Overview

overview

10

Static

static

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows7_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows7_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows7_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows7_x64

10

win102

windows10_x64

10

win102

windows10_x64

10

win102

windows10_x64

10

win102

windows10_x64

10

win104

windows10_x64

10

win104

windows10_x64

10

win104

windows10_x64

10

win104

windows10_x64

10

win105

windows10_x64

10

win105

windows10_x64

10

win105

windows10_x64

10

win105

windows10_x64

10

win106

windows10_x64

10

win106

windows10_x64

10

win106

windows10_x64

10

win106

windows10_x64

10

win103

windows10_x64

10

win103

windows10_x64

10

win103

windows10_x64

10

win103

windows10_x64

10

win101

windows10_x64

10

win101

windows10_x64

10

win101

windows10_x64

10

win101

windows10_x64

10

Resubmissions

12-11-2024 01:29

241112-bwgrxs1gnf 10

08-07-2021 12:18

210708-8z6d5h8z2n 10

06-07-2021 17:53

210706-g6we6sa7sa 10

19-06-2021 18:17

210619-vr8bj2dzfn 10

17-06-2021 21:39

210617-a9cvlnmrbx 10

11-06-2021 17:26

210611-wvab1yw2tj 10

08-06-2021 06:47

210608-qrbpch3y46 10

08-06-2021 06:47

210608-64tndgm1ln 10

05-06-2021 18:40

210605-cd6qpr55sx 10

04-06-2021 11:56

210604-5c416rs3ns 10

Analysis

  • max time kernel
    1800s
  • max time network
    1797s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    29-04-2021 06:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    keygen-step-4d.exe

  • Size

    4.6MB

  • MD5

    563107b1df2a00f4ec868acd9e08a205

  • SHA1

    9cb9c91d66292f5317aa50d92e38834861e9c9b7

  • SHA256

    bf2bd257dde4921ce83c7c1303fafe7f9f81e53c2775d3c373ced482b22eb8a9

  • SHA512

    99a8d247fa435c4cd95be7bc64c7dd6e382371f3a3c160aac3995fd705e4fd3f6622c23784a4ae3457c87536347d15eda3f08aa616450778a99376df540d74d1

Score
10/10
dcratfickerstealerraccoonredlinexmrigdiscoveryevasioninfostealerminerpersistenceratspywarestealertrojanupx

Malware Config

Extracted

Family

fickerstealer

C2

sodaandcoke.top:80

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs
    evasiontrojan
  • fickerstealer

    Ficker is an infostealer written in Rust and ASM.

