Overview

overview

10

Static

static

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

8

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

8

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

10

ﱞﱞﱞ�...ฺฺ

windows10_x64

10

ﱞﱞﱞ�...ฺฺ

windows10_x64

8

ﱞﱞﱞ�...ฺฺ

windows10_x64

10

ﱞﱞﱞ�...ฺฺ

windows10_x64

8

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

8

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

8

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

8

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

8

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

8

ﱞﱞﱞ�...ﱞﱞ

windows10_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows7_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows7_x64

8

ﱞﱞﱞ�...ﱞﱞ

windows7_x64

10

ﱞﱞﱞ�...ﱞﱞ

windows7_x64

10

Resubmissions

12-11-2024 01:29

241112-bwgrxs1gnf 10

08-07-2021 12:18

210708-8z6d5h8z2n 10

06-07-2021 17:53

210706-g6we6sa7sa 10

19-06-2021 18:17

210619-vr8bj2dzfn 10

17-06-2021 21:39

210617-a9cvlnmrbx 10

11-06-2021 17:26

210611-wvab1yw2tj 10

08-06-2021 06:47

210608-qrbpch3y46 10

08-06-2021 06:47

210608-64tndgm1ln 10

05-06-2021 18:40

210605-cd6qpr55sx 10

04-06-2021 11:56

210604-5c416rs3ns 10

Analysis

  • max time kernel
    39s
  • max time network
    60s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    15-05-2021 10:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    keygen-step-4d.exe

  • Size

    4.6MB

  • MD5

    563107b1df2a00f4ec868acd9e08a205

  • SHA1

    9cb9c91d66292f5317aa50d92e38834861e9c9b7

  • SHA256

    bf2bd257dde4921ce83c7c1303fafe7f9f81e53c2775d3c373ced482b22eb8a9

  • SHA512

    99a8d247fa435c4cd95be7bc64c7dd6e382371f3a3c160aac3995fd705e4fd3f6622c23784a4ae3457c87536347d15eda3f08aa616450778a99376df540d74d1

