redline | bb2a56b2d08dfd580aa7918d7f1f844959bee7f3b868488c5e2e932c9885ec32

Analysis

max time kernel
151s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 00:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2115abb3b850a690a74ea252deaa710a.exe
Size

622KB
MD5

2115abb3b850a690a74ea252deaa710a
SHA1

8e42491122339c022ee5c6cac17e547bfabd4e2a
SHA256

bb2a56b2d08dfd580aa7918d7f1f844959bee7f3b868488c5e2e932c9885ec32
SHA512

46e7f52f903591edad5d346312581a4d241c2fa8c2ae0760a2f469946f699475ef6956be71aba55659226d93a48574b59d19760412c2d32590e3a826d9c5757c
SSDEEP

12288:iFQXX1C7b94xV/sJI7nD68b618g6ggEfzDehxTjUZW2H82h:CIOsRnDg

Score

10^/10

redline sectoprat norman2 infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

NORMAN2

45.14.49.184:27587

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/564-5-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/564-5-0x0000000000400000-0x0000000000422000-memory.dmp	family_sectoprat

Suspicious use of SetThreadContext 39 IoCs

description	pid	Process	procid_target
PID 2908 set thread context of 564	2908	2115abb3b850a690a74ea252deaa710a.exe	92
PID 2908 set thread context of 5060	2908	2115abb3b850a690a74ea252deaa710a.exe	94
PID 2908 set thread context of 2236	2908	2115abb3b850a690a74ea252deaa710a.exe	101
PID 2908 set thread context of 2776	2908	2115abb3b850a690a74ea252deaa710a.exe	104
PID 2908 set thread context of 3708	2908	2115abb3b850a690a74ea252deaa710a.exe	105
PID 2908 set thread context of 4488	2908	2115abb3b850a690a74ea252deaa710a.exe	109
PID 2908 set thread context of 4432	2908	2115abb3b850a690a74ea252deaa710a.exe	110
PID 2908 set thread context of 3248	2908	2115abb3b850a690a74ea252deaa710a.exe	111
PID 2908 set thread context of 1144	2908	2115abb3b850a690a74ea252deaa710a.exe	112
PID 2908 set thread context of 3108	2908	2115abb3b850a690a74ea252deaa710a.exe	114
PID 2908 set thread context of 3280	2908	2115abb3b850a690a74ea252deaa710a.exe	115
PID 2908 set thread context of 3952	2908	2115abb3b850a690a74ea252deaa710a.exe	117
PID 2908 set thread context of 4768	2908	2115abb3b850a690a74ea252deaa710a.exe	120
PID 2908 set thread context of 4564	2908	2115abb3b850a690a74ea252deaa710a.exe	121
PID 2908 set thread context of 820	2908	2115abb3b850a690a74ea252deaa710a.exe	122
PID 2908 set thread context of 2448	2908	2115abb3b850a690a74ea252deaa710a.exe	123
PID 2908 set thread context of 4348	2908	2115abb3b850a690a74ea252deaa710a.exe	127
PID 2908 set thread context of 2424	2908	2115abb3b850a690a74ea252deaa710a.exe	128
PID 2908 set thread context of 3904	2908	2115abb3b850a690a74ea252deaa710a.exe	133
PID 2908 set thread context of 1340	2908	2115abb3b850a690a74ea252deaa710a.exe	134
PID 2908 set thread context of 3084	2908	2115abb3b850a690a74ea252deaa710a.exe	135
PID 2908 set thread context of 2368	2908	2115abb3b850a690a74ea252deaa710a.exe	136
PID 2908 set thread context of 1124	2908	2115abb3b850a690a74ea252deaa710a.exe	138
PID 2908 set thread context of 3404	2908	2115abb3b850a690a74ea252deaa710a.exe	139
PID 2908 set thread context of 2956	2908	2115abb3b850a690a74ea252deaa710a.exe	140
PID 2908 set thread context of 4888	2908	2115abb3b850a690a74ea252deaa710a.exe	141
PID 2908 set thread context of 4032	2908	2115abb3b850a690a74ea252deaa710a.exe	142
PID 2908 set thread context of 2840	2908	2115abb3b850a690a74ea252deaa710a.exe	145
PID 2908 set thread context of 2360	2908	2115abb3b850a690a74ea252deaa710a.exe	146
PID 2908 set thread context of 4584	2908	2115abb3b850a690a74ea252deaa710a.exe	147
PID 2908 set thread context of 5024	2908	2115abb3b850a690a74ea252deaa710a.exe	148
PID 2908 set thread context of 4892	2908	2115abb3b850a690a74ea252deaa710a.exe	149
PID 2908 set thread context of 4852	2908	2115abb3b850a690a74ea252deaa710a.exe	150
PID 2908 set thread context of 1020	2908	2115abb3b850a690a74ea252deaa710a.exe	151
PID 2908 set thread context of 1192	2908	2115abb3b850a690a74ea252deaa710a.exe	152
PID 2908 set thread context of 456	2908	2115abb3b850a690a74ea252deaa710a.exe	153
PID 2908 set thread context of 5240	2908	2115abb3b850a690a74ea252deaa710a.exe	154
PID 2908 set thread context of 5352	2908	2115abb3b850a690a74ea252deaa710a.exe	155
PID 2908 set thread context of 5848	2908	2115abb3b850a690a74ea252deaa710a.exe	162