    infostealerfickerstealer
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • XMRig Miner Payload 3 IoCs
    miner
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 64 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 19 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 10 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 14 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 3 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 5 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 9 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 51 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
    1⤵
      PID:284
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s Themes
      1⤵
        PID:1256
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2376
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s Browser
        1⤵
          PID:2556
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s WpnService
          1⤵
          • Modifies registry class
          PID:2660
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2636
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
          1⤵
            PID:2336
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
            1⤵
              PID:1944
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s SENS
              1⤵
                PID:1408
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                1⤵
                  PID:1216
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                  1⤵
                    PID:1100
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                    1⤵
                    • Drops file in System32 directory
                    PID:936
                    • C:\Users\Admin\AppData\Roaming\tehwuec
                      C:\Users\Admin\AppData\Roaming\tehwuec
                      2⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      PID:6100
                      • C:\Users\Admin\AppData\Roaming\tehwuec
                        C:\Users\Admin\AppData\Roaming\tehwuec
                        3⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Checks SCSI registry key(s)
                        • Suspicious behavior: MapViewOfSection
                        PID:4528
                    • C:\Users\Admin\AppData\Roaming\tehwuec
                      C:\Users\Admin\AppData\Roaming\tehwuec
                      2⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      PID:4920
                      • C:\Users\Admin\AppData\Roaming\tehwuec
                        C:\Users\Admin\AppData\Roaming\tehwuec
                        3⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Checks SCSI registry key(s)
                        • Suspicious behavior: MapViewOfSection
                        PID:364
                    • C:\Users\Admin\AppData\Roaming\tehwuec
                      C:\Users\Admin\AppData\Roaming\tehwuec
                      2⤵
                      • Suspicious use of SetThreadContext
                      PID:4392
                      • C:\Users\Admin\AppData\Roaming\tehwuec
                        C:\Users\Admin\AppData\Roaming\tehwuec
                        3⤵
                        • Loads dropped DLL
                        • Checks SCSI registry key(s)
                        • Suspicious behavior: MapViewOfSection
                        PID:5652
                  • C:\Users\Admin\AppData\Local\Temp\keygen-step-4d.exe
                    "C:\Users\Admin\AppData\Local\Temp\keygen-step-4d.exe"
                    1⤵
                    • Checks computer location settings
                    • Suspicious use of WriteProcessMemory
                    PID:4040
                    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe
                      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe"
                      2⤵
                      • Executes dropped EXE
                      • Drops file in Program Files directory
                      • Suspicious use of SetWindowsHookEx
                      • Suspicious use of WriteProcessMemory
                      PID:1968
                      • C:\Windows\SysWOW64\rundll32.exe
                        "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
                        3⤵
                        • Loads dropped DLL
                        • Modifies registry class
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2988
                    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe
                      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe"
                      2⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4036
                    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
                      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
                      2⤵
                      • Executes dropped EXE
                      • Suspicious use of WriteProcessMemory
                      PID:3052
                      • C:\Users\Admin\AppData\Local\Temp\is-KI6L5.tmp\Install.tmp
                        "C:\Users\Admin\AppData\Local\Temp\is-KI6L5.tmp\Install.tmp" /SL5="$40134,235791,152064,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
                        3⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Suspicious use of WriteProcessMemory
                        PID:2988
                        • C:\Users\Admin\AppData\Local\Temp\is-0HF86.tmp\Ultra.exe
                          "C:\Users\Admin\AppData\Local\Temp\is-0HF86.tmp\Ultra.exe" /S /UID=burnerch1
                          4⤵
                          • Drops file in Drivers directory
                          • Executes dropped EXE
                          • Adds Run key to start application
                          • Drops file in Program Files directory
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:1276
                          • C:\Program Files\Mozilla Firefox\FIKVYMNWRE\ultramediaburner.exe
                            "C:\Program Files\Mozilla Firefox\FIKVYMNWRE\ultramediaburner.exe" /VERYSILENT
                            5⤵
                            • Executes dropped EXE
                            • Suspicious use of WriteProcessMemory
                            PID:4272
                            • C:\Users\Admin\AppData\Local\Temp\is-SESG3.tmp\ultramediaburner.tmp
                              "C:\Users\Admin\AppData\Local\Temp\is-SESG3.tmp\ultramediaburner.tmp" /SL5="$301DA,281924,62464,C:\Program Files\Mozilla Firefox\FIKVYMNWRE\ultramediaburner.exe" /VERYSILENT
                              6⤵
                              • Executes dropped EXE
                              • Drops file in Program Files directory
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of WriteProcessMemory
                              PID:4304
                              • C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
                                "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
                                7⤵
                                • Executes dropped EXE
                                PID:4356
                          • C:\Users\Admin\AppData\Local\Temp\12-7aa6c-d4d-b7ba0-ef8c5f3a55eec\Caetepobuhe.exe
                            "C:\Users\Admin\AppData\Local\Temp\12-7aa6c-d4d-b7ba0-ef8c5f3a55eec\Caetepobuhe.exe"
                            5⤵
                            • Executes dropped EXE
                            • Checks computer location settings
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4364
                          • C:\Users\Admin\AppData\Local\Temp\e1-a3c41-029-87bae-fc17277b78f8d\Raekijikaedo.exe
                            "C:\Users\Admin\AppData\Local\Temp\e1-a3c41-029-87bae-fc17277b78f8d\Raekijikaedo.exe"
                            5⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:4432
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mfaizbu0.c54\skipper.exe /s & exit
                              6⤵
                              • Suspicious use of WriteProcessMemory
                              PID:5468
                              • C:\Users\Admin\AppData\Local\Temp\mfaizbu0.c54\skipper.exe
                                C:\Users\Admin\AppData\Local\Temp\mfaizbu0.c54\skipper.exe /s
                                7⤵
                                • Executes dropped EXE
                                • Suspicious use of WriteProcessMemory
                                PID:5636
                                • C:\Users\Admin\AppData\Local\Temp\608130462.exe
                                  C:\Users\Admin\AppData\Local\Temp\608130462.exe
                                  8⤵
                                    PID:5652
                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                      9⤵
                                        PID:6088
                                    • C:\Users\Admin\AppData\Local\Temp\745609270.exe
                                      C:\Users\Admin\AppData\Local\Temp\745609270.exe
                                      8⤵
                                      • Executes dropped EXE
                                      • Suspicious use of SetThreadContext
                                      PID:5012
                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                        9⤵
                                          PID:5204
                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                          9⤵
                                            PID:1896
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\mfaizbu0.c54\skipper.exe & exit
                                          8⤵
                                            PID:1524
                                            • C:\Windows\SysWOW64\PING.EXE
                                              ping 0
                                              9⤵
                                              • Runs ping.exe
                                              PID:3852
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\43np3kud.bpe\001.exe & exit
                                        6⤵
                                        • Suspicious use of WriteProcessMemory
                                        PID:5864
                                        • C:\Users\Admin\AppData\Local\Temp\43np3kud.bpe\001.exe
                                          C:\Users\Admin\AppData\Local\Temp\43np3kud.bpe\001.exe