Score
10/10
plugxdiscoveryevasionpersistencespywarestealertrojanupx

Malware Config

Signatures

  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Blocklisted process makes network request 20 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 31 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 30 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 8 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 18 IoCs
  • Drops file in Windows directory 33 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 19 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Themes
    1⤵
      PID:1228
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
      1⤵
        PID:2476
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s WpnService
        1⤵
          PID:2688
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s Browser
          1⤵
            PID:2808
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2676
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2448
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
            1⤵
              PID:1880
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s SENS
              1⤵
                PID:1424
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                1⤵
                  PID:1292
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                  1⤵
                    PID:1108
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                    1⤵
                    • Drops file in System32 directory
                    PID:1068
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                    1⤵
                      PID:1012
                    • C:\Users\Admin\AppData\Local\Temp\keygen-step-4d.exe
                      "C:\Users\Admin\AppData\Local\Temp\keygen-step-4d.exe"
                      1⤵
                      • Checks computer location settings
                      • Suspicious use of WriteProcessMemory
                      PID:3924
                      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe
                        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xiuhuali.exe"
                        2⤵
                        • Executes dropped EXE
                        • Drops file in Program Files directory
                        • Suspicious use of SetWindowsHookEx
                        • Suspicious use of WriteProcessMemory
                        PID:1920
                        • C:\Windows\SysWOW64\rundll32.exe
                          "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
                          3⤵
                          • Loads dropped DLL
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:2868
                      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe
                        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\JoSetp.exe"
                        2⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2240
                      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
                        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
                        2⤵
                        • Executes dropped EXE
                        • Suspicious use of WriteProcessMemory
                        PID:2712
                        • C:\Users\Admin\AppData\Local\Temp\is-4FVI5.tmp\Install.tmp
                          "C:\Users\Admin\AppData\Local\Temp\is-4FVI5.tmp\Install.tmp" /SL5="$40196,235791,152064,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
                          3⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Suspicious use of WriteProcessMemory
                          PID:184
                          • C:\Users\Admin\AppData\Local\Temp\is-HB45D.tmp\Ultra.exe
                            "C:\Users\Admin\AppData\Local\Temp\is-HB45D.tmp\Ultra.exe" /S /UID=burnerch1
                            4⤵
                            • Drops file in Drivers directory
                            • Executes dropped EXE
                            • Adds Run key to start application
                            • Drops file in Program Files directory
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:3844
                            • C:\Program Files\Uninstall Information\FCCHQOLGQZ\ultramediaburner.exe
                              "C:\Program Files\Uninstall Information\FCCHQOLGQZ\ultramediaburner.exe" /VERYSILENT
                              5⤵
                              • Executes dropped EXE
                              • Suspicious use of WriteProcessMemory
                              PID:3332
                              • C:\Users\Admin\AppData\Local\Temp\is-O1SFT.tmp\ultramediaburner.tmp
                                "C:\Users\Admin\AppData\Local\Temp\is-O1SFT.tmp\ultramediaburner.tmp" /SL5="$301CE,281924,62464,C:\Program Files\Uninstall Information\FCCHQOLGQZ\ultramediaburner.exe" /VERYSILENT
                                6⤵
                                • Executes dropped EXE
                                • Drops file in Program Files directory
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of FindShellTrayWindow
                                • Suspicious use of WriteProcessMemory
                                PID:1316
                                • C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
                                  "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
                                  7⤵
                                  • Executes dropped EXE
                                  PID:2696
                            • C:\Users\Admin\AppData\Local\Temp\55-4bb25-f6c-73994-9001b4c34003c\Qitucuxyno.exe
                              "C:\Users\Admin\AppData\Local\Temp\55-4bb25-f6c-73994-9001b4c34003c\Qitucuxyno.exe"
                              5⤵
                              • Executes dropped EXE
                              • Checks computer location settings
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4124
                            • C:\Users\Admin\AppData\Local\Temp\ce-a9192-979-128af-8cc676b1f177e\Jyjokicopo.exe
                              "C:\Users\Admin\AppData\Local\Temp\ce-a9192-979-128af-8cc676b1f177e\Jyjokicopo.exe"
                              5⤵
                              • Executes dropped EXE
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:4188
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vhpxihes.ice\001.exe & exit
                                6⤵
                                • Suspicious use of WriteProcessMemory
                                PID:4204
                                • C:\Users\Admin\AppData\Local\Temp\vhpxihes.ice\001.exe
                                  C:\Users\Admin\AppData\Local\Temp\vhpxihes.ice\001.exe
                                  7⤵
                                  • Executes dropped EXE
                                  PID:3756
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4tyg34mu.j3q\installer.exe /qn CAMPAIGN="654" & exit
                                6⤵
                                • Suspicious use of WriteProcessMemory
                                PID:4360
                                • C:\Users\Admin\AppData\Local\Temp\4tyg34mu.j3q\installer.exe
                                  C:\Users\Admin\AppData\Local\Temp\4tyg34mu.j3q\installer.exe /qn CAMPAIGN="654"
                                  7⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Enumerates connected drives
                                  • Modifies system certificate store
                                  • Suspicious use of FindShellTrayWindow
                                  PID:3540
                                  • C:\Windows\SysWOW64\msiexec.exe
                                    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\4tyg34mu.j3q\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\4tyg34mu.j3q\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1620814490 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
                                    8⤵
                                      PID:5664
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vecroqid.inr\hbggg.exe & exit
                                  6⤵
                                    PID:5288