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5024	2776	WerFault.exe	104
3168	4348	WerFault.exe	127

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2776	2115abb3b850a690a74ea252deaa710a.exe
4348	2115abb3b850a690a74ea252deaa710a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 564	2908	2115abb3b850a690a74ea252deaa710a.exe	92
PID 2908 wrote to memory of 564	2908	2115abb3b850a690a74ea252deaa710a.exe	92
PID 2908 wrote to memory of 564	2908	2115abb3b850a690a74ea252deaa710a.exe	92
PID 2908 wrote to memory of 564	2908	2115abb3b850a690a74ea252deaa710a.exe	92
PID 2908 wrote to memory of 564	2908	2115abb3b850a690a74ea252deaa710a.exe	92
PID 2908 wrote to memory of 564	2908	2115abb3b850a690a74ea252deaa710a.exe	92
PID 2908 wrote to memory of 564	2908	2115abb3b850a690a74ea252deaa710a.exe	92
PID 2908 wrote to memory of 564	2908	2115abb3b850a690a74ea252deaa710a.exe	92
PID 2908 wrote to memory of 5060	2908	2115abb3b850a690a74ea252deaa710a.exe	94
PID 2908 wrote to memory of 5060	2908	2115abb3b850a690a74ea252deaa710a.exe	94
PID 2908 wrote to memory of 5060	2908	2115abb3b850a690a74ea252deaa710a.exe	94
PID 2908 wrote to memory of 5060	2908	2115abb3b850a690a74ea252deaa710a.exe	94
PID 2908 wrote to memory of 5060	2908	2115abb3b850a690a74ea252deaa710a.exe	94
PID 2908 wrote to memory of 5060	2908	2115abb3b850a690a74ea252deaa710a.exe	94
PID 2908 wrote to memory of 5060	2908	2115abb3b850a690a74ea252deaa710a.exe	94
PID 2908 wrote to memory of 5060	2908	2115abb3b850a690a74ea252deaa710a.exe	94
PID 2908 wrote to memory of 3972	2908	2115abb3b850a690a74ea252deaa710a.exe	99
PID 2908 wrote to memory of 3972	2908	2115abb3b850a690a74ea252deaa710a.exe	99
PID 2908 wrote to memory of 3972	2908	2115abb3b850a690a74ea252deaa710a.exe	99
PID 2908 wrote to memory of 2236	2908	2115abb3b850a690a74ea252deaa710a.exe	101
PID 2908 wrote to memory of 2236	2908	2115abb3b850a690a74ea252deaa710a.exe	101
PID 2908 wrote to memory of 2236	2908	2115abb3b850a690a74ea252deaa710a.exe	101
PID 2908 wrote to memory of 2236	2908	2115abb3b850a690a74ea252deaa710a.exe	101
PID 2908 wrote to memory of 2236	2908	2115abb3b850a690a74ea252deaa710a.exe	101
PID 2908 wrote to memory of 2236	2908	2115abb3b850a690a74ea252deaa710a.exe	101
PID 2908 wrote to memory of 2236	2908	2115abb3b850a690a74ea252deaa710a.exe	101
PID 2908 wrote to memory of 2236	2908	2115abb3b850a690a74ea252deaa710a.exe	101
PID 2908 wrote to memory of 2776	2908	2115abb3b850a690a74ea252deaa710a.exe	104
PID 2908 wrote to memory of 2776	2908	2115abb3b850a690a74ea252deaa710a.exe	104
PID 2908 wrote to memory of 2776	2908	2115abb3b850a690a74ea252deaa710a.exe	104