                                          7⤵
                                          • Executes dropped EXE
                                          PID:5988
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\okehbwec.4bw\gpooe.exe & exit
                                        6⤵
                                          PID:6132
                                          • C:\Users\Admin\AppData\Local\Temp\okehbwec.4bw\gpooe.exe
                                            C:\Users\Admin\AppData\Local\Temp\okehbwec.4bw\gpooe.exe
                                            7⤵
                                            • Executes dropped EXE
                                            • Adds Run key to start application
                                            PID:4200
                                            • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                              C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                              8⤵
                                              • Executes dropped EXE
                                              PID:896
                                            • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                              C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                              8⤵
                                                PID:4676
                                              • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                8⤵
                                                • Executes dropped EXE
                                                PID:5256
                                              • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                8⤵
                                                • Executes dropped EXE
                                                PID:4268
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\c3ntgz55.lnt\google-game.exe & exit
                                            6⤵
                                              PID:5128
                                              • C:\Users\Admin\AppData\Local\Temp\c3ntgz55.lnt\google-game.exe
                                                C:\Users\Admin\AppData\Local\Temp\c3ntgz55.lnt\google-game.exe
                                                7⤵
                                                • Executes dropped EXE
                                                • Drops file in Program Files directory
                                                • Suspicious use of SetWindowsHookEx
                                                PID:5592
                                                • C:\Windows\SysWOW64\rundll32.exe
                                                  "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
                                                  8⤵
                                                  • Loads dropped DLL
                                                  PID:5944
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fzv2rv51.irz\md1_1eaf.exe & exit
                                              6⤵
                                                PID:2596
                                                • C:\Users\Admin\AppData\Local\Temp\fzv2rv51.irz\md1_1eaf.exe
                                                  C:\Users\Admin\AppData\Local\Temp\fzv2rv51.irz\md1_1eaf.exe
                                                  7⤵
                                                  • Executes dropped EXE
                                                  • Checks whether UAC is enabled
                                                  PID:5200
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pvr1p3ou.pne\HookSetp.exe /silent & exit
                                                6⤵
                                                  PID:3224
                                                  • C:\Users\Admin\AppData\Local\Temp\pvr1p3ou.pne\HookSetp.exe
                                                    C:\Users\Admin\AppData\Local\Temp\pvr1p3ou.pne\HookSetp.exe /silent
                                                    7⤵
                                                    • Executes dropped EXE
                                                    PID:5772
                                                    • C:\Users\Admin\AppData\Roaming\8378503.exe
                                                      "C:\Users\Admin\AppData\Roaming\8378503.exe"
                                                      8⤵
                                                      • Executes dropped EXE
                                                      PID:5128
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tvav2l1z.okt\BBCbrowser.exe /VERYSILENT & exit
                                                  6⤵
                                                    PID:5812
                                                    • C:\Users\Admin\AppData\Local\Temp\tvav2l1z.okt\BBCbrowser.exe
                                                      C:\Users\Admin\AppData\Local\Temp\tvav2l1z.okt\BBCbrowser.exe /VERYSILENT
                                                      7⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of SetThreadContext
                                                      PID:6028
                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                        8⤵
                                                          PID:5696
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s4o0mh4s.bky\md2_2efs.exe & exit
                                                      6⤵
                                                        PID:4780
                                                        • C:\Users\Admin\AppData\Local\Temp\s4o0mh4s.bky\md2_2efs.exe
                                                          C:\Users\Admin\AppData\Local\Temp\s4o0mh4s.bky\md2_2efs.exe
                                                          7⤵
                                                          • Executes dropped EXE
                                                          • Checks whether UAC is enabled
                                                          PID:4984
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\o2e3hjb4.msm\askinstall39.exe & exit
                                                        6⤵
                                                          PID:2520
                                                          • C:\Users\Admin\AppData\Local\Temp\o2e3hjb4.msm\askinstall39.exe
                                                            C:\Users\Admin\AppData\Local\Temp\o2e3hjb4.msm\askinstall39.exe
                                                            7⤵
                                                            • Executes dropped EXE
                                                            PID:5380
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              cmd.exe /c taskkill /f /im chrome.exe
                                                              8⤵
                                                                PID:5960
                                                                • C:\Windows\SysWOW64\taskkill.exe
                                                                  taskkill /f /im chrome.exe
                                                                  9⤵
                                                                  • Kills process with taskkill
                                                                  PID:4124
                                                          • C:\Windows\System32\cmd.exe
                                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jeby0ju4.kld\y1.exe & exit
                                                            6⤵
                                                              PID:5404
                                                              • C:\Users\Admin\AppData\Local\Temp\jeby0ju4.kld\y1.exe
                                                                C:\Users\Admin\AppData\Local\Temp\jeby0ju4.kld\y1.exe
                                                                7⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                PID:4956
                                                                • C:\Users\Admin\AppData\Local\Temp\wff0kXk2MC.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\wff0kXk2MC.exe"
                                                                  8⤵
                                                                  • Executes dropped EXE
                                                                  • Modifies system certificate store
                                                                  PID:5972
                                                                  • C:\Users\Admin\AppData\Roaming\1619679181646.exe
                                                                    "C:\Users\Admin\AppData\Roaming\1619679181646.exe" /sjson "C:\Users\Admin\AppData\Roaming\1619679181646.txt"
                                                                    9⤵
                                                                    • Executes dropped EXE
                                                                    PID:4896
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\wff0kXk2MC.exe"
                                                                    9⤵
                                                                      PID:1300
                                                                      • C:\Windows\SysWOW64\PING.EXE
                                                                        ping 127.0.0.1 -n 3
                                                                        10⤵
                                                                        • Runs ping.exe
                                                                        PID:4992
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\jeby0ju4.kld\y1.exe"
                                                                    8⤵
                                                                      PID:5868
                                                                      • C:\Windows\System32\Conhost.exe
                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        9⤵