                                    • C:\Users\Admin\AppData\Local\Temp\vecroqid.inr\hbggg.exe
                                      C:\Users\Admin\AppData\Local\Temp\vecroqid.inr\hbggg.exe
                                      7⤵
                                      • Executes dropped EXE
                                      • Adds Run key to start application
                                      PID:5496
                                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                        8⤵
                                        • Executes dropped EXE
                                        PID:5772
                                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                        8⤵
                                          PID:4436
                                    • C:\Windows\System32\cmd.exe
                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uoi4wo2y.tbv\google-game.exe & exit
                                      6⤵
                                        PID:5520
                                        • C:\Users\Admin\AppData\Local\Temp\uoi4wo2y.tbv\google-game.exe
                                          C:\Users\Admin\AppData\Local\Temp\uoi4wo2y.tbv\google-game.exe
                                          7⤵
                                          • Executes dropped EXE
                                          • Checks computer location settings
                                          • Modifies registry class
                                          PID:4120
                                          • C:\Windows\SysWOW64\rUNdlL32.eXe
                                            "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
                                            8⤵
                                            • Loads dropped DLL
                                            PID:4604
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5vwq012x.wc0\huesaa.exe & exit
                                        6⤵
                                          PID:5588
                                          • C:\Users\Admin\AppData\Local\Temp\5vwq012x.wc0\huesaa.exe
                                            C:\Users\Admin\AppData\Local\Temp\5vwq012x.wc0\huesaa.exe
                                            7⤵
                                            • Executes dropped EXE
                                            PID:5408
                                            • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                              C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                              8⤵
                                              • Executes dropped EXE
                                              PID:5604
                                            • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                              C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                              8⤵
                                                PID:3260
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ntsjz3ua.w2n\setup.exe & exit
                                            6⤵
                                              PID:6092
                                              • C:\Users\Admin\AppData\Local\Temp\ntsjz3ua.w2n\setup.exe
                                                C:\Users\Admin\AppData\Local\Temp\ntsjz3ua.w2n\setup.exe
                                                7⤵
                                                • Executes dropped EXE
                                                PID:5304
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\ntsjz3ua.w2n\setup.exe"
                                                  8⤵
                                                    PID:4456
                                                    • C:\Windows\SysWOW64\PING.EXE
                                                      ping 1.1.1.1 -n 1 -w 3000
                                                      9⤵
                                                      • Runs ping.exe
                                                      PID:5916
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ipblsbsj.ug4\askinstall39.exe & exit
                                                6⤵
                                                  PID:184
                                                  • C:\Users\Admin\AppData\Local\Temp\ipblsbsj.ug4\askinstall39.exe
                                                    C:\Users\Admin\AppData\Local\Temp\ipblsbsj.ug4\askinstall39.exe
                                                    7⤵
                                                    • Executes dropped EXE
                                                    PID:5996
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      cmd.exe /c taskkill /f /im chrome.exe
                                                      8⤵
                                                        PID:4596
                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                          taskkill /f /im chrome.exe
                                                          9⤵
                                                          • Kills process with taskkill
                                                          PID:6080
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rlmseoda.fyx\customer1.exe & exit
                                                    6⤵
                                                      PID:1916
                                                      • C:\Users\Admin\AppData\Local\Temp\rlmseoda.fyx\customer1.exe
                                                        C:\Users\Admin\AppData\Local\Temp\rlmseoda.fyx\customer1.exe
                                                        7⤵
                                                        • Executes dropped EXE
                                                        PID:5188
                                                        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                          8⤵
                                                          • Executes dropped EXE
                                                          PID:5620
                                                        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                          8⤵
                                                          • Executes dropped EXE
                                                          PID:5904
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lyg5nrcv.gzq\toolspab1.exe & exit
                                                      6⤵
                                                        PID:5480
                                                        • C:\Users\Admin\AppData\Local\Temp\lyg5nrcv.gzq\toolspab1.exe
                                                          C:\Users\Admin\AppData\Local\Temp\lyg5nrcv.gzq\toolspab1.exe
                                                          7⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetThreadContext
                                                          PID:2212
                                                          • C:\Users\Admin\AppData\Local\Temp\lyg5nrcv.gzq\toolspab1.exe
                                                            C:\Users\Admin\AppData\Local\Temp\lyg5nrcv.gzq\toolspab1.exe
                                                            8⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Checks SCSI registry key(s)
                                                            PID:700
                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe
                                                "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe"
                                                2⤵
                                                • Executes dropped EXE
                                                • Modifies system certificate store
                                                • Suspicious use of WriteProcessMemory
                                                PID:4364
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\filee.exe" >> NUL
                                                  3⤵
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:4804