PID 2908 wrote to memory of 2776	2908	2115abb3b850a690a74ea252deaa710a.exe	104
PID 2908 wrote to memory of 2776	2908	2115abb3b850a690a74ea252deaa710a.exe	104
PID 2908 wrote to memory of 2776	2908	2115abb3b850a690a74ea252deaa710a.exe	104
PID 2908 wrote to memory of 2776	2908	2115abb3b850a690a74ea252deaa710a.exe	104
PID 2908 wrote to memory of 2776	2908	2115abb3b850a690a74ea252deaa710a.exe	104
PID 2908 wrote to memory of 3708	2908	2115abb3b850a690a74ea252deaa710a.exe	105
PID 2908 wrote to memory of 3708	2908	2115abb3b850a690a74ea252deaa710a.exe	105
PID 2908 wrote to memory of 3708	2908	2115abb3b850a690a74ea252deaa710a.exe	105
PID 2908 wrote to memory of 3708	2908	2115abb3b850a690a74ea252deaa710a.exe	105
PID 2908 wrote to memory of 3708	2908	2115abb3b850a690a74ea252deaa710a.exe	105
PID 2908 wrote to memory of 3708	2908	2115abb3b850a690a74ea252deaa710a.exe	105
PID 2908 wrote to memory of 3708	2908	2115abb3b850a690a74ea252deaa710a.exe	105
PID 2908 wrote to memory of 3708	2908	2115abb3b850a690a74ea252deaa710a.exe	105
PID 2908 wrote to memory of 4488	2908	2115abb3b850a690a74ea252deaa710a.exe	109
PID 2908 wrote to memory of 4488	2908	2115abb3b850a690a74ea252deaa710a.exe	109
PID 2908 wrote to memory of 4488	2908	2115abb3b850a690a74ea252deaa710a.exe	109
PID 2908 wrote to memory of 4488	2908	2115abb3b850a690a74ea252deaa710a.exe	109
PID 2908 wrote to memory of 4488	2908	2115abb3b850a690a74ea252deaa710a.exe	109
PID 2908 wrote to memory of 4488	2908	2115abb3b850a690a74ea252deaa710a.exe	109
PID 2908 wrote to memory of 4488	2908	2115abb3b850a690a74ea252deaa710a.exe	109
PID 2908 wrote to memory of 4488	2908	2115abb3b850a690a74ea252deaa710a.exe	109
PID 2908 wrote to memory of 4432	2908	2115abb3b850a690a74ea252deaa710a.exe	110
PID 2908 wrote to memory of 4432	2908	2115abb3b850a690a74ea252deaa710a.exe	110
PID 2908 wrote to memory of 4432	2908	2115abb3b850a690a74ea252deaa710a.exe	110
PID 2908 wrote to memory of 4432	2908	2115abb3b850a690a74ea252deaa710a.exe	110
PID 2908 wrote to memory of 4432	2908	2115abb3b850a690a74ea252deaa710a.exe	110
PID 2908 wrote to memory of 4432	2908	2115abb3b850a690a74ea252deaa710a.exe	110
PID 2908 wrote to memory of 4432	2908	2115abb3b850a690a74ea252deaa710a.exe	110
PID 2908 wrote to memory of 4432	2908	2115abb3b850a690a74ea252deaa710a.exe	110
PID 2908 wrote to memory of 3248	2908	2115abb3b850a690a74ea252deaa710a.exe	111
PID 2908 wrote to memory of 3248	2908	2115abb3b850a690a74ea252deaa710a.exe	111
PID 2908 wrote to memory of 3248	2908	2115abb3b850a690a74ea252deaa710a.exe	111
PID 2908 wrote to memory of 3248	2908	2115abb3b850a690a74ea252deaa710a.exe	111
PID 2908 wrote to memory of 3248	2908	2115abb3b850a690a74ea252deaa710a.exe	111