                                                                        • Executes dropped EXE
                                                                        PID:4676
                                                                      • C:\Windows\SysWOW64\timeout.exe
                                                                        timeout /T 10 /NOBREAK
                                                                        9⤵
                                                                        • Delays execution with timeout.exe
                                                                        PID:4800
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pmm2red4.viy\jvppp.exe & exit
                                                                  6⤵
                                                                    PID:5216
                                                                    • C:\Users\Admin\AppData\Local\Temp\pmm2red4.viy\jvppp.exe
                                                                      C:\Users\Admin\AppData\Local\Temp\pmm2red4.viy\jvppp.exe
                                                                      7⤵
                                                                      • Executes dropped EXE
                                                                      PID:3876
                                                                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                        8⤵
                                                                        • Executes dropped EXE
                                                                        PID:5264
                                                                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                        8⤵
                                                                        • Executes dropped EXE
                                                                        PID:4688
                                                                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                        8⤵
                                                                        • Executes dropped EXE
                                                                        PID:5532
                                                                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                        8⤵
                                                                        • Executes dropped EXE
                                                                        PID:1520
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tqnic5m2.zpm\GcleanerWW.exe /mixone & exit
                                                                    6⤵
                                                                      PID:3052
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fk4ii1vr.spd\toolspab1.exe & exit
                                                                      6⤵
                                                                        PID:5384
                                                                        • C:\Users\Admin\AppData\Local\Temp\fk4ii1vr.spd\toolspab1.exe
                                                                          C:\Users\Admin\AppData\Local\Temp\fk4ii1vr.spd\toolspab1.exe
                                                                          7⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetThreadContext
                                                                          PID:5284
                                                                          • C:\Users\Admin\AppData\Local\Temp\fk4ii1vr.spd\toolspab1.exe
                                                                            C:\Users\Admin\AppData\Local\Temp\fk4ii1vr.spd\toolspab1.exe
                                                                            8⤵
                                                                            • Executes dropped EXE
                                                                            • Loads dropped DLL
                                                                            • Checks SCSI registry key(s)
                                                                            • Suspicious behavior: MapViewOfSection
                                                                            PID:4684
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\22dkz404.iqr\005.exe & exit
                                                                        6⤵
                                                                          PID:6140
                                                                          • C:\Users\Admin\AppData\Local\Temp\22dkz404.iqr\005.exe
                                                                            C:\Users\Admin\AppData\Local\Temp\22dkz404.iqr\005.exe
                                                                            7⤵
                                                                            • Executes dropped EXE
                                                                            PID:5364
                                                                • C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"
                                                                  2⤵
                                                                  • Executes dropped EXE
                                                                  • Modifies data under HKEY_USERS
                                                                  • Modifies system certificate store
                                                                  • Suspicious use of WriteProcessMemory
                                                                  PID:4560
                                                                  • C:\Users\Admin\AppData\Roaming\6E5F.tmp.exe
                                                                    "C:\Users\Admin\AppData\Roaming\6E5F.tmp.exe"
                                                                    3⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of SetThreadContext
                                                                    PID:6000
                                                                    • C:\Users\Admin\AppData\Roaming\6E5F.tmp.exe
                                                                      "C:\Users\Admin\AppData\Roaming\6E5F.tmp.exe"
                                                                      4⤵
                                                                      • Executes dropped EXE
                                                                      PID:1276
                                                                  • C:\Users\Admin\AppData\Roaming\7277.tmp.exe
                                                                    "C:\Users\Admin\AppData\Roaming\7277.tmp.exe"
                                                                    3⤵
                                                                    • Executes dropped EXE
                                                                    • Adds Run key to start application
                                                                    • Suspicious use of SetThreadContext
                                                                    PID:4396
                                                                    • C:\Windows\system32\msiexec.exe
                                                                      -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.w9412@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
                                                                      4⤵
                                                                        PID:4764
                                                                      • C:\Windows\system32\msiexec.exe
                                                                        -o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8.w15876 --cpu-max-threads-hint 50 -r 9999
                                                                        4⤵
                                                                        • Blocklisted process makes network request
                                                                        PID:4252
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"
                                                                      3⤵
                                                                        PID:5416
                                                                        • C:\Windows\SysWOW64\PING.EXE
                                                                          ping 127.0.0.1
                                                                          4⤵
                                                                          • Runs ping.exe
                                                                          PID:5996
                                                                    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe"
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • Checks whether UAC is enabled
                                                                      PID:5952
                                                                    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe"
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      PID:5916
                                                                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                        3⤵
                                                                        • Executes dropped EXE
                                                                        PID:5408
                                                                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                        3⤵
                                                                        • Executes dropped EXE
                                                                        PID:5212
                                                                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                        3⤵
                                                                        • Executes dropped EXE