                                                  • C:\Windows\SysWOW64\PING.EXE
                                                    ping 127.0.0.1
                                                    4⤵
                                                    • Runs ping.exe
                                                    PID:4448
                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe
                                                "C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg6_6asg.exe"
                                                2⤵
                                                • Executes dropped EXE
                                                • Checks whether UAC is enabled
                                                PID:4400
                                              • C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe
                                                "C:\Users\Admin\AppData\Local\Temp\RarSFX0\gaoou.exe"
                                                2⤵
                                                • Executes dropped EXE
                                                PID:3260
                                                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                  3⤵
                                                  • Executes dropped EXE
                                                  PID:5172
                                                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                  3⤵
                                                  • Executes dropped EXE
                                                  PID:5296
                                            • \??\c:\windows\system32\svchost.exe
                                              c:\windows\system32\svchost.exe -k netsvcs -s BITS
                                              1⤵
                                              • Suspicious use of SetThreadContext
                                              • Modifies data under HKEY_USERS
                                              • Modifies registry class
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of WriteProcessMemory
                                              PID:2420
                                              • C:\Windows\system32\svchost.exe
                                                C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                2⤵
                                                • Checks processor information in registry
                                                • Modifies data under HKEY_USERS
                                                • Modifies registry class
                                                PID:1316
                                              • C:\Windows\system32\svchost.exe
                                                C:\Windows\system32\svchost.exe -k SystemNetworkService
                                                2⤵
                                                • Drops file in System32 directory
                                                • Checks processor information in registry
                                                • Modifies data under HKEY_USERS
                                                • Modifies registry class
                                                PID:2104
                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                              1⤵
                                              • Drops file in Windows directory
                                              • Modifies Internet Explorer settings
                                              • Modifies registry class
                                              • Suspicious use of SetWindowsHookEx
                                              PID:4660
                                            • C:\Windows\system32\browser_broker.exe
                                              C:\Windows\system32\browser_broker.exe -Embedding
                                              1⤵
                                              • Modifies Internet Explorer settings
                                              PID:4720
                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                              1⤵
                                              • Modifies registry class
                                              • Suspicious behavior: MapViewOfSection
                                              • Suspicious use of SetWindowsHookEx
                                              PID:4976
                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                              1⤵
                                              • Modifies Internet Explorer settings
                                              • Modifies registry class
                                              PID:3992
                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                              1⤵
                                              • Modifies registry class
                                              PID:5024
                                            • C:\Windows\system32\msiexec.exe
                                              C:\Windows\system32\msiexec.exe /V
                                              1⤵
                                              • Enumerates connected drives
                                              • Drops file in Program Files directory
                                              • Drops file in Windows directory
                                              • Modifies data under HKEY_USERS
                                              • Modifies registry class
                                              PID:5488
                                              • C:\Windows\syswow64\MsiExec.exe
                                                C:\Windows\syswow64\MsiExec.exe -Embedding 679EE7712F6F8ED00CED685CAB9BA30A C
                                                2⤵
                                                • Loads dropped DLL
                                                PID:5780
                                              • C:\Windows\syswow64\MsiExec.exe
                                                C:\Windows\syswow64\MsiExec.exe -Embedding AF0239D45FBEEC9A6BDD3BCEE0459AA2
                                                2⤵
                                                • Blocklisted process makes network request
                                                • Loads dropped DLL
                                                PID:5872
                                                • C:\Windows\SysWOW64\taskkill.exe
                                                  "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
                                                  3⤵
                                                  • Kills process with taskkill
                                                  PID:5128
                                              • C:\Windows\syswow64\MsiExec.exe
                                                C:\Windows\syswow64\MsiExec.exe -Embedding 01223CDCE703CF1D9E09587A0EE896DF E Global\MSI0000
                                                2⤵
                                                • Loads dropped DLL
                                                PID:5648
                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                              1⤵
                                              • Modifies registry class
                                              PID:5640
                                            • C:\Windows\system32\DllHost.exe
                                              C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                              1⤵
                                              • Executes dropped EXE
                                              PID:4436
                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                              1⤵
                                                PID:2876
                                              • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                1⤵
                                                  PID:4492

