Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    25/12/2021, 21:22

General

  • Target

    a82b499dee9c2863b1f9991585e12291.exe

  • Size

    6.3MB

  • MD5

    a82b499dee9c2863b1f9991585e12291

  • SHA1

    52c930ed813c9d7a592e1bb2e912c20dcf063bf2

  • SHA256

    bcfa6e6fb8a5b32e164fd8a7b49d448e65482fae38fe17e48cc35cb6427a360e

  • SHA512

    52c483347e652464da73110286cb81e01c5fb2ac9ba3ba38293f95f5a39d8dbd5706a196371fba07171fb77f52d055c0cee575a6d7debbe8f4bb5321a5b9e35f

Malware Config

  • Extracted

    Family: socelars
    C2: http://www.biohazardgraphics.com/

  • Extracted

    Family: redline
    Botnet: userv1
    C2: 159.69.246.184:13127

  • Extracted

    Family: redline
    Botnet: media22ns
    C2: 65.108.69.168:13293

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro. In this run the flagged process is rundll32.exe loading sqlite.dll from %TEMP% (PID 1592) with no recorded parent, so check which dropped binary wrote that DLL before assuming an exploited host process.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 7 IoCs
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 3 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • NirSoft WebBrowserPassView 4 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 5 IoCs
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Downloads MZ/PE file
  • Executes dropped EXE 30 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Drops file in System32 directory 13 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour; the families identified in this run are stealers (Socelars, RedLine, Vidar), so read it as drive enumeration rather than encryption unless the file writes show otherwise.

  • Program crash 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 15 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 19 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:460
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:860
        • C:\Windows\system32\wbem\WMIADAP.EXE
          wmiadap.exe /F /T /R
          3⤵
            PID:2512
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k SystemNetworkService
          2⤵
          • Drops file in System32 directory
          • Checks processor information in registry
          • Modifies data under HKEY_USERS
          • Modifies registry class
          PID:1116
      • C:\Users\Admin\AppData\Local\Temp\a82b499dee9c2863b1f9991585e12291.exe
        "C:\Users\Admin\AppData\Local\Temp\a82b499dee9c2863b1f9991585e12291.exe"
        1⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1084
        • C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\setup_install.exe
          "C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\setup_install.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1744
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1820
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1604
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1632
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:992
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Thu097902373d066d7a.exe
            3⤵
            • Loads dropped DLL
            PID:2040
            • C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\Thu097902373d066d7a.exe
              Thu097902373d066d7a.exe
              4⤵
              • Executes dropped EXE
              PID:1676
              • C:\Users\Admin\AppData\Local\Temp\11111.exe
                C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                5⤵
                • Executes dropped EXE
                PID:2308
              • C:\Users\Admin\AppData\Local\Temp\11111.exe
                C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                5⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                PID:2432
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c Thu09da317d75c68.exe
            3⤵
            • Loads dropped DLL
            PID:1524
            • C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\Thu09da317d75c68.exe
              Thu09da317d75c68.exe
              4⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:1584
              • C:\Windows\SysWOW64\control.exe
                "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\NG3RY.CPL",
                5⤵
                  PID:2256
                  • C:\Windows\SysWOW64\rundll32.exe
                    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\NG3RY.CPL",
                    6⤵
                      PID:2284
                      • C:\Windows\system32\RunDll32.exe
                        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\NG3RY.CPL",
                        7⤵
                          PID:2848
                          • C:\Windows\SysWOW64\rundll32.exe
                            "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\NG3RY.CPL",
                            8⤵
                              PID:2148
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Thu09280ea08f6.exe
                    3⤵
                    • Loads dropped DLL
                    PID:1480
                    • C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\Thu09280ea08f6.exe
                      Thu09280ea08f6.exe
                      4⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious use of SetThreadContext
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1824
                      • C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\Thu09280ea08f6.exe
                        C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\Thu09280ea08f6.exe
                        5⤵
                        • Executes dropped EXE
                        PID:2680
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Thu09813b41886381b3.exe
                    3⤵
                    • Loads dropped DLL
                    PID:1436
                    • C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\Thu09813b41886381b3.exe
                      Thu09813b41886381b3.exe
                      4⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      PID:480
                      • C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\Thu09813b41886381b3.exe
                        "C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\Thu09813b41886381b3.exe" -u
                        5⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:1912
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Thu09e1aa1424.exe
                    3⤵
                    • Loads dropped DLL
                    PID:1452
                    • C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\Thu09e1aa1424.exe
                      Thu09e1aa1424.exe
                      4⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Modifies system certificate store
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1704
                      • C:\Windows\SysWOW64\WerFault.exe
                        C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 1120
                        5⤵
                        • Program crash
                        • Suspicious behavior: GetForegroundWindowSpam
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2672
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c Thu09284c81371.exe
                    3⤵
                    • Loads dropped DLL
                    PID:1636
                    • C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\Thu09284c81371.exe
                      Thu09284c81371.exe
                      4⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Checks processor information in registry
                      PID:1356
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c taskkill /im Thu09284c81371.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\Thu09284c81371.exe" & del C:\ProgramData\*.dll & exit
                        5⤵
                          PID:604
                          • C:\Windows\SysWOW64\taskkill.exe
                            taskkill /im Thu09284c81371.exe /f
                            6⤵
                            • Kills process with taskkill
                            PID:2536
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout /t 6
                            6⤵
                            • Delays execution with timeout.exe
                            PID:888
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c Thu09d383b370e81ac13.exe
                      3⤵
                      • Loads dropped DLL
                      PID:1728
                      • C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\Thu09d383b370e81ac13.exe
                        Thu09d383b370e81ac13.exe
                        4⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:1048
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c Thu098e6c1c066.exe
                      3⤵
                      • Loads dropped DLL
                      PID:2044
                      • C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\Thu098e6c1c066.exe
                        Thu098e6c1c066.exe
                        4⤵
                        • Executes dropped EXE
                        • Checks computer location settings
                        • Loads dropped DLL
                        • Suspicious behavior: EnumeratesProcesses
                        PID:1968
                        • C:\Users\Admin\Pictures\Adobe Films\J88Oiw7Sf1RkUOdoylbSDrSd.exe
                          "C:\Users\Admin\Pictures\Adobe Films\J88Oiw7Sf1RkUOdoylbSDrSd.exe"
                          5⤵
                          • Executes dropped EXE
                          PID:2836
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1540
                          5⤵
                          • Program crash
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2520
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c Thu090d5088a23.exe
                      3⤵
                      • Loads dropped DLL
                      PID:900
                      • C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\Thu090d5088a23.exe
                        Thu090d5088a23.exe
                        4⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Checks SCSI registry key(s)
                        • Suspicious behavior: MapViewOfSection
                        PID:268
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c Thu09b4267b2e4.exe
                      3⤵
                      • Loads dropped DLL
                      PID:1008
                      • C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\Thu09b4267b2e4.exe
                        Thu09b4267b2e4.exe
                        4⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1228
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c Thu09dcf557d3d060f.exe
                      3⤵
                      • Loads dropped DLL
                      PID:628
                      • C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\Thu09dcf557d3d060f.exe
                        Thu09dcf557d3d060f.exe
                        4⤵
                        • Executes dropped EXE
                        • Checks computer location settings
                        • Loads dropped DLL
                        • Suspicious behavior: EnumeratesProcesses
                        PID:736
                        • C:\Users\Admin\Pictures\Adobe Films\FVZZzcivibn35tVjPQXA988H.exe
                          "C:\Users\Admin\Pictures\Adobe Films\FVZZzcivibn35tVjPQXA988H.exe"
                          5⤵
                          • Executes dropped EXE
                          PID:2816
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 1556
                          5⤵
                          • Program crash
                          • Suspicious behavior: GetForegroundWindowSpam
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3012
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c Thu09db0c7d9e965e.exe
                      3⤵
                      • Loads dropped DLL
                      PID:1012
                      • C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\Thu09db0c7d9e965e.exe
                        Thu09db0c7d9e965e.exe
                        4⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1708
                        • C:\Users\Admin\AppData\Local\d1a88fd9-5e0e-47ff-bf56-186b4899ff55.exe
                          "C:\Users\Admin\AppData\Local\d1a88fd9-5e0e-47ff-bf56-186b4899ff55.exe"
                          5⤵
                          • Executes dropped EXE
                          PID:2480
                        • C:\Users\Admin\AppData\Local\ea951cfd-afd2-47ba-8610-fe6e3058b466.exe
                          "C:\Users\Admin\AppData\Local\ea951cfd-afd2-47ba-8610-fe6e3058b466.exe"
                          5⤵
                          • Executes dropped EXE
                          • Adds Run key to start application
                          PID:2532
                          • C:\Users\Admin\AppData\Roaming\69554800\6988469369884693.exe
                            "C:\Users\Admin\AppData\Roaming\69554800\6988469369884693.exe"
                            6⤵
                            • Executes dropped EXE
                            PID:1100
                        • C:\Users\Admin\AppData\Local\215bdf58-794e-462c-a1bc-2387c9939deb.exe
                          "C:\Users\Admin\AppData\Local\215bdf58-794e-462c-a1bc-2387c9939deb.exe"
                          5⤵
                          • Executes dropped EXE
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          PID:1476
                          • C:\Program Files\Internet Explorer\iexplore.exe
                            "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=215bdf58-794e-462c-a1bc-2387c9939deb.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
                            6⤵
                            • Modifies Internet Explorer settings
                            • Suspicious use of SetWindowsHookEx
                            PID:1012
                            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1012 CREDAT:275457 /prefetch:2
                              7⤵
                              • Modifies Internet Explorer settings
                              PID:520
                        • C:\Users\Admin\AppData\Local\b22edd37-a434-4a68-8c80-ac1b6d7203b9.exe
                          "C:\Users\Admin\AppData\Local\b22edd37-a434-4a68-8c80-ac1b6d7203b9.exe"
                          5⤵
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2104
                          • C:\Users\Admin\AppData\Roaming\151246.exe
                            "C:\Users\Admin\AppData\Roaming\151246.exe"
                            6⤵
                            • Executes dropped EXE
                            PID:2608
                            • C:\Windows\SysWOW64\msiexec.exe
                              "C:\Windows\System32\msiexec.exe" /y .\LeVEJ.Q
                              7⤵
                                PID:2368
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c Thu09d363d30d3bc2c.exe
                        3⤵
                        • Loads dropped DLL
                        PID:652
                        • C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\Thu09d363d30d3bc2c.exe
                          Thu09d363d30d3bc2c.exe
                          4⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Suspicious use of SetThreadContext
                          • Suspicious use of AdjustPrivilegeToken
                          PID:988
                          • C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\Thu09d363d30d3bc2c.exe
                            C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\Thu09d363d30d3bc2c.exe
                            5⤵
                            • Executes dropped EXE
                            PID:2664
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c Thu091431ade7b72e2.exe /mixtwo
                        3⤵
                        • Loads dropped DLL
                        PID:1924
                        • C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\Thu091431ade7b72e2.exe
                          Thu091431ade7b72e2.exe /mixtwo
                          4⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Suspicious use of SetThreadContext
                          PID:844
                          • C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\Thu091431ade7b72e2.exe
                            Thu091431ade7b72e2.exe /mixtwo
                            5⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            PID:480
                            • C:\Windows\SysWOW64\cmd.exe
                              "C:\Windows\System32\cmd.exe" /c taskkill /im "Thu091431ade7b72e2.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\Thu091431ade7b72e2.exe" & exit
                              6⤵
                                PID:2508
                                • C:\Windows\SysWOW64\taskkill.exe
                                  taskkill /im "Thu091431ade7b72e2.exe" /f
                                  7⤵
                                  • Kills process with taskkill
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2328
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c Thu093fc976065980.exe
                          3⤵
                          • Loads dropped DLL
                          PID:1720
                          • C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\Thu093fc976065980.exe
                            Thu093fc976065980.exe
                            4⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            PID:328
                            • C:\Windows\SysWOW64\control.exe
                              "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\NG3RY.CPL",
                              5⤵
                                PID:2076
                                • C:\Windows\SysWOW64\rundll32.exe
                                  "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\NG3RY.CPL",
                                  6⤵
                                  • Loads dropped DLL
                                  PID:2140
                                  • C:\Windows\system32\RunDll32.exe
                                    C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\NG3RY.CPL",
                                    7⤵
                                      PID:2148
                                      • C:\Windows\SysWOW64\rundll32.exe
                                        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\NG3RY.CPL",
                                        8⤵
                                          PID:2184
                          • C:\Windows\system32\rundll32.exe
                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                            1⤵
                            • Process spawned unexpected child process
                            PID:1592
                            • C:\Windows\SysWOW64\rundll32.exe
                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                              2⤵
                              • Modifies registry class
                              • Suspicious use of AdjustPrivilegeToken
                              PID:2132
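
The tree above records, as plain command lines, the steps a responder wants to detect on a live host: Defender real-time protection switched off and %TEMP% excluded through Set-MpPreference/Add-MpPreference, a CPL payload reached through control.exe and rundll32 Control_RunDLL, a NirSoft-style cookie export, taskkill/timeout/del self-removal, and rundll32 loading sqlite.dll from %TEMP%. The Python below is an added example, not part of this report and not any sandbox's code: it turns those command lines into regex rules and runs them over a record list constructed from the tree. The Proc type, the rule names and the lineage helper are assumptions of the example.

```python
"""Behavioural triage over a sandbox process tree.

Added example, not part of the original report: the rules encode the
command lines visible in this report's process tree and flag the steps a
responder would pull out first. The record list is constructed from the
report; rule names and the Proc type are the author's own, not a sandbox API.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: Optional[int] = None  # None for a tree root


# Constructed subset of the report's process tree (PIDs and command lines as listed there).
TREE: List[Proc] = [
    Proc(1084, r"C:\Users\Admin\AppData\Local\Temp\a82b499dee9c2863b1f9991585e12291.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\a82b499dee9c2863b1f9991585e12291.exe"'),
    Proc(1744, r"C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\setup_install.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\setup_install.exe"', 1084),
    Proc(1820, r"C:\Windows\SysWOW64\cmd.exe",
         r"C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive "
         r"-Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable", 1744),
    Proc(1604, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r"powershell -inputformat none -outputformat none -NonInteractive "
         r"-Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable", 1820),
    Proc(992, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"', 1632),
    Proc(2308, r"C:\Users\Admin\AppData\Local\Temp\11111.exe",
         r'C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt', 1676),
    Proc(2284, r"C:\Windows\SysWOW64\rundll32.exe",
         r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\NG3RY.CPL",', 2256),
    Proc(604, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c taskkill /im Thu09284c81371.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zSC34436B5\Thu09284c81371.exe" & del C:\ProgramData\*.dll & exit', 1356),
    Proc(1592, r"C:\Windows\system32\rundll32.exe",
         r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global'),
    Proc(2512, r"C:\Windows\system32\wbem\WMIADAP.EXE", "wmiadap.exe /F /T /R", 860),  # benign noise
]

# One regex per technique, matched against the full command line (names are the author's own).
RULES: Dict[str, re.Pattern] = {
    "defender_realtime_disabled": re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true", re.I),
    "defender_exclusion_added":   re.compile(r"Add-MpPreference\b.*-ExclusionPath\b", re.I),
    "cpl_via_rundll32":           re.compile(r'(?:Control_RunDLL|shell32\.dll",#\d+).*\.cpl\b', re.I),
    "browser_cookie_export":      re.compile(r'/CookiesFile\s+"[^"]*\\Cookies"', re.I),
    "self_delete_chain":          re.compile(r"taskkill\s+/im\b.*&\s*(?:del|erase)\b", re.I),
    "rundll32_dll_from_temp":     re.compile(r'rundll32(?:\.exe)?\s+"?[^",]*\\AppData\\Local\\Temp\\[^",]+\.dll"?\s*,', re.I),
}


def triage(tree: List[Proc]) -> List[Tuple[str, int]]:
    """Return (rule, pid) pairs for every process whose command line matches a rule."""
    hits: List[Tuple[str, int]] = []
    for p in tree:
        for name, rx in RULES.items():
            if rx.search(p.cmdline):
                hits.append((name, p.pid))
    return hits


def summary(tree: List[Proc]) -> Dict[str, List[int]]:
    """Group hits by rule with PIDs sorted, so a report reads rule -> offending processes."""
    out: Dict[str, List[int]] = {}
    for name, pid in triage(tree):
        out.setdefault(name, []).append(pid)
    return {k: sorted(v) for k, v in out.items()}


def lineage(tree: List[Proc], pid: int) -> List[int]:
    """Walk parent links from pid to the root: which dropped binary started the chain.
    Assumes PIDs are unique within `tree`; real runs reuse PIDs (this report lists
    480, 1012 and 2148 twice), so key on (pid, start time) on real data."""
    by_pid = {p.pid: p for p in tree}
    chain: List[int] = []
    cur: Optional[int] = pid
    while cur is not None and cur in by_pid:
        chain.append(cur)
        cur = by_pid[cur].parent
    return chain


if __name__ == "__main__":
    for rule, pids in summary(TREE).items():
        print(f"{rule:28s} {pids}")
    print("lineage of Defender tampering:", lineage(TREE, 1604))
```

Both the cmd.exe wrapper (PID 1820) and its PowerShell child (PID 1604) match the Defender rule because the wrapper's command line carries the whole inner command; keep both, since the wrapper is what a process-creation log shows first. PIDs repeat within this run (480, 1012 and 2148 each appear twice in the tree), so on real sandbox or EDR data key processes on PID plus start time rather than PID alone.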

                          Network

                                MITRE ATT&CK Enterprise v6

                                Downloads

                                • memory/480-222-0x0000000000400000-0x0000000000450000-memory.dmp

                                  Filesize

                                  320KB

                                • memory/480-219-0x0000000000400000-0x0000000000450000-memory.dmp

                                  Filesize

                                  320KB

                                • memory/480-214-0x0000000000400000-0x0000000000450000-memory.dmp

                                  Filesize

                                  320KB

                                • memory/480-213-0x0000000000400000-0x0000000000450000-memory.dmp

                                  Filesize

                                  320KB

                                • memory/736-254-0x0000000003D50000-0x0000000003E9E000-memory.dmp

                                  Filesize

                                  1.3MB

                                • memory/860-309-0x0000000002040000-0x00000000020B2000-memory.dmp

                                  Filesize

                                  456KB

                                • memory/860-302-0x00000000007B0000-0x00000000007FD000-memory.dmp

                                  Filesize

                                  308KB

                                • memory/988-192-0x0000000000B00000-0x0000000000B8C000-memory.dmp

                                  Filesize

                                  560KB

                                • memory/988-194-0x0000000000B00000-0x0000000000B8C000-memory.dmp

                                  Filesize

                                  560KB

                                • memory/988-241-0x0000000000E20000-0x0000000000E21000-memory.dmp

                                  Filesize

                                  4KB

                                • memory/988-247-0x0000000000510000-0x000000000059C000-memory.dmp

                                  Filesize

                                  560KB

                                • memory/992-225-0x00000000020F0000-0x0000000002D3A000-memory.dmp

                                  Filesize

                                  12.3MB

                                • memory/992-223-0x00000000020F0000-0x0000000002D3A000-memory.dmp

                                  Filesize

                                  12.3MB

                                • memory/1048-212-0x0000000000400000-0x00000000004CC000-memory.dmp

                                  Filesize

                                  816KB

                                • memory/1084-54-0x00000000763B1000-0x00000000763B3000-memory.dmp

                                  Filesize

                                  8KB

                                • memory/1116-320-0x0000000000470000-0x00000000004E2000-memory.dmp

                                  Filesize

                                  456KB

                                • memory/1228-209-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

                                  Filesize

                                  32KB

                                • memory/1228-206-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

                                  Filesize

                                  32KB

                                • memory/1228-236-0x000000001B200000-0x000000001B202000-memory.dmp

                                  Filesize

                                  8KB

                                • memory/1476-310-0x0000000000960000-0x0000000000B2D000-memory.dmp

Filesize 1.8MB

• memory/1604-227-0x0000000000641000-0x0000000000642000-memory.dmp, Filesize 4KB
• memory/1604-224-0x0000000000640000-0x0000000000641000-memory.dmp, Filesize 4KB
• memory/1604-246-0x0000000000642000-0x0000000000644000-memory.dmp, Filesize 8KB
• memory/1708-237-0x0000000000140000-0x0000000000146000-memory.dmp, Filesize 24KB
• memory/1708-250-0x000000001B130000-0x000000001B132000-memory.dmp, Filesize 8KB
• memory/1708-210-0x0000000000170000-0x000000000018C000-memory.dmp, Filesize 112KB
• memory/1708-205-0x0000000000170000-0x000000000018C000-memory.dmp, Filesize 112KB
• memory/1744-84-0x0000000064940000-0x0000000064959000-memory.dmp, Filesize 100KB
• memory/1744-78-0x000000006FE40000-0x000000006FFC6000-memory.dmp, Filesize 1.5MB
• memory/1744-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp, Filesize 1.5MB
• memory/1744-77-0x000000006B440000-0x000000006B4CF000-memory.dmp, Filesize 572KB
• memory/1744-87-0x000000006B440000-0x000000006B4CF000-memory.dmp, Filesize 572KB
• memory/1744-76-0x000000006B440000-0x000000006B4CF000-memory.dmp, Filesize 572KB
• memory/1744-75-0x000000006B440000-0x000000006B4CF000-memory.dmp, Filesize 572KB
• memory/1744-88-0x000000006FE40000-0x000000006FFC6000-memory.dmp, Filesize 1.5MB
• memory/1744-79-0x000000006FE40000-0x000000006FFC6000-memory.dmp, Filesize 1.5MB
• memory/1744-80-0x000000006FE40000-0x000000006FFC6000-memory.dmp, Filesize 1.5MB
• memory/1744-82-0x000000006B280000-0x000000006B2A6000-memory.dmp, Filesize 152KB
• memory/1744-83-0x0000000064940000-0x0000000064959000-memory.dmp, Filesize 100KB
• memory/1744-85-0x0000000064940000-0x0000000064959000-memory.dmp, Filesize 100KB
• memory/1744-86-0x0000000064940000-0x0000000064959000-memory.dmp, Filesize 100KB
• memory/1744-89-0x000000006B280000-0x000000006B2A6000-memory.dmp, Filesize 152KB
• memory/1824-193-0x0000000000220000-0x00000000002AC000-memory.dmp, Filesize 560KB
• memory/1824-196-0x0000000000220000-0x00000000002AC000-memory.dmp, Filesize 560KB
• memory/1824-245-0x0000000000490000-0x0000000000491000-memory.dmp, Filesize 4KB
• memory/1824-240-0x0000000000AA0000-0x0000000000AA1000-memory.dmp, Filesize 4KB
• memory/1968-255-0x0000000003D10000-0x0000000003E5E000-memory.dmp, Filesize 1.3MB
• memory/2104-307-0x0000000000A10000-0x0000000000A42000-memory.dmp, Filesize 200KB
• memory/2104-303-0x0000000000A10000-0x0000000000A42000-memory.dmp, Filesize 200KB
• memory/2104-322-0x00000000002D0000-0x00000000002D6000-memory.dmp, Filesize 24KB
• memory/2104-330-0x0000000000460000-0x0000000000461000-memory.dmp, Filesize 4KB
• memory/2132-304-0x0000000000860000-0x00000000008BD000-memory.dmp, Filesize 372KB
• memory/2132-300-0x00000000008E0000-0x00000000009E1000-memory.dmp, Filesize 1.0MB
• memory/2284-252-0x000000002CFF0000-0x000000002D09F000-memory.dmp, Filesize 700KB
• memory/2284-239-0x0000000000E90000-0x0000000000F46000-memory.dmp, Filesize 728KB
• memory/2284-260-0x000000002D0A0000-0x000000002D13C000-memory.dmp, Filesize 624KB
• memory/2284-238-0x0000000000CD0000-0x0000000000D88000-memory.dmp, Filesize 736KB
• memory/2308-234-0x0000000000400000-0x0000000000455000-memory.dmp, Filesize 340KB
• memory/2432-244-0x0000000000400000-0x000000000047C000-memory.dmp, Filesize 496KB
• memory/2480-306-0x00000000012E0000-0x0000000001340000-memory.dmp, Filesize 384KB
• memory/2480-336-0x00000000003B0000-0x00000000003B6000-memory.dmp, Filesize 24KB
• memory/2480-338-0x00000000003D0000-0x00000000003D1000-memory.dmp, Filesize 4KB
• memory/2480-324-0x0000000000390000-0x0000000000396000-memory.dmp, Filesize 24KB
• memory/2480-333-0x0000000000880000-0x00000000008EA000-memory.dmp, Filesize 424KB
• memory/2480-297-0x00000000012E0000-0x0000000001340000-memory.dmp, Filesize 384KB
• memory/2520-319-0x0000000000470000-0x0000000000471000-memory.dmp, Filesize 4KB
• memory/2532-318-0x0000000000390000-0x00000000003B2000-memory.dmp, Filesize 136KB
• memory/2532-339-0x0000000000270000-0x0000000000276000-memory.dmp, Filesize 24KB
• memory/2532-334-0x0000000000260000-0x0000000000278000-memory.dmp, Filesize 96KB
• memory/2532-331-0x000000001B050000-0x000000001B052000-memory.dmp, Filesize 8KB
• memory/2532-323-0x0000000000250000-0x0000000000256000-memory.dmp, Filesize 24KB
• memory/2532-321-0x0000000000390000-0x00000000003B2000-memory.dmp, Filesize 136KB
• memory/2664-259-0x0000000000400000-0x0000000000420000-memory.dmp, Filesize 128KB
• memory/2664-277-0x0000000000400000-0x0000000000420000-memory.dmp, Filesize 128KB
• memory/2664-262-0x0000000000400000-0x0000000000420000-memory.dmp, Filesize 128KB
• memory/2664-275-0x0000000000400000-0x0000000000420000-memory.dmp, Filesize 128KB
• memory/2664-308-0x0000000002630000-0x0000000002631000-memory.dmp, Filesize 4KB
• memory/2664-257-0x0000000000400000-0x0000000000420000-memory.dmp, Filesize 128KB
• memory/2672-284-0x0000000000340000-0x0000000000341000-memory.dmp, Filesize 4KB
• memory/2680-278-0x0000000000400000-0x0000000000420000-memory.dmp, Filesize 128KB
• memory/2680-261-0x0000000000400000-0x0000000000420000-memory.dmp, Filesize 128KB
• memory/2680-305-0x00000000005C0000-0x00000000005C1000-memory.dmp, Filesize 4KB
• memory/2680-276-0x0000000000400000-0x0000000000420000-memory.dmp, Filesize 128KB
• memory/3012-283-0x00000000006D0000-0x00000000006F4000-memory.dmp, Filesize 144KB