                                                                        PID:3996
                                                                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                        3⤵
                                                                          PID:1976
                                                                    • \??\c:\windows\system32\svchost.exe
                                                                      c:\windows\system32\svchost.exe -k netsvcs -s BITS
                                                                      1⤵
                                                                      • Suspicious use of SetThreadContext
                                                                      • Modifies data under HKEY_USERS
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      • Suspicious use of WriteProcessMemory
                                                                      PID:1796
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                        2⤵
                                                                        • Checks processor information in registry
                                                                        • Modifies data under HKEY_USERS
                                                                        • Modifies registry class
                                                                        PID:2644
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                                        2⤵
                                                                        • Checks processor information in registry
                                                                        PID:4156
                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                      1⤵
                                                                      • Drops file in Windows directory
                                                                      • Modifies Internet Explorer settings
                                                                      • Modifies registry class
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:4932
                                                                    • C:\Windows\system32\browser_broker.exe
                                                                      C:\Windows\system32\browser_broker.exe -Embedding
                                                                      1⤵
                                                                        PID:4980
                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                        1⤵
                                                                        • Suspicious behavior: MapViewOfSection
                                                                        • Suspicious use of SetWindowsHookEx
                                                                        PID:5236
                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                        1⤵
                                                                        • Modifies Internet Explorer settings
                                                                        • Modifies registry class
                                                                        PID:5568
                                                                      • C:\Users\Admin\AppData\Local\Temp\8780.exe
                                                                        C:\Users\Admin\AppData\Local\Temp\8780.exe
                                                                        1⤵
                                                                          PID:4868
                                                                        • C:\Users\Admin\AppData\Local\Temp\89D3.exe
                                                                          C:\Users\Admin\AppData\Local\Temp\89D3.exe
                                                                          1⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetWindowsHookEx
                                                                          PID:5008
                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                          1⤵
                                                                          • Drops file in Windows directory
                                                                          • Modifies registry class
                                                                          • Suspicious use of SetWindowsHookEx
                                                                          PID:5484
                                                                        • C:\Windows\system32\browser_broker.exe
                                                                          C:\Windows\system32\browser_broker.exe -Embedding
                                                                          1⤵
                                                                          • Modifies Internet Explorer settings
                                                                          PID:4424
                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                          1⤵
                                                                          • Modifies registry class
                                                                          • Suspicious behavior: MapViewOfSection
                                                                          • Suspicious use of SetWindowsHookEx
                                                                          PID:4952
                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                          1⤵
                                                                          • Modifies registry class
                                                                          PID:3980
                                                                        • C:\Users\Admin\AppData\Local\Temp\9F31.exe
                                                                          C:\Users\Admin\AppData\Local\Temp\9F31.exe
                                                                          1⤵
                                                                          • Executes dropped EXE
                                                                          • Loads dropped DLL
                                                                          • Suspicious use of SetThreadContext
                                                                          PID:5652
                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                            cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\9F31.exe"
                                                                            2⤵
                                                                              PID:5640
                                                                              • C:\Windows\SysWOW64\timeout.exe
                                                                                timeout /T 10 /NOBREAK
                                                                                3⤵
                                                                                • Delays execution with timeout.exe
                                                                                • Modifies Internet Explorer settings
                                                                                PID:4980
                                                                          • C:\Users\Admin\AppData\Local\Temp\D584.exe
                                                                            C:\Users\Admin\AppData\Local\Temp\D584.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            PID:4420
                                                                          • C:\Users\Admin\AppData\Local\Temp\E16C.exe
                                                                            C:\Users\Admin\AppData\Local\Temp\E16C.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            PID:4288
                                                                          • C:\Users\Admin\AppData\Local\Temp\E7A7.exe
                                                                            C:\Users\Admin\AppData\Local\Temp\E7A7.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            PID:5612
                                                                          • C:\Users\Admin\AppData\Local\Temp\F14C.exe
                                                                            C:\Users\Admin\AppData\Local\Temp\F14C.exe
                                                                            1⤵
                                                                            • Executes dropped EXE
                                                                            • Loads dropped DLL
                                                                            PID:2400
                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                              cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\F14C.exe"
                                                                              2⤵
                                                                                PID:4940
                                                                                • C:\Windows\SysWOW64\timeout.exe
                                                                                  timeout /T 10 /NOBREAK
                                                                                  3⤵
                                                                                  • Delays execution with timeout.exe
                                                                                  PID:4564
                                                                            • C:\Users\Admin\AppData\Local\Temp\F499.exe
                                                                              C:\Users\Admin\AppData\Local\Temp\F499.exe
                                                                              1⤵
                                                                              • Executes dropped EXE
