Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

Anime-Figh...21.exe

windows7_x64

10

Anime-Figh...21.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    164s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    27/07/2021, 11:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Anime-Fighters-Simul_763412721.exe

  • Size

    4.8MB

  • MD5

    ab3ad490f762ba671cdee4ecc0f5344d

  • SHA1

    1d9d83af66e77ab20b1ff0bbafbe47522b3d3395

  • SHA256

    b46e0391b8f48919100497997b8088126ef73815147fcc57cb5dc81ad97a226f

  • SHA512

    fd2fe04d536a78428dcb9ee49ab4dd0fd739f30ee1198d8a502200d596edb32095c649433fad38fcf5320a5d852a2ef2109df344f1cb11fd9e25173ac1e62377

Score
10/10
redline230721pokatak1111discoveryinfostealerpersistencespywarestealersuricataupx

Malware Config

Extracted

Family

redline

Botnet

230721

C2

cookiebrokrash.info:80

Extracted

Family

redline

Botnet

pokatak1111

C2

qusenero.xyz:80

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 4 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
    suricata
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Blocklisted process makes network request 19 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 3 IoCs
  • Executes dropped EXE 27 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in System32 directory 17 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • autoit_exe 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 8 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 23 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Anime-Fighters-Simul_763412721.exe
    "C:\Users\Admin\AppData\Local\Temp\Anime-Fighters-Simul_763412721.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:752
    • C:\Users\Admin\AppData\Local\Temp\is-2T9NT.tmp\Anime-Fighters-Simul_763412721.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-2T9NT.tmp\Anime-Fighters-Simul_763412721.tmp" /SL5="$70062,4323544,721408,C:\Users\Admin\AppData\Local\Temp\Anime-Fighters-Simul_763412721.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3796
      • C:\Program Files (x86)\Est\Aut.exe
        "C:\Program Files (x86)\Est/\Aut.exe" 1e7e5d00b14bf80042c84dafb2bca015
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:544
        • C:\Users\Admin\AppData\Local\Temp\l1eBRPTk\duXzAePlc2dRb.exe
          C:\Users\Admin\AppData\Local\Temp\l1eBRPTk\duXzAePlc2dRb.exe /usthree SUB=1e7e5d00b14bf80042c84dafb2bca015
          4⤵
          • Executes dropped EXE
          PID:3912
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 648
            5⤵
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            PID:1104
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 696
            5⤵
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            PID:4224
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 764
            5⤵
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            PID:4352
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 812
            5⤵
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            PID:4424
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 880
            5⤵
            • Program crash
            PID:4576
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 900
            5⤵
            • Program crash
            PID:4780
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 1164
            5⤵
            • Program crash
            PID:5028
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 1136
            5⤵
            • Suspicious use of NtCreateProcessExOtherParentProcess
            • Program crash
            PID:5076
        • C:\Users\Admin\AppData\Local\Temp\mXzvlto9\VBxMY1FFKvaTznO.exe
          C:\Users\Admin\AppData\Local\Temp\mXzvlto9\VBxMY1FFKvaTznO.exe /VERYSILENT
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Modifies system certificate store
          • Suspicious use of WriteProcessMemory
          PID:3644
          • C:\Users\Admin\AppData\Local\Temp\komarjoba.exe
            C:\Users\Admin\AppData\Local\Temp\komarjoba.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:3344
            • C:\Users\Admin\AppData\Local\Temp\komarjoba.exe
              C:\Users\Admin\AppData\Local\Temp\komarjoba.exe
              6⤵
              • Executes dropped EXE
              PID:4152
          • C:\Users\Admin\AppData\Local\Temp\kamarjoba.exe
            C:\Users\Admin\AppData\Local\Temp\kamarjoba.exe
            5⤵
            • Executes dropped EXE
            PID:4768
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\mXzvlto9\VBxMY1FFKvaTznO.exe & exit
            5⤵
              PID:4988
              • C:\Windows\SysWOW64\PING.EXE
                ping 0
                6⤵
                • Runs ping.exe
                PID:4980
          • C:\Users\Admin\AppData\Local\Temp\P7m7m07B\GpdPwQ7OS6.exe
            C:\Users\Admin\AppData\Local\Temp\P7m7m07B\GpdPwQ7OS6.exe /quiet SILENT=1 AF=606x1e7e5d00b14bf80042c84dafb2bca015
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Enumerates connected drives
            • Modifies system certificate store
