-memory.dmp  Filesize 472KB
• memory/1380-236-0x00000000051B0000-0x00000000051CE000-memory.dmp  Filesize 120KB
• memory/1424-208-0x0000000000400000-0x000000000046D000-memory.dmp  Filesize 436KB
• memory/1640-283-0x0000000000400000-0x0000000000422000-memory.dmp  Filesize 136KB
• memory/1656-252-0x0000000007500000-0x0000000007850000-memory.dmp  Filesize 3.3MB
• memory/1656-249-0x0000000006C90000-0x0000000006CF6000-memory.dmp  Filesize 408KB
• memory/1656-292-0x0000000000760000-0x0000000000761000-memory.dmp  Filesize 4KB
• memory/1656-233-0x0000000006792000-0x0000000006793000-memory.dmp  Filesize 4KB
• memory/1656-228-0x0000000006790000-0x0000000006791000-memory.dmp  Filesize 4KB
• memory/1656-241-0x0000000006BF0000-0x0000000006C12000-memory.dmp  Filesize 136KB
• memory/1656-248-0x0000000006D60000-0x0000000006DC6000-memory.dmp  Filesize 408KB
• memory/1656-206-0x0000000000760000-0x0000000000761000-memory.dmp  Filesize 4KB
• memory/1656-210-0x0000000000760000-0x0000000000761000-memory.dmp  Filesize 4KB
• memory/1656-223-0x0000000006DD0000-0x00000000073F8000-memory.dmp  Filesize 6.2MB
• memory/1656-220-0x0000000004500000-0x0000000004536000-memory.dmp  Filesize 216KB
• memory/1656-274-0x0000000007A10000-0x0000000007A5B000-memory.dmp  Filesize 300KB
• memory/1656-269-0x0000000006D20000-0x0000000006D3C000-memory.dmp  Filesize 112KB
• memory/2024-257-0x0000000000400000-0x0000000000422000-memory.dmp  Filesize 136KB
• memory/2024-278-0x0000000005490000-0x00000000054CE000-memory.dmp  Filesize 248KB
• memory/2024-267-0x0000000000400000-0x0000000000422000-memory.dmp  Filesize 136KB
• memory/2024-273-0x0000000005430000-0x0000000005442000-memory.dmp  Filesize 72KB
• memory/2024-275-0x0000000005560000-0x000000000566A000-memory.dmp  Filesize 1.0MB
• memory/2024-265-0x0000000000400000-0x0000000000422000-memory.dmp  Filesize 136KB
• memory/2024-271-0x00000000059E0000-0x0000000005FE6000-memory.dmp  Filesize 6.0MB
• memory/2232-134-0x000000006B440000-0x000000006B4CF000-memory.dmp  Filesize 572KB
• memory/2232-139-0x0000000064940000-0x0000000064959000-memory.dmp  Filesize 100KB
• memory/2232-137-0x0000000064940000-0x0000000064959000-memory.dmp  Filesize 100KB
• memory/2232-143-0x000000006B280000-0x000000006B2A6000-memory.dmp  Filesize 152KB
• memory/2232-136-0x000000006FE40000-0x000000006FFC6000-memory.dmp  Filesize 1.5MB
• memory/2232-135-0x0000000064940000-0x0000000064959000-memory.dmp  Filesize 100KB
• memory/2232-133-0x000000006B440000-0x000000006B4CF000-memory.dmp  Filesize 572KB
• memory/2232-132-0x000000006B440000-0x000000006B4CF000-memory.dmp  Filesize 572KB
• memory/2232-142-0x000000006FE40000-0x000000006FFC6000-memory.dmp  Filesize 1.5MB
• memory/2232-140-0x0000000064940000-0x0000000064959000-memory.dmp  Filesize 100KB
• memory/2232-141-0x000000006FE40000-0x000000006FFC6000-memory.dmp  Filesize

                                                                                                          1.5MB

                                                                                                        • memory/2232-138-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                                                          Filesize