C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
"C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:564
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:5060
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:3972
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:2236
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  - Suspicious use of UnmapMainImage
  PID:2776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 12
    3⤵
    - Program crash
    PID:5024
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:3708
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:4488
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:4432
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:3248
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:1144
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:3108
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:3280
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:3952
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:4768
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:4564
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:820
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:2448
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:3404
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  - Suspicious use of UnmapMainImage
  PID:4348
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 12
    3⤵
    - Program crash
    PID:3168
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:2424
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:4912
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:3184
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:3904
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:1340
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:3084
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:2368
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:1124
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:3404
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:2956
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:4888
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:4032
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:1852
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:2840
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:2360
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:4584
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:5024
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:4892
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:4852
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:1020
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:1192
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:456
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:5240
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:5352
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:5436
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:5848
- C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  C:\Users\Admin\AppData\Local\Temp\2115abb3b850a690a74ea252deaa710a.exe
  2⤵
  PID:5980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2776 -ip 2776
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4348 -ip 4348
1⤵
PID:2960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/564-21-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/564-9-0x0000000005640000-0x000000000574A000-memory.dmp

Filesize
1.0MB

Download
memory/564-23-0x0000000005880000-0x0000000005890000-memory.dmp

Filesize
64KB

Download
memory/564-12-0x00000000055B0000-0x00000000055FC000-memory.dmp

Filesize
304KB

Download
memory/564-11-0x0000000005570000-0x00000000055AC000-memory.dmp

Filesize
240KB

Download
memory/564-5-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/564-6-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/564-7-0x0000000005AD0000-0x00000000060E8000-memory.dmp

Filesize
6.1MB

Download
memory/564-8-0x00000000054D0000-0x00000000054E2000-memory.dmp

Filesize
72KB

Download
memory/564-10-0x0000000005880000-0x0000000005890000-memory.dmp

Filesize
64KB

Download
memory/820-78-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/820-65-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/820-66-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/820-76-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/1144-41-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/1144-42-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/1144-54-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/1144-52-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/1340-85-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/1340-84-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/2236-18-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/2236-34-0x0000000004FC0000-0x0000000004FD0000-memory.dmp

Filesize
64KB

Download
memory/2236-31-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/2424-75-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/2448-71-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/2448-79-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/2448-82-0x0000000005060000-0x0000000005070000-memory.dmp

Filesize
64KB

Download
memory/2448-70-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/2908-0-0x0000000000440000-0x00000000004E2000-memory.dmp

Filesize
648KB

Download
memory/2908-19-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/2908-1-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/2908-17-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/2908-3-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/2908-4-0x0000000004E00000-0x0000000004E1E000-memory.dmp

Filesize
120KB

Download
memory/2908-2-0x0000000004E80000-0x0000000004EF6000-memory.dmp

Filesize
472KB

Download
memory/3108-56-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/3108-46-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/3108-47-0x0000000005980000-0x0000000005990000-memory.dmp

Filesize
64KB

Download
memory/3248-38-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/3248-50-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/3248-37-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/3280-62-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/3280-60-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/3280-49-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/3708-24-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/3708-36-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/3904-81-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/3952-53-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/3952-67-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/3952-64-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4432-45-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4432-33-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4488-30-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/4488-40-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4488-29-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4488-43-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/4564-61-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/4564-73-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4564-59-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4768-69-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/4768-57-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/5060-28-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/5060-25-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/5060-14-0x0000000074930000-0x00000000750E0000-memory.dmp

Filesize
7.7MB

Download
memory/5060-15-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download