                                                                              • Windows security modification
                                                                              • Suspicious use of SetThreadContext
                                                                              PID:4280
                                                                              • C:\Users\Admin\AppData\Local\Temp\6a284c08-55c9-4312-a64a-bfd5d7eeb3c9\AdvancedRun.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\6a284c08-55c9-4312-a64a-bfd5d7eeb3c9\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\6a284c08-55c9-4312-a64a-bfd5d7eeb3c9\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
                                                                                2⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious use of SetWindowsHookEx
                                                                                PID:4868
                                                                                • C:\Users\Admin\AppData\Local\Temp\6a284c08-55c9-4312-a64a-bfd5d7eeb3c9\AdvancedRun.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\6a284c08-55c9-4312-a64a-bfd5d7eeb3c9\AdvancedRun.exe" /SpecialRun 4101d8 4868
                                                                                  3⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:6064
                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\F499.exe" -Force
                                                                                2⤵
                                                                                  PID:4876
                                                                                • C:\Users\Admin\AppData\Local\Temp\F499.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\F499.exe"
                                                                                  2⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:5588
                                                                              • C:\Users\Admin\AppData\Local\Temp\FBCE.exe
                                                                                C:\Users\Admin\AppData\Local\Temp\FBCE.exe
                                                                                1⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious use of SetThreadContext
                                                                                PID:5092
                                                                                • C:\Users\Admin\AppData\Local\Temp\FBCE.exe
                                                                                  "{path}"
                                                                                  2⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:5184
                                                                              • C:\Users\Admin\AppData\Local\Temp\4B8.exe
                                                                                C:\Users\Admin\AppData\Local\Temp\4B8.exe
                                                                                1⤵
                                                                                  PID:5588
                                                                                • C:\Windows\SysWOW64\explorer.exe
                                                                                  C:\Windows\SysWOW64\explorer.exe
                                                                                  1⤵
                                                                                    PID:4320
                                                                                  • C:\Windows\explorer.exe
                                                                                    C:\Windows\explorer.exe
                                                                                    1⤵
                                                                                      PID:5604
                                                                                    • C:\Windows\SysWOW64\explorer.exe
                                                                                      C:\Windows\SysWOW64\explorer.exe
                                                                                      1⤵
                                                                                        PID:376
                                                                                      • C:\Windows\explorer.exe
                                                                                        C:\Windows\explorer.exe
                                                                                        1⤵
                                                                                        • Suspicious behavior: MapViewOfSection
                                                                                        PID:4228
                                                                                      • C:\Windows\SysWOW64\explorer.exe
                                                                                        C:\Windows\SysWOW64\explorer.exe
                                                                                        1⤵
                                                                                          PID:5428
                                                                                        • C:\Windows\explorer.exe
                                                                                          C:\Windows\explorer.exe
                                                                                          1⤵
                                                                                          • Suspicious behavior: MapViewOfSection
                                                                                          PID:4256
                                                                                        • C:\Windows\SysWOW64\explorer.exe
                                                                                          C:\Windows\SysWOW64\explorer.exe
                                                                                          1⤵
                                                                                            PID:4884
                                                                                          • C:\Windows\explorer.exe
                                                                                            C:\Windows\explorer.exe
                                                                                            1⤵
                                                                                            • Suspicious behavior: MapViewOfSection
                                                                                            PID:5556
                                                                                          • C:\Windows\SysWOW64\explorer.exe
                                                                                            C:\Windows\SysWOW64\explorer.exe
                                                                                            1⤵
                                                                                              PID:5800
                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                              1⤵
                                                                                              • Drops file in Windows directory
                                                                                              • Modifies registry class
                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                              PID:5920
                                                                                            • C:\Windows\system32\browser_broker.exe
                                                                                              C:\Windows\system32\browser_broker.exe -Embedding
                                                                                              1⤵
                                                                                              • Modifies Internet Explorer settings
                                                                                              PID:5716
                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                              1⤵
                                                                                              • Modifies registry class
                                                                                              • Suspicious behavior: MapViewOfSection
                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                              PID:5012
                                                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                              1⤵
                                                                                                PID:5404
                                                                                                • C:\Windows\system32\WerFault.exe
                                                                                                  C:\Windows\system32\WerFault.exe -u -p 5404 -s 1296
                                                                                                  2⤵
                                                                                                  • Program crash
                                                                                                  • Checks processor information in registry
                                                                                                  • Enumerates system info in registry
                                                                                                  PID:3944
                                                                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                                1⤵
                                                                                                • Modifies registry class
                                                                                                PID:1208