                                                Network

                                                MITRE ATT&CK Enterprise v6

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • memory/184-199-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/1012-317-0x0000027139230000-0x00000271392A0000-memory.dmp

                                                  Filesize

                                                  448KB

                                                  Download

                                                • memory/1012-149-0x0000027138B90000-0x0000027138C00000-memory.dmp

                                                  Filesize

                                                  448KB

                                                  Download

                                                • memory/1068-178-0x00000197E5400000-0x00000197E5470000-memory.dmp

                                                  Filesize

                                                  448KB

                                                  Download

                                                • memory/1108-176-0x0000029CE2E70000-0x0000029CE2EE0000-memory.dmp

                                                  Filesize

                                                  448KB

                                                  Download

                                                • memory/1228-184-0x0000026CE1290000-0x0000026CE1300000-memory.dmp

                                                  Filesize

                                                  448KB

                                                  Download

                                                • memory/1292-186-0x00000214047E0000-0x0000021404850000-memory.dmp

                                                  Filesize

                                                  448KB

                                                  Download

                                                • memory/1316-148-0x0000028EAEB80000-0x0000028EAEBF0000-memory.dmp

                                                  Filesize

                                                  448KB

                                                  Download

                                                • memory/1316-216-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/1424-180-0x00000233CEDD0000-0x00000233CEE40000-memory.dmp

                                                  Filesize

                                                  448KB

                                                  Download

                                                • memory/1880-182-0x00000299FFD00000-0x00000299FFD70000-memory.dmp

                                                  Filesize

                                                  448KB

                                                  Download

                                                • memory/2104-213-0x00000270D3750000-0x00000270D379B000-memory.dmp

                                                  Filesize

                                                  300KB

                                                  Download

                                                • memory/2104-277-0x00000270D5F90000-0x00000270D6095000-memory.dmp

                                                  Filesize

                                                  1.0MB

                                                  Download

                                                • memory/2104-214-0x00000270D3A40000-0x00000270D3AB0000-memory.dmp

                                                  Filesize

                                                  448KB

                                                  Download

                                                • memory/2240-147-0x0000000000720000-0x0000000000721000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/2240-141-0x00000000022A0000-0x00000000022BC000-memory.dmp

                                                  Filesize

                                                  112KB

                                                  Download

                                                • memory/2240-153-0x000000001AFE0000-0x000000001AFE2000-memory.dmp

                                                  Filesize

                                                  8KB

                                                  Download

                                                • memory/2240-133-0x0000000000710000-0x0000000000711000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/2240-126-0x00000000002C0000-0x00000000002C1000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/2420-132-0x0000027DAE2A0000-0x0000027DAE310000-memory.dmp