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:3444
            • C:\Windows\SysWOW64\msiexec.exe
              "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=606x1e7e5d00b14bf80042c84dafb2bca015 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\P7m7m07B\GpdPwQ7OS6.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\P7m7m07B\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1627133728 /quiet SILENT=1 AF=606x1e7e5d00b14bf80042c84dafb2bca015 " AF="606x1e7e5d00b14bf80042c84dafb2bca015" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"
              5⤵
                PID:3364
            • C:\Users\Admin\AppData\Local\Temp\uCUFxMb6\vpn.exe
              C:\Users\Admin\AppData\Local\Temp\uCUFxMb6\vpn.exe /silent /subid=510x1e7e5d00b14bf80042c84dafb2bca015
              4⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2880
              • C:\Users\Admin\AppData\Local\Temp\is-NUIJ8.tmp\vpn.tmp
                "C:\Users\Admin\AppData\Local\Temp\is-NUIJ8.tmp\vpn.tmp" /SL5="$102F8,15170975,270336,C:\Users\Admin\AppData\Local\Temp\uCUFxMb6\vpn.exe" /silent /subid=510x1e7e5d00b14bf80042c84dafb2bca015
                5⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Drops file in Program Files directory
                • Modifies registry class
                • Modifies system certificate store
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of WriteProcessMemory
                PID:1320
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1220
                  • C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
                    tapinstall.exe remove tap0901
                    7⤵
                    • Executes dropped EXE
                    • Checks SCSI registry key(s)
                    PID:2272
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2196
                  • C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
                    tapinstall.exe install OemVista.inf tap0901
                    7⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Drops file in Windows directory
                    • Checks SCSI registry key(s)
                    • Modifies system certificate store
                    PID:3888
                • C:\Program Files (x86)\MaskVPN\mask_svc.exe
                  "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  PID:4888
                • C:\Program Files (x86)\MaskVPN\mask_svc.exe
                  "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  PID:912
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:3384
        • C:\Windows\system32\msiexec.exe
          C:\Windows\system32\msiexec.exe /V
          1⤵
          • Enumerates connected drives
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1520
          • C:\Windows\syswow64\MsiExec.exe
            C:\Windows\syswow64\MsiExec.exe -Embedding B7868B8D4171B8A7542748BF96B90BF4 C
            2⤵
            • Loads dropped DLL
            PID:2988
          • C:\Windows\syswow64\MsiExec.exe
            C:\Windows\syswow64\MsiExec.exe -Embedding 8617A210B5E580114054B1D8C4CC98DE
            2⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            PID:4204
          • C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe
            "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
            2⤵
            • Executes dropped EXE
            • Adds Run key to start application
            PID:1284
            • C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe
              "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=606x1e7e5d00b14bf80042c84dafb2bca015 -BF=default -uncf=default
              3⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              PID:4372
              • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" "--Lck7KQ"
                4⤵
                • Executes dropped EXE
                • Checks computer location settings
                • Loads dropped DLL
                PID:4948
                • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                  C:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x1e0,0x1e4,0x1e8,0xd4,0x1ec,0x7ffa7c309ec0,0x7ffa7c309ed0,0x7ffa7c309ee0
                  5⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:4252
                • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                  "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1512,10960690507265387581,2518302523410025710,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4948_732689240" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1524 /prefetch:2
                  5⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:4208
                • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                  "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1512,10960690507265387581,2518302523410025710,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4948_732689240" --mojo-platform-channel-handle=1936 /prefetch:8
                  5⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Modifies system certificate store
                  PID:3080
                • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                  "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1512,10960690507265387581,2518302523410025710,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4948_732689240" --mojo-platform-channel-handle=2172 /prefetch:8
                  5⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:1128
                • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                  "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Weather\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1512,10960690507265387581,2518302523410025710,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4948_732689240" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2576 /prefetch:1
                  5⤵
                  • Executes dropped EXE
                  • Checks computer location settings
                  • Loads dropped DLL
                  PID:3432
                • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                  "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1512,10960690507265387581,2518302523410025710,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4948_732689240" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1820 /prefetch:2
                  5⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:5200
                • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                  "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1512,10960690507265387581,2518302523410025710,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4948_732689240" --mojo-platform-channel-handle=3264 /prefetch:8
                  5⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:5532
                • C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
                  "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1512,10960690507265387581,2518302523410025710,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4948_732689240" --mojo-platform-channel-handle=3180 /prefetch:8
                  5⤵
                  • Executes dropped EXE
                  PID:5592
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_9A38.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites' -retry_count 10"
              3⤵
              • Blocklisted process makes network request
              PID:2440
        • \??\c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
          1⤵
          • Drops file in Windows directory
          • Checks SCSI registry key(s)
          • Suspicious use of WriteProcessMemory
          PID:4176
          • C:\Windows\system32\DrvInst.exe
            DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{46c227b2-6ccd-604a-9324-e56133d64616}\oemvista.inf" "9" "4d14a44ff" "0000000000000170" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"
            2⤵
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Checks SCSI registry key(s)
            • Modifies data under HKEY_USERS
            PID:4272
          • C:\Windows\system32\DrvInst.exe
            DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000170"
            2⤵
            • Drops file in Drivers directory
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Checks SCSI registry key(s)
            PID:4492
        • \??\c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
          1⤵
            PID:4560
          • \??\c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
            1⤵
            • Checks SCSI registry key(s)
            • Modifies data under HKEY_USERS
            PID:4552
          • C:\Program Files (x86)\MaskVPN\mask_svc.exe
            "C:\Program Files (x86)\MaskVPN\mask_svc.exe"
            1⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Modifies data under HKEY_USERS
            PID:4392
            • C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
              MaskVPNUpdate.exe /silent
              2⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:5668
          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
            1⤵
            • Drops file in Windows directory
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:4572
          • C:\Windows\system32\browser_broker.exe
            C:\Windows\system32\browser_broker.exe -Embedding
            1⤵
            • Modifies Internet Explorer settings
            PID:3664
          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
            1⤵
            • Modifies registry class
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of SetWindowsHookEx
            PID:4916
          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
            1⤵
            • Modifies Internet Explorer settings
            • Modifies registry class
            PID:972
          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
            1⤵
              PID:1868
            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
              1⤵
              • Modifies registry class
              PID:1900
            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
              1⤵
              • Modifies registry class
              PID:4640