                                                                                              Network

                                                                                              MITRE ATT&CK Enterprise v6

                                                                                              Replay Monitor

                                                                                              Loading Replay Monitor...

                                                                                              Downloads

                                                                                              • memory/284-175-0x000001E9D2720000-0x000001E9D2790000-memory.dmp

                                                                                                Filesize

                                                                                                448KB

                                                                                                Download

                                                                                              • memory/936-189-0x000001FCFCFD0000-0x000001FCFD040000-memory.dmp

                                                                                                Filesize

                                                                                                448KB

                                                                                                Download

                                                                                              • memory/936-314-0x000001FCFD6B0000-0x000001FCFD720000-memory.dmp

                                                                                                Filesize

                                                                                                448KB

                                                                                                Download

                                                                                              • memory/1100-310-0x0000022791C10000-0x0000022791C80000-memory.dmp

                                                                                                Filesize

                                                                                                448KB

                                                                                                Download

                                                                                              • memory/1100-187-0x0000022791B30000-0x0000022791BA0000-memory.dmp

                                                                                                Filesize

                                                                                                448KB

                                                                                                Download

                                                                                              • memory/1216-170-0x00000219A3B00000-0x00000219A3B70000-memory.dmp

                                                                                                Filesize

                                                                                                448KB

                                                                                                Download

                                                                                              • memory/1256-164-0x000001CB5A8D0000-0x000001CB5A940000-memory.dmp

                                                                                                Filesize

                                                                                                448KB

                                                                                                Download

                                                                                              • memory/1276-203-0x0000000001160000-0x0000000001162000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/1276-280-0x0000000000400000-0x0000000000447000-memory.dmp

                                                                                                Filesize

                                                                                                284KB

                                                                                                Download

                                                                                              • memory/1276-275-0x0000000000400000-0x0000000000447000-memory.dmp

                                                                                                Filesize

                                                                                                284KB

                                                                                                Download

                                                                                              • memory/1408-152-0x000002490C840000-0x000002490C8B0000-memory.dmp

                                                                                                Filesize

                                                                                                448KB

                                                                                                Download

                                                                                              • memory/1796-157-0x000002E8050A0000-0x000002E805110000-memory.dmp

                                                                                                Filesize

                                                                                                448KB

                                                                                                Download

                                                                                              • memory/1796-153-0x000002E804FE0000-0x000002E80502B000-memory.dmp

                                                                                                Filesize

                                                                                                300KB

                                                                                                Download

                                                                                              • memory/1944-158-0x0000021E26FD0000-0x0000021E27040000-memory.dmp

                                                                                                Filesize

                                                                                                448KB

                                                                                                Download

                                                                                              • memory/2336-183-0x0000022D32210000-0x0000022D32280000-memory.dmp

                                                                                                Filesize

                                                                                                448KB

                                                                                                Download

                                                                                              • memory/2376-306-0x0000028914810000-0x000002891485B000-memory.dmp

                                                                                                Filesize

                                                                                                300KB

                                                                                                Download

                                                                                              • memory/2376-185-0x0000028914880000-0x00000289148F0000-memory.dmp

                                                                                                Filesize

                                                                                                448KB

                                                                                                Download

                                                                                              • memory/2376-307-0x0000028914990000-0x0000028914A00000-memory.dmp

                                                                                                Filesize

                                                                                                448KB

                                                                                                Download

                                                                                              • memory/2556-165-0x000001833F0D0000-0x000001833F140000-memory.dmp

                                                                                                Filesize

                                                                                                448KB

                                                                                                Download

                                                                                              • memory/2636-176-0x000002BC90080000-0x000002BC900F0000-memory.dmp

                                                                                                Filesize

                                                                                                448KB

                                                                                                Download

                                                                                              • memory/2644-169-0x0000021F27C70000-0x0000021F27CE0000-memory.dmp

                                                                                                Filesize

                                                                                                448KB

                                                                                                Download

                                                                                              • memory/2660-180-0x000001D1896C0000-0x000001D189730000-memory.dmp

                                                                                                Filesize

                                                                                                448KB

                                                                                                Download

                                                                                              • memory/2988-148-0x000000000069F000-0x00000000007A0000-memory.dmp

                                                                                                Filesize

                                                                                                1.0MB

                                                                                                Download

                                                                                              • memory/2988-151-0x00000000040C0000-0x000000000411C000-memory.dmp

                                                                                                Filesize

                                                                                                368KB

                                                                                                Download

                                                                                              • memory/2988-199-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/3052-193-0x0000000000400000-0x000000000042B000-memory.dmp