                                                  Filesize

                                                  448KB

                                                  Download

                                                • memory/2420-303-0x0000027DAE330000-0x0000027DAE37B000-memory.dmp

                                                  Filesize

                                                  300KB

                                                  Download

                                                • memory/2420-306-0x0000027DAE600000-0x0000027DAE670000-memory.dmp

                                                  Filesize

                                                  448KB

                                                  Download

                                                • memory/2448-174-0x000001ACC4B40000-0x000001ACC4BB0000-memory.dmp

                                                  Filesize

                                                  448KB

                                                  Download

                                                • memory/2448-327-0x000001ACC5140000-0x000001ACC51B0000-memory.dmp

                                                  Filesize

                                                  448KB

                                                  Download

                                                • memory/2476-172-0x000002CF88170000-0x000002CF881E0000-memory.dmp

                                                  Filesize

                                                  448KB

                                                  Download

                                                • memory/2476-324-0x000002CF88240000-0x000002CF882B0000-memory.dmp

                                                  Filesize

                                                  448KB

                                                  Download

                                                • memory/2676-188-0x000001EE98270000-0x000001EE982E0000-memory.dmp

                                                  Filesize

                                                  448KB

                                                  Download

                                                • memory/2688-190-0x000001DEE71D0000-0x000001DEE7240000-memory.dmp

                                                  Filesize

                                                  448KB

                                                  Download

                                                • memory/2696-226-0x0000000002E10000-0x0000000002E12000-memory.dmp

                                                  Filesize

                                                  8KB

                                                  Download

                                                • memory/2696-241-0x0000000002E15000-0x0000000002E17000-memory.dmp

                                                  Filesize

                                                  8KB

                                                  Download

                                                • memory/2696-234-0x0000000002E14000-0x0000000002E15000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/2696-232-0x0000000002E12000-0x0000000002E14000-memory.dmp

                                                  Filesize

                                                  8KB

                                                  Download

                                                • memory/2712-193-0x0000000000400000-0x000000000042B000-memory.dmp

                                                  Filesize

                                                  172KB

                                                  Download

                                                • memory/2808-311-0x0000017902A20000-0x0000017902A90000-memory.dmp

                                                  Filesize

                                                  448KB

                                                  Download

                                                • memory/2808-136-0x0000017902410000-0x000001790245B000-memory.dmp

                                                  Filesize

                                                  300KB

                                                  Download

                                                • memory/2808-143-0x0000017902600000-0x0000017902670000-memory.dmp

                                                  Filesize

                                                  448KB

                                                  Download

                                                • memory/2868-131-0x0000000004E50000-0x0000000004EAC000-memory.dmp

                                                  Filesize

                                                  368KB

                                                  Download

                                                • memory/2868-129-0x0000000004C8D000-0x0000000004D8E000-memory.dmp

                                                  Filesize

                                                  1.0MB

                                                  Download

                                                • memory/3332-209-0x0000000000400000-0x0000000000416000-memory.dmp

                                                  Filesize

                                                  88KB

                                                  Download

                                                • memory/3756-249-0x00000000001F0000-0x0000000000200000-memory.dmp

                                                  Filesize

                                                  64KB

                                                  Download

                                                • memory/3756-250-0x0000000000A50000-0x0000000000A62000-memory.dmp

                                                  Filesize

                                                  72KB

                                                  Download

                                                • memory/3844-203-0x0000000002D20000-0x0000000002D22000-memory.dmp

                                                  Filesize

                                                  8KB

                                                  Download

                                                • memory/4124-227-0x0000000002160000-0x0000000002162000-memory.dmp

                                                  Filesize

                                                  8KB

                                                  Download

                                                • memory/4188-231-0x00000000009E0000-0x00000000009E2000-memory.dmp

                                                  Filesize

                                                  8KB

                                                  Download

                                                • memory/4188-233-0x00000000009E2000-0x00000000009E4000-memory.dmp

                                                  Filesize

                                                  8KB

                                                  Download

                                                • memory/4188-243-0x00000000009E5000-0x00000000009E6000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/4364-238-0x0000000000E60000-0x0000000000E6D000-memory.dmp

                                                  Filesize

                                                  52KB

                                                  Download

                                                • memory/4400-315-0x00000000036F0000-0x0000000003700000-memory.dmp

                                                  Filesize

                                                  64KB

                                                  Download

                                                • memory/4400-302-0x0000000003550000-0x0000000003560000-memory.dmp

                                                  Filesize

                                                  64KB

                                                  Download

                                                • memory/4604-320-0x0000000004840000-0x000000000489C000-memory.dmp

                                                  Filesize

                                                  368KB

                                                  Download

                                                • memory/4604-300-0x00000000046D7000-0x00000000047D8000-memory.dmp

                                                  Filesize

                                                  1.0MB

                                                  Download