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/544-124-0x00000000045E0000-0x00000000045E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/544-123-0x0000000000400000-0x00000000016FD000-memory.dmp

              Filesize

              19.0MB

              Download

            • memory/752-117-0x0000000000400000-0x00000000004BE000-memory.dmp

              Filesize

              760KB

              Download

            • memory/912-257-0x0000000001820000-0x0000000001821000-memory.dmp

              Filesize

              4KB

              Download

            • memory/912-260-0x00000000017E0000-0x000000000192A000-memory.dmp

              Filesize

              1.3MB

              Download

            • memory/912-259-0x0000000000400000-0x00000000015D7000-memory.dmp

              Filesize

              17.8MB

              Download

            • memory/912-258-0x0000000001C40000-0x0000000001C41000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1320-156-0x00000000093D0000-0x00000000093D1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1320-142-0x0000000000650000-0x0000000000651000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1320-145-0x0000000007410000-0x00000000076F0000-memory.dmp

              Filesize

              2.9MB

              Download

            • memory/1320-146-0x0000000000810000-0x0000000000811000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1320-151-0x00000000093E0000-0x00000000093EF000-memory.dmp

              Filesize

              60KB

              Download

            • memory/1320-154-0x0000000009670000-0x0000000009685000-memory.dmp

              Filesize

              84KB

              Download

            • memory/2440-289-0x0000000007AF0000-0x0000000007AF1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2440-286-0x0000000007490000-0x0000000007491000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2440-294-0x00000000085B0000-0x00000000085B1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2440-288-0x0000000006E52000-0x0000000006E53000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2440-285-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2440-287-0x0000000006E50000-0x0000000006E51000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2440-293-0x0000000007F60000-0x0000000007F61000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2440-292-0x0000000007C10000-0x0000000007C11000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2440-290-0x0000000007B20000-0x0000000007B21000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2440-312-0x0000000006E53000-0x0000000006E54000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2880-136-0x0000000000400000-0x000000000044C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/3344-175-0x0000000005540000-0x0000000005541000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3344-165-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3344-181-0x00000000054E0000-0x00000000054E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3344-187-0x00000000031E0000-0x00000000031E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3344-198-0x0000000005B30000-0x0000000005B31000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3796-119-0x0000000000D70000-0x0000000000D71000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3912-160-0x0000000000400000-0x0000000000489000-memory.dmp

              Filesize

              548KB

              Download

            • memory/3912-159-0x00000000020F0000-0x000000000213F000-memory.dmp

              Filesize

              316KB

              Download

            • memory/4152-232-0x00000000053E0000-0x00000000053E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4152-228-0x00000000058E0000-0x00000000058E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4152-234-0x00000000056C0000-0x00000000056C1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4152-230-0x00000000053A0000-0x00000000053A1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4152-254-0x0000000006580000-0x0000000006581000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4152-255-0x0000000006C80000-0x0000000006C81000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4152-229-0x0000000005340000-0x0000000005341000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4152-233-0x00000000052D0000-0x00000000058D6000-memory.dmp

              Filesize

              6.0MB

              Download

            • memory/4152-224-0x0000000000400000-0x000000000041E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/4392-267-0x00000000018A0000-0x00000000018A1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4392-270-0x0000000033AB0000-0x0000000033C76000-memory.dmp

              Filesize

              1.8MB

              Download

            • memory/4392-271-0x0000000034440000-0x0000000034598000-memory.dmp

              Filesize

              1.3MB

              Download

            • memory/4392-272-0x00000000345A0000-0x00000000345F8000-memory.dmp

              Filesize

              352KB

              Download

            • memory/4392-273-0x00000000017E0000-0x000000000192A000-memory.dmp

              Filesize

              1.3MB

              Download

            • memory/4392-269-0x0000000000400000-0x00000000015D7000-memory.dmp

              Filesize

              17.8MB

              Download

            • memory/4392-268-0x00000000018B0000-0x00000000018B1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4768-239-0x0000000002290000-0x00000000022AA000-memory.dmp

              Filesize

              104KB

              Download

            • memory/4768-266-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4768-264-0x0000000006DC0000-0x0000000006DC1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4768-236-0x0000000000790000-0x00000000007AB000-memory.dmp

              Filesize

              108KB

              Download

            • memory/4768-238-0x00000000005C0000-0x000000000070A000-memory.dmp

              Filesize

              1.3MB

              Download

            • memory/4768-240-0x0000000000400000-0x000000000047E000-memory.dmp

              Filesize

              504KB

              Download

            • memory/4768-249-0x0000000004B24000-0x0000000004B26000-memory.dmp

              Filesize

              8KB

              Download

            • memory/4768-245-0x0000000004B23000-0x0000000004B24000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4768-243-0x0000000004B22000-0x0000000004B23000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4768-241-0x0000000004B20000-0x0000000004B21000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4888-251-0x00000000001C0000-0x00000000001C1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4888-252-0x0000000000400000-0x00000000015D7000-memory.dmp

              Filesize

              17.8MB

              Download

            • memory/4888-253-0x00000000001B0000-0x00000000001B1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/5668-341-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

              Filesize

              4KB

              Download