                                                                                                Filesize

                                                                                                172KB

                                                                                                Download

                                                                                              • memory/4036-126-0x0000000000A60000-0x0000000000A61000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/4036-128-0x0000000001060000-0x0000000001061000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/4036-182-0x000000001B7A0000-0x000000001B7A2000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/4036-133-0x0000000001070000-0x000000000108C000-memory.dmp

                                                                                                Filesize

                                                                                                112KB

                                                                                                Download

                                                                                              • memory/4036-139-0x0000000001090000-0x0000000001091000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/4156-208-0x000001CB6C170000-0x000001CB6C1E1000-memory.dmp

                                                                                                Filesize

                                                                                                452KB

                                                                                                Download

                                                                                              • memory/4156-207-0x000001CB6BE50000-0x000001CB6BE9B000-memory.dmp

                                                                                                Filesize

                                                                                                300KB

                                                                                                Download

                                                                                              • memory/4252-294-0x0000000140000000-0x000000014070A000-memory.dmp

                                                                                                Filesize

                                                                                                7.0MB

                                                                                                Download

                                                                                              • memory/4252-288-0x000002D8954E0000-0x000002D8954F4000-memory.dmp

                                                                                                Filesize

                                                                                                80KB

                                                                                                Download

                                                                                              • memory/4252-284-0x0000000140000000-0x000000014070A000-memory.dmp

                                                                                                Filesize

                                                                                                7.0MB

                                                                                                Download

                                                                                              • memory/4272-211-0x0000000000400000-0x0000000000416000-memory.dmp

                                                                                                Filesize

                                                                                                88KB

                                                                                                Download

                                                                                              • memory/4304-217-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/4356-229-0x0000000002C80000-0x0000000002C82000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/4356-233-0x0000000002C82000-0x0000000002C84000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/4356-241-0x0000000002C85000-0x0000000002C87000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/4356-234-0x0000000002C84000-0x0000000002C85000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/4364-230-0x0000000002180000-0x0000000002182000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/4432-231-0x00000000008F0000-0x00000000008F2000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/4432-232-0x00000000008F2000-0x00000000008F4000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/4432-242-0x00000000008F5000-0x00000000008F6000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/4560-278-0x00000000037C0000-0x0000000003808000-memory.dmp

                                                                                                Filesize

                                                                                                288KB

                                                                                                Download

                                                                                              • memory/4560-238-0x0000000000760000-0x000000000076D000-memory.dmp

                                                                                                Filesize

                                                                                                52KB

                                                                                                Download

                                                                                              • memory/4764-283-0x0000000140000000-0x0000000140383000-memory.dmp

                                                                                                Filesize

                                                                                                3.5MB

                                                                                                Download

                                                                                              • memory/4764-281-0x0000000140000000-0x0000000140383000-memory.dmp

                                                                                                Filesize

                                                                                                3.5MB

                                                                                                Download

                                                                                              • memory/5652-261-0x00000000054F0000-0x00000000054F1000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/5652-260-0x0000000002DD0000-0x0000000002DD2000-memory.dmp

                                                                                                Filesize

                                                                                                8KB

                                                                                                Download

                                                                                              • memory/5652-257-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

                                                                                                Filesize

                                                                                                4KB

                                                                                                Download

                                                                                              • memory/5944-311-0x0000000004730000-0x000000000478C000-memory.dmp

                                                                                                Filesize

                                                                                                368KB

                                                                                                Download

                                                                                              • memory/5944-303-0x000000000484D000-0x000000000494E000-memory.dmp

                                                                                                Filesize

                                                                                                1.0MB

                                                                                                Download

                                                                                              • memory/5988-253-0x00000000005F0000-0x0000000000602000-memory.dmp

                                                                                                Filesize

                                                                                                72KB

                                                                                                Download

                                                                                              • memory/5988-252-0x00000000001F0000-0x0000000000200000-memory.dmp

                                                                                                Filesize

                                                                                                64KB

                                                                                                Download

                                                                                              • memory/6000-279-0x0000000002070000-0x00000000020B4000-memory.dmp

                                                                                                Filesize

                                                                                                272KB

                                                                                                Download