                                                                                                          1.5MB

                                                                                                        • memory/2260-242-0x0000000005F40000-0x0000000006546000-memory.dmp

                                                                                                          Filesize

                                                                                                          6.0MB

                                                                                                        • memory/2260-250-0x0000000005930000-0x0000000005F36000-memory.dmp

                                                                                                          Filesize

                                                                                                          6.0MB

                                                                                                        • memory/2260-231-0x0000000077020000-0x00000000771AE000-memory.dmp

                                                                                                          Filesize

                                                                                                          1.6MB

                                                                                                        • memory/2260-234-0x0000000000910000-0x0000000000F72000-memory.dmp

                                                                                                          Filesize

                                                                                                          6.4MB

                                                                                                        • memory/2260-232-0x0000000000910000-0x0000000000F72000-memory.dmp

                                                                                                          Filesize

                                                                                                          6.4MB

                                                                                                        • memory/2260-244-0x0000000005AC0000-0x0000000005BCA000-memory.dmp

                                                                                                          Filesize

                                                                                                          1.0MB

                                                                                                        • memory/2260-243-0x0000000005990000-0x00000000059A2000-memory.dmp

                                                                                                          Filesize

                                                                                                          72KB

                                                                                                        • memory/2260-247-0x0000000005A10000-0x0000000005A4E000-memory.dmp

                                                                                                          Filesize

                                                                                                          248KB

                                                                                                        • memory/2260-251-0x0000000005A50000-0x0000000005A9B000-memory.dmp

                                                                                                          Filesize

                                                                                                          300KB

                                                                                                        • memory/2528-260-0x0000000007400000-0x0000000007401000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/2528-253-0x0000000002BB0000-0x0000000002CFA000-memory.dmp

                                                                                                          Filesize

                                                                                                          1.3MB

                                                                                                        • memory/2528-266-0x0000000007910000-0x0000000007F16000-memory.dmp

                                                                                                          Filesize

                                                                                                          6.0MB

                                                                                                        • memory/2528-272-0x0000000007260000-0x000000000736A000-memory.dmp

                                                                                                          Filesize

                                                                                                          1.0MB

                                                                                                        • memory/2528-270-0x0000000004C20000-0x0000000004C32000-memory.dmp

                                                                                                          Filesize

                                                                                                          72KB

                                                                                                        • memory/2528-258-0x0000000004B20000-0x0000000004B44000-memory.dmp

                                                                                                          Filesize

                                                                                                          144KB

                                                                                                        • memory/2528-268-0x0000000007403000-0x0000000007404000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/2528-277-0x0000000007370000-0x00000000073BB000-memory.dmp

                                                                                                          Filesize

                                                                                                          300KB

                                                                                                        • memory/2528-279-0x0000000007404000-0x0000000007406000-memory.dmp

                                                                                                          Filesize

                                                                                                          8KB

                                                                                                        • memory/2528-263-0x0000000007402000-0x0000000007403000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/2528-199-0x0000000002E22000-0x0000000002E45000-memory.dmp

                                                                                                          Filesize

                                                                                                          140KB

                                                                                                        • memory/2528-256-0x0000000007410000-0x000000000790E000-memory.dmp

                                                                                                          Filesize

                                                                                                          5.0MB

                                                                                                        • memory/2528-254-0x0000000000400000-0x0000000002BA2000-memory.dmp

                                                                                                          Filesize

                                                                                                          39.6MB

                                                                                                        • memory/2528-276-0x0000000004C60000-0x0000000004C9E000-memory.dmp

                                                                                                          Filesize

                                                                                                          248KB

                                                                                                        • memory/2528-255-0x0000000004AB0000-0x0000000004AD6000-memory.dmp

                                                                                                          Filesize

                                                                                                          152KB

                                                                                                        • memory/3028-214-0x0000000000F40000-0x0000000000F42000-memory.dmp

                                                                                                          Filesize

                                                                                                          8KB

                                                                                                        • memory/3028-204-0x00000000007A0000-0x00000000007A8000-memory.dmp

                                                                                                          Filesize

                                                                                                          32KB

                                                                                                        • memory/3028-203-0x00000000007A0000-0x00000000007A8000-memory.dmp

                                                                                                          Filesize

                                                                                                          32KB

                                                                                                        • memory/3188-240-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                          Filesize

                                                                                                          4KB

                                                                                                        • memory/3228-197-0x0000000000779000-0x00000000007A2000-memory.dmp

                                                                                                          Filesize

                                                                                                          164KB

                                                                                                        • memory/3808-200-0x0000000000749000-0x00000000007C5000-memory.dmp

                                                                                                          Filesize

                                                                                                          496KB