Resubmissions

  • 07-07-2023 19:28  230707-x6vx7aah77  10
  • 09-05-2023 07:16  230509-h34zcsgf4w  8
  • 27-03-2023 11:00  230327-m3yjssdb46  10
  • 25-03-2023 07:43  230325-jkn1vsdh4z  8
  • 25-02-2023 11:28  230225-nldnqsda92  10
  • 25-02-2023 11:28  230225-nk69nada89  1
  • 25-02-2023 11:24  230225-nh4qrada83  10
  • 15-01-2023 04:46  230115-fd3c5aab55  10
  • 06-12-2022 18:59  221206-xm59taea79  10

Analysis

  • max time kernel
    1114s
  • max time network
    1205s
  • platform
    windows7_x64
  • resource
    win7-20220901-de
  • resource tags
    arch:x64, arch:x86, image:win7-20220901-de, locale:de-de, os:windows7-x64, system:windows
  • submitted
    06-12-2022 18:59

General

  • Target
    fucker script.exe
  • Size
    104KB
  • MD5
    db0655efbe0dbdef1df06207f5cb5b5b
  • SHA1
    a8d48d5c0042ce359178d018c0873e8a7c2f27e8
  • SHA256
    52972a23ab12b95cd51d71741db2cf276749e56030c092e2e4f0907dcb1fbd56
  • SHA512
    5adc8463c3e148a66f8afdeefc31f2b3ffeb12b7641584d1d24306b0898da60a8b9b948bb4f9b7d693185f2daa9bd9437b3b84cebc0eabfa84dfcef6938e1704
  • SSDEEP
    1536:m5iT3FccnYWkyjWpOku3yUyJCbyVAvy7+fRo:3LOcxkyjW3wvHq

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs
  • Program crash 1 IoCs
  • Drops file in System32 directory 14 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
  • Modifies registry class 21 IoCs
  • Suspicious behavior: AddClipboardFormatListener 29 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fucker script.exe
    "C:\Users\Admin\AppData\Local\Temp\fucker script.exe"
    1⤵
    PID:1748
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1224
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1224 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:2028
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:940
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:940 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1268
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:940 CREDAT:1127428 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:4156
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:940 CREDAT:6501381 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:4744
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:940 CREDAT:1651721 /prefetch:2
      2⤵
      PID:5032
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 940 -s 2508
      2⤵
      • Program crash
      PID:5308
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:288
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:604
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6f94f50,0x7fef6f94f60,0x7fef6f94f70
      2⤵
      PID:832
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1052,13953447183950383749,5130874251602471754,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1068 /prefetch:2
      2⤵
      PID:1780
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1052,13953447183950383749,5130874251602471754,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1324 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:876
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1052,13953447183950383749,5130874251602471754,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1692 /prefetch:8
      2⤵
      PID:1760
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,13953447183950383749,5130874251602471754,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2032 /prefetch:1
      2⤵
      PID:2068
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,13953447183950383749,5130874251602471754,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2076 /prefetch:1
      2⤵
      PID:2076
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1052,13953447183950383749,5130874251602471754,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2420 /prefetch:2
      2⤵
      PID:2860
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1052,13953447183950383749,5130874251602471754,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3328 /prefetch:8
      2⤵
      PID:3228
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1052,13953447183950383749,5130874251602471754,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1480 /prefetch:8
      2⤵
      PID:6016
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1052,13953447183950383749,5130874251602471754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2764 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4304
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1052,13953447183950383749,5130874251602471754,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
      2⤵
      PID:5104
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1052,13953447183950383749,5130874251602471754,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2836 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3332
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1052,13953447183950383749,5130874251602471754,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:8
      2⤵
      PID:3724
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1052,13953447183950383749,5130874251602471754,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
      2⤵
      PID:1880
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1052,13953447183950383749,5130874251602471754,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3520 /prefetch:8
      2⤵
      PID:5920
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1052,13953447183950383749,5130874251602471754,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
      2⤵
      PID:2932
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,13953447183950383749,5130874251602471754,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2664 /prefetch:1
      2⤵
      PID:4652
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1052,13953447183950383749,5130874251602471754,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=732 /prefetch:8
      2⤵
      PID:2600
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1052,13953447183950383749,5130874251602471754,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
      2⤵
      PID:5340
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1052,13953447183950383749,5130874251602471754,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1480 /prefetch:8
      2⤵
      PID:5380
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1052,13953447183950383749,5130874251602471754,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1748 /prefetch:8
      2⤵
      PID:5172
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1052,13953447183950383749,5130874251602471754,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 /prefetch:8
      2⤵
      PID:4004
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1052,13953447183950383749,5130874251602471754,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3488 /prefetch:8
      2⤵
      PID:2112
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1052,13953447183950383749,5130874251602471754,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
      2⤵
      PID:2456
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1052,13953447183950383749,5130874251602471754,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
      2⤵
      PID:2476
  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1288
    • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
      "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
      2⤵
      PID:716
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2236
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2236 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:2656
  • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
    "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • outlook_win_path
    PID:2244
  • C:\Windows\system32\calc.exe
    "C:\Windows\system32\calc.exe"
    1⤵
    PID:2260
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2340
  • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
    "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
    1⤵
    PID:2380
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:2404
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2404 CREDAT:275457 /prefetch:2
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:2820
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2420
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2516
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2620
  • C:\Windows\system32\calc.exe
    "C:\Windows\system32\calc.exe"
    1⤵
    PID:2872
  • C:\Windows\system32\calc.exe
    "C:\Windows\system32\calc.exe"
    1⤵
    PID:2940
  • C:\Windows\system32\calc.exe
    "C:\Windows\system32\calc.exe"
    1⤵
    PID:2956
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2972
  • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
    "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
    1⤵
    PID:3036
  • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
    "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
    1⤵
    PID:3052
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:1628
  • C:\Windows\system32\calc.exe
    "C:\Windows\system32\calc.exe"
    1⤵
    PID:1044
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:3236
  • C:\Windows\system32\calc.exe
    "C:\Windows\system32\calc.exe"
    1⤵
    PID:3244
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:3256
  • C:\Windows\system32\calc.exe
    "C:\Windows\system32\calc.exe"
    1⤵
    PID:3488
  • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
    "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
    1⤵
    PID:3552
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
    PID:3588
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe"
    1⤵
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:3664
  • C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe"
                                                                                1⤵
                                                                                • Suspicious behavior: AddClipboardFormatListener
                                                                                • Suspicious behavior: GetForegroundWindowSpam
                                                                                • Suspicious use of SendNotifyMessage
                                                                                • Suspicious use of SetWindowsHookEx
                                                                                PID:3708
                                                                              • C:\Program Files\VideoLAN\VLC\vlc.exe
                                                                                "C:\Program Files\VideoLAN\VLC\vlc.exe"
                                                                                1⤵
                                                                                • Suspicious behavior: AddClipboardFormatListener
                                                                                • Suspicious behavior: GetForegroundWindowSpam
                                                                                • Suspicious use of SendNotifyMessage
                                                                                • Suspicious use of SetWindowsHookEx
                                                                                PID:3716
                                                                              • C:\Program Files\VideoLAN\VLC\vlc.exe
                                                                                "C:\Program Files\VideoLAN\VLC\vlc.exe"
                                                                                1⤵
                                                                                • Suspicious behavior: AddClipboardFormatListener
                                                                                • Suspicious behavior: GetForegroundWindowSpam
                                                                                • Suspicious use of SetWindowsHookEx
                                                                                PID:3728
                                                                              • C:\Program Files\VideoLAN\VLC\vlc.exe
                                                                                "C:\Program Files\VideoLAN\VLC\vlc.exe"
                                                                                1⤵
                                                                                • Suspicious behavior: AddClipboardFormatListener
                                                                                • Suspicious behavior: GetForegroundWindowSpam
                                                                                • Suspicious use of SendNotifyMessage
                                                                                • Suspicious use of SetWindowsHookEx
                                                                                PID:3736
                                                                              • C:\Windows\system32\calc.exe
                                                                                "C:\Windows\system32\calc.exe"
                                                                                1⤵
                                                                                  PID:3748
                                                                                • C:\Windows\system32\calc.exe
                                                                                  "C:\Windows\system32\calc.exe"
                                                                                  1⤵
                                                                                    PID:3792
                                                                                  • C:\Program Files\VideoLAN\VLC\vlc.exe
                                                                                    "C:\Program Files\VideoLAN\VLC\vlc.exe"
                                                                                    1⤵
                                                                                    • Suspicious behavior: AddClipboardFormatListener
                                                                                    • Suspicious behavior: GetForegroundWindowSpam
                                                                                    • Suspicious use of SendNotifyMessage
                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                    PID:3932
                                                                                  • C:\Program Files\VideoLAN\VLC\vlc.exe
                                                                                    "C:\Program Files\VideoLAN\VLC\vlc.exe"
                                                                                    1⤵
                                                                                    • Suspicious behavior: AddClipboardFormatListener
                                                                                    • Suspicious behavior: GetForegroundWindowSpam
                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                    PID:3380
                                                                                  • C:\Program Files\VideoLAN\VLC\vlc.exe
                                                                                    "C:\Program Files\VideoLAN\VLC\vlc.exe"
                                                                                    1⤵
                                                                                    • Suspicious behavior: AddClipboardFormatListener
                                                                                    • Suspicious behavior: GetForegroundWindowSpam
                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                    PID:1580
                                                                                  • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
                                                                                    "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
                                                                                    1⤵
                                                                                      PID:3612
                                                                                    • C:\Program Files\VideoLAN\VLC\vlc.exe
                                                                                      "C:\Program Files\VideoLAN\VLC\vlc.exe"
                                                                                      1⤵
                                                                                      • Suspicious behavior: AddClipboardFormatListener
                                                                                      • Suspicious behavior: GetForegroundWindowSpam
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      PID:3660
                                                                                    • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
                                                                                      "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
                                                                                      1⤵
                                                                                        PID:3764
                                                                                      • C:\Windows\system32\calc.exe
                                                                                        "C:\Windows\system32\calc.exe"
                                                                                        1⤵
                                                                                          PID:3680
                                                                                        • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
                                                                                          "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
                                                                                          1⤵
                                                                                            PID:3364
                                                                                          • C:\Program Files\VideoLAN\VLC\vlc.exe
                                                                                            "C:\Program Files\VideoLAN\VLC\vlc.exe"
                                                                                            1⤵
                                                                                            • Suspicious behavior: AddClipboardFormatListener
                                                                                            • Suspicious behavior: GetForegroundWindowSpam
                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                            PID:3880
                                                                                          • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                            "C:\Program Files\Internet Explorer\iexplore.exe"
                                                                                            1⤵
                                                                                              PID:4132
                                                                                            • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
                                                                                              "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
                                                                                              1⤵
                                                                                                PID:4228
                                                                                              • C:\Program Files\VideoLAN\VLC\vlc.exe
                                                                                                "C:\Program Files\VideoLAN\VLC\vlc.exe"
                                                                                                1⤵
                                                                                                • Suspicious behavior: AddClipboardFormatListener
                                                                                                • Suspicious behavior: GetForegroundWindowSpam
                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                PID:4236
                                                                                              • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
                                                                                                "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
                                                                                                1⤵
                                                                                                  PID:4320
                                                                                                • C:\Windows\system32\calc.exe
                                                                                                  "C:\Windows\system32\calc.exe"
                                                                                                  1⤵
                                                                                                    PID:4328
                                                                                                  • C:\Program Files\VideoLAN\VLC\vlc.exe
                                                                                                    "C:\Program Files\VideoLAN\VLC\vlc.exe"
                                                                                                    1⤵
                                                                                                    • Suspicious behavior: AddClipboardFormatListener
                                                                                                    • Suspicious behavior: GetForegroundWindowSpam
                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                    PID:4356
                                                                                                  • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                    "C:\Program Files\Internet Explorer\iexplore.exe"
                                                                                                    1⤵
                                                                                                      PID:4468
                                                                                                    • C:\Windows\explorer.exe
                                                                                                      "C:\Windows\explorer.exe"
                                                                                                      1⤵
                                                                                                        PID:4516
                                                                                                      • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
                                                                                                        "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
                                                                                                        1⤵
                                                                                                          PID:4572
                                                                                                        • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
                                                                                                          "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
                                                                                                          1⤵
                                                                                                            PID:4596
                                                                                                          • C:\Windows\explorer.exe
                                                                                                            "C:\Windows\explorer.exe"
                                                                                                            1⤵
                                                                                                              PID:4664
                                                                                                            • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                              "C:\Program Files\Internet Explorer\iexplore.exe"
                                                                                                              1⤵
                                                                                                                PID:4716
                                                                                                              • C:\Program Files\VideoLAN\VLC\vlc.exe
                                                                                                                "C:\Program Files\VideoLAN\VLC\vlc.exe"
                                                                                                                1⤵
                                                                                                                • Suspicious behavior: AddClipboardFormatListener
                                                                                                                • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                                PID:4796
                                                                                                              • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                                                                                                "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
                                                                                                                1⤵
                                                                                                                  PID:4848
                                                                                                                  • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
                                                                                                                    "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
                                                                                                                    2⤵
                                                                                                                      PID:4872
                                                                                                                  • C:\Windows\system32\calc.exe
                                                                                                                    "C:\Windows\system32\calc.exe"
                                                                                                                    1⤵
                                                                                                                      PID:4944
                                                                                                                    • C:\Program Files\VideoLAN\VLC\vlc.exe
                                                                                                                      "C:\Program Files\VideoLAN\VLC\vlc.exe"
                                                                                                                      1⤵
                                                                                                                      • Suspicious behavior: AddClipboardFormatListener
                                                                                                                      • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                      PID:5020
                                                                                                                    • C:\Windows\system32\calc.exe
                                                                                                                      "C:\Windows\system32\calc.exe"
                                                                                                                      1⤵
                                                                                                                        PID:5060
                                                                                                                      • C:\Windows\system32\calc.exe
                                                                                                                        "C:\Windows\system32\calc.exe"
                                                                                                                        1⤵
                                                                                                                          PID:5092
                                                                                                                        • C:\Program Files\VideoLAN\VLC\vlc.exe
                                                                                                                          "C:\Program Files\VideoLAN\VLC\vlc.exe"
                                                                                                                          1⤵
                                                                                                                          • Suspicious behavior: AddClipboardFormatListener
                                                                                                                          • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                          PID:1280
                                                                                                                        • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
                                                                                                                          "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
                                                                                                                          1⤵
                                                                                                                            PID:1160
                                                                                                                          • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
                                                                                                                            "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
                                                                                                                            1⤵
                                                                                                                              PID:4404
                                                                                                                            • C:\Program Files\VideoLAN\VLC\vlc.exe
                                                                                                                              "C:\Program Files\VideoLAN\VLC\vlc.exe"
                                                                                                                              1⤵
                                                                                                                              • Suspicious behavior: AddClipboardFormatListener
                                                                                                                              • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                                                              PID:1728
                                                                                                                            • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
                                                                                                                              "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
                                                                                                                              1⤵
                                                                                                                                PID:972
                                                                                                                              • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                                "C:\Program Files\Internet Explorer\iexplore.exe"
                                                                                                                                1⤵
                                                                                                                                  PID:4552
                                                                                                                                • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
                                                                                                                                  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
                                                                                                                                  1⤵
                                                                                                                                    PID:2188
                                                                                                                                  • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
                                                                                                                                    "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
                                                                                                                                    1⤵
                                                                                                                                      PID:4472
                                                                                                                                    • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
                                                                                                                                      "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
                                                                                                                                      1⤵
                                                                                                                                        PID:4616
                                                                                                                                      • C:\Program Files\VideoLAN\VLC\vlc.exe
                                                                                                                                        "C:\Program Files\VideoLAN\VLC\vlc.exe"
                                                                                                                                        1⤵
                                                                                                                                        • Suspicious behavior: AddClipboardFormatListener
                                                                                                                                        • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                        PID:4696
                                                                                                                                      • C:\Program Files\VideoLAN\VLC\vlc.exe
                                                                                                                                        "C:\Program Files\VideoLAN\VLC\vlc.exe"
                                                                                                                                        1⤵
                                                                                                                                        • Suspicious behavior: AddClipboardFormatListener
                                                                                                                                        • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                        PID:4736
                                                                                                                                      • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
                                                                                                                                        "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
                                                                                                                                        1⤵
                                                                                                                                          PID:4864
                                                                                                                                        • C:\Windows\system32\calc.exe
                                                                                                                                          "C:\Windows\system32\calc.exe"
                                                                                                                                          1⤵
                                                                                                                                            PID:5084
                                                                                                                                          • C:\Windows\system32\calc.exe
                                                                                                                                            "C:\Windows\system32\calc.exe"
                                                                                                                                            1⤵
                                                                                                                                              PID:5008
                                                                                                                                            • C:\Windows\system32\calc.exe
                                                                                                                                              "C:\Windows\system32\calc.exe"
                                                                                                                                              1⤵
                                                                                                                                                PID:4352
                                                                                                                                              • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
                                                                                                                                                "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
                                                                                                                                                1⤵
                                                                                                                                                  PID:1904
                                                                                                                                                • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
                                                                                                                                                  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
                                                                                                                                                  1⤵
                                                                                                                                                    PID:4708
                                                                                                                                                  • C:\Windows\system32\calc.exe
                                                                                                                                                    "C:\Windows\system32\calc.exe"
                                                                                                                                                    1⤵
                                                                                                                                                      PID:4868
                                                                                                                                                    • C:\Windows\explorer.exe
                                                                                                                                                      "C:\Windows\explorer.exe"
                                                                                                                                                      1⤵
                                                                                                                                                        PID:5180
                                                                                                                                                      • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                                                                                                                                        "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
                                                                                                                                                        1⤵
                                                                                                                                                          PID:5364
                                                                                                                                                          • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
                                                                                                                                                            "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
                                                                                                                                                            2⤵
                                                                                                                                                              PID:5396
                                                                                                                                                          • C:\Program Files\VideoLAN\VLC\vlc.exe
                                                                                                                                                            "C:\Program Files\VideoLAN\VLC\vlc.exe"
                                                                                                                                                            1⤵
                                                                                                                                                            • Suspicious behavior: AddClipboardFormatListener
                                                                                                                                                            • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                                            PID:5460
                                                                                                                                                          • C:\Windows\system32\calc.exe
                                                                                                                                                            "C:\Windows\system32\calc.exe"
                                                                                                                                                            1⤵
                                                                                                                                                              PID:5564
                                                                                                                                                            • C:\Windows\System32\rundll32.exe
                                                                                                                                                              "C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
                                                                                                                                                              1⤵
                                                                                                                                                                PID:5784
                                                                                                                                                              • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                                                                "C:\Program Files\Internet Explorer\iexplore.exe"
                                                                                                                                                                1⤵
                                                                                                                                                                • Modifies Internet Explorer settings
                                                                                                                                                                PID:5804
                                                                                                                                                                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                                                                                                                                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5804 CREDAT:275457 /prefetch:2
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:5132
                                                                                                                                                                • C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
                                                                                                                                                                  "C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
                                                                                                                                                                  1⤵
                                                                                                                                                                    PID:5812
                                                                                                                                                                  • C:\Windows\helppane.exe
                                                                                                                                                                    C:\Windows\helppane.exe -Embedding
                                                                                                                                                                    1⤵
                                                                                                                                                                    • Modifies Internet Explorer settings
                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                    PID:5860
                                                                                                                                                                  • C:\Windows\explorer.exe
                                                                                                                                                                    "C:\Windows\explorer.exe"
                                                                                                                                                                    1⤵
                                                                                                                                                                      PID:5904
                                                                                                                                                                    • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                                                                      "C:\Program Files\Internet Explorer\iexplore.exe"
                                                                                                                                                                      1⤵
                                                                                                                                                                      • Modifies Internet Explorer settings
                                                                                                                                                                      PID:5924
                                                                                                                                                                      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                                                                                                                                        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5924 CREDAT:275457 /prefetch:2
                                                                                                                                                                        2⤵
                                                                                                                                                                          PID:5348
                                                                                                                                                                      • C:\Program Files\Internet Explorer\iexplore.exe
                                                                                                                                                                        "C:\Program Files\Internet Explorer\iexplore.exe"
                                                                                                                                                                        1⤵
                                                                                                                                                                        • Modifies Internet Explorer settings
                                                                                                                                                                        PID:5972
                                                                                                                                                                        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                                                                                                                                                                          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5972 CREDAT:275457 /prefetch:2
                                                                                                                                                                          2⤵
                                                                                                                                                                            PID:5528
                                                                                                                                                                        • C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
                                                                                                                                                                          "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"
                                                                                                                                                                          1⤵
                                                                                                                                                                            PID:5984
                                                                                                                                                                          • C:\Windows\system32\SndVol.exe
                                                                                                                                                                            SndVol.exe -f 7210028 12772
                                                                                                                                                                            1⤵
                                                                                                                                                                              PID:5992
                                                                                                                                                                            • C:\Program Files\VideoLAN\VLC\vlc.exe
                                                                                                                                                                              "C:\Program Files\VideoLAN\VLC\vlc.exe"
                                                                                                                                                                              1⤵
                                                                                                                                                                              • Suspicious behavior: AddClipboardFormatListener
                                                                                                                                                                              • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                                                              PID:6036
                                                                                                                                                                            • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
                                                                                                                                                                              "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
                                                                                                                                                                              1⤵
                                                                                                                                                                                PID:6044
                                                                                                                                                                                • C:\Program Files (x86)\Windows Media Player\setup_wm.exe
                                                                                                                                                                                  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
                                                                                                                                                                                  2⤵
                                                                                                                                                                                    PID:6096
                                                                                                                                                                                • C:\Windows\system32\calc.exe
                                                                                                                                                                                  "C:\Windows\system32\calc.exe"
                                                                                                                                                                                  1⤵
                                                                                                                                                                                    PID:6116
                                                                                                                                                                                  • C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
                                                                                                                                                                                    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
                                                                                                                                                                                    1⤵
                                                                                                                                                                                    • Drops file in Program Files directory
                                                                                                                                                                                    PID:3568
                                                                                                                                                                                    • C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3568_553378536\ChromeRecovery.exe
                                                                                                                                                                                      "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3568_553378536\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={ed220c8e-f4d0-4e1a-a6f1-0014894a8dd3} --system
                                                                                                                                                                                      2⤵
                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                      PID:5820
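The nesting in the Processes listing is carried by the "N⤵" depth marker, not by indentation, and the indentation is the first thing a scraped report loses. As an added example (not part of this report or of the sandbox's own tooling), the following Python parses a constructed excerpt in that layout, rebuilds parent/child links from the depth markers, and reports the full lineage of any process tagged "Executes dropped EXE", so the reviewer sees which parent dropped and launched the binary rather than only the leaf. The excerpt text is copied from two chains in the listing above; the regexes, class and function names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt in the listing's own layout (two chains copied from the
# report): an image-path bullet, the command line, a depth marker "N⤵",
# zero or more behaviour-tag bullets, then "PID:n".
SAMPLE = r"""
• C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    1⤵
    • Modifies Internet Explorer settings
    PID:5804
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5804 CREDAT:275457 /prefetch:2
        2⤵
        PID:5132
• C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
    1⤵
    • Drops file in Program Files directory
    PID:3568
    • C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3568_553378536\ChromeRecovery.exe
        "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3568_553378536\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={ed220c8e-f4d0-4e1a-a6f1-0014894a8dd3} --system
        2⤵
        • Executes dropped EXE
        PID:5820
"""

IMAGE_RE = re.compile(r"^• ([A-Za-z]:\\.+)$")   # bullet whose body is a Windows path
DEPTH_RE = re.compile(r"^(\d+)⤵$")
PID_RE = re.compile(r"^PID:(\d+)$")


@dataclass
class Proc:
    image: str
    cmdline: str = ""
    depth: int = 0
    pid: int = -1
    parent: Optional[int] = None
    tags: List[str] = field(default_factory=list)
    children: List[int] = field(default_factory=list)


def parse_tree(text: str) -> Dict[int, Proc]:
    """Turn the listing into {pid: Proc}; nesting comes from the N⤵ marker only."""
    procs: Dict[int, Proc] = {}
    stack: List[Proc] = []          # stack[d-1] is the most recent process at depth d
    cur: Optional[Proc] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IMAGE_RE.match(line)
        if m:                       # a path bullet starts a new process record
            cur = Proc(image=m.group(1))
            continue
        if cur is None:
            raise ValueError(f"unexpected line before any process: {line!r}")
        if line.startswith("• "):   # any other bullet is a behaviour tag
            cur.tags.append(line[2:])
        elif (m := DEPTH_RE.match(line)):
            cur.depth = int(m.group(1))
        elif (m := PID_RE.match(line)):   # PID closes the record
            cur.pid = int(m.group(1))
            if cur.depth < 1:
                raise ValueError(f"PID {cur.pid} has no depth marker")
            del stack[cur.depth - 1:]     # drop deeper entries and same-depth sibling
            if cur.depth > 1:
                if len(stack) < cur.depth - 1:
                    raise ValueError(f"PID {cur.pid} at depth {cur.depth} has no parent")
                cur.parent = stack[-1].pid
                stack[-1].children.append(cur.pid)
            stack.append(cur)
            procs[cur.pid] = cur
            cur = None
        else:
            cur.cmdline = line      # quoted or unquoted command line
    return procs


def lineage(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Image paths from the top-level ancestor down to pid."""
    chain: List[str] = []
    nxt: Optional[int] = pid
    while nxt is not None:
        chain.append(procs[nxt].image)
        nxt = procs[nxt].parent
    return chain[::-1]


def flagged(procs: Dict[int, Proc], watch=("Executes dropped EXE",)) -> Dict[int, List[str]]:
    """PIDs carrying any watched tag, each with its full lineage."""
    return {pid: lineage(procs, pid)
            for pid, p in procs.items() if any(t in p.tags for t in watch)}


if __name__ == "__main__":
    for pid, chain in flagged(parse_tree(SAMPLE)).items():
        print(pid, " -> ".join(chain))
```

Feeding the whole Processes listing to parse_tree() gives one record per PID; flagged() with a different watch tuple (for example "Suspicious use of AdjustPrivilegeToken") pulls out other tagged lineages the same way.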

Network

MITRE ATT&CK Enterprise v6

Downloads

• C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3568_553378536\ChromeRecovery.exe
    Filesize  253KB
    MD5       49ac3c96d270702a27b4895e4ce1f42a
    SHA1      55b90405f1e1b72143c64113e8bc65608dd3fd76
    SHA256    82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f
    SHA512    b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize  61KB
    MD5       fc4666cbca561e864e7fdf883a9e6661
    SHA1      2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
    SHA256    10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
    SHA512    c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize  342B
    MD5       3187dfa78907b4e3028d1ce4e555a90d
    SHA1      2365d62f545750692cd55f9e48bad5cf9a14a6f0
    SHA256    8f744e999a644789ae090c556095cb0f5fb16824a20e70ba535a0d11208b3a5c
    SHA512    9e998111335ca5aefbea4663f42b908384c1fd435ce40debff5d4a56cfcdc591f5f1b12a690bb9a3b3542f2b3099431e1883e278c8aabf1562a0ea44ec9f7692

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                                                                                                                                    Filesize

                                                                                                                                                                                    342B

                                                                                                                                                                                    MD5

                                                                                                                                                                                    52cb76a5d9deb0e6414e974c55d40a7e

                                                                                                                                                                                    SHA1

                                                                                                                                                                                    1bd7a8504d16eeea17b4b81ece7908b2e92a430f

                                                                                                                                                                                    SHA256

                                                                                                                                                                                    67f692a88d509c2cf03eac0e486cd17052ad54d374ba135193c71044d1bf64d4

                                                                                                                                                                                    SHA512

                                                                                                                                                                                    05d87f25fff8a26bab9b25cb05408d4d598cd0328e66a26b79dc1f0ea6858727d3e0a6d96757755e65645b63804ed1b44130623cee529837c580ab63d2c53631

                                                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                                                                                                                                    Filesize

                                                                                                                                                                                    342B

                                                                                                                                                                                    MD5

                                                                                                                                                                                    c4bbf74b2610c702d4984f190a50b383

                                                                                                                                                                                    SHA1

                                                                                                                                                                                    0a1c433ef05145dafeb736881a3fe8fef1c1823e

                                                                                                                                                                                    SHA256

                                                                                                                                                                                    be130c6c54ccfcce89d6127d085a3f8d9bb30436bab5e210c5390546d166d175

                                                                                                                                                                                    SHA512

                                                                                                                                                                                    43291d4517e8ea95affde65d7d9b72b196cd8fc6d991d5466da8c457daea799efcd42c2363312d67110590e6c65d6d1bd4c50380ff6c9969f0376df11ba60a17

                                                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                                                                                                                                    Filesize

                                                                                                                                                                                    342B

                                                                                                                                                                                    MD5

                                                                                                                                                                                    48d076fd4cf76750bcac40a6dd52fed2

                                                                                                                                                                                    SHA1

                                                                                                                                                                                    369815d08acc4a8cf2ca6f012209461478ca8fbc

                                                                                                                                                                                    SHA256

                                                                                                                                                                                    344037f7e94ef68bc79637b17bac6a2a9eedc8f8848a34103615cb378a85b39d

                                                                                                                                                                                    SHA512

                                                                                                                                                                                    76854077a187834d70674ce4bbddabc53079c443262940c39142a4a3c1e8a3b0030ed54a4cfa0a20ef47425af3f9957e49a5f9cd284276c1f4f67934a56639c3

                                                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                                                                                                                                    Filesize

                                                                                                                                                                                    342B

                                                                                                                                                                                    MD5

                                                                                                                                                                                    c6d384683f217daa88f8ba673daeb4f4

                                                                                                                                                                                    SHA1

                                                                                                                                                                                    3aaa9ac6965d86f66acaacff141b4fa7b8c57e35

                                                                                                                                                                                    SHA256

                                                                                                                                                                                    36a55b73b8a8ee40e8b14e603f050f8282c104e5b0c5469f75f1e6e54917a26c

                                                                                                                                                                                    SHA512

                                                                                                                                                                                    11bb14fbdd37f5106be80f8c56de36ebb108243e0fe4f1acaea01129fcf6901799fcbe917e3fac790d1b26a3d5711baa765692baadecc3fd782bb372f1e24c56

                                                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                                                                                                                                    Filesize

                                                                                                                                                                                    342B

                                                                                                                                                                                    MD5

                                                                                                                                                                                    ec918f28c0ca4b02390d40ea3c164a52

                                                                                                                                                                                    SHA1

                                                                                                                                                                                    a81beffe134519299c7d70811ffd666e6ced4578

                                                                                                                                                                                    SHA256

                                                                                                                                                                                    8633ecb6b7c5350dfd0e166aa2926f946a6d996973b6520a81d34a4c6519e8d5

                                                                                                                                                                                    SHA512

                                                                                                                                                                                    3bf0536cff2c9df716ba9f5fb924053ca1983282d04d8ba1e11458f617558397057e4ca2bdc7e977ecf2ca59aa18117cda307c0acd3fe57b90babfd7332c9205

                                                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                                                                                                                                    Filesize

                                                                                                                                                                                    342B

                                                                                                                                                                                    MD5

                                                                                                                                                                                    93a5c95b3132187a4075f6a141f056c5

                                                                                                                                                                                    SHA1

                                                                                                                                                                                    d3841f5cd9230138870d87398e70ef27b09df0bb

                                                                                                                                                                                    SHA256

                                                                                                                                                                                    b64044c48899bce22075335b4859656a13938a2fea9cfb63f935495d080b688f

                                                                                                                                                                                    SHA512

                                                                                                                                                                                    f36066f5bca28ad8dea046144940df682e6d475a062e0cd31260fdc62f759507f9abea4a0420a4472eefab9504f8b76bda137f46ac7fab75c8dec1046c0f4a39

                                                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                                                                                                                                    Filesize

                                                                                                                                                                                    342B

                                                                                                                                                                                    MD5

                                                                                                                                                                                    14584567d53da5883c607f074f1959cd

                                                                                                                                                                                    SHA1

                                                                                                                                                                                    638220f6d768f8885ee643bc8fcf2db807d229bb

                                                                                                                                                                                    SHA256

                                                                                                                                                                                    e633a98ac36d2eab3bc16dabc8aec75d413979a3424b0c9ef9ac59e64c65dacc

                                                                                                                                                                                    SHA512

                                                                                                                                                                                    5eb07cf07e37d1f5dacaafac0213d3c502021895fb458a66da5cd965710393103ae3622f1d16d81667c9d5c9ffee252245ea0aa0aad7234715107243901d217f

                                                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                                                                                                                                    Filesize

                                                                                                                                                                                    342B

                                                                                                                                                                                    MD5

                                                                                                                                                                                    428e348bf28bbccef61f641255f9bff5

                                                                                                                                                                                    SHA1

                                                                                                                                                                                    7c04e9079df997ca5691ae8f8bdf9cfaee463abe

                                                                                                                                                                                    SHA256

                                                                                                                                                                                    889903ba3194717263fc7617b45aedd139d8625aebf521e1ee923b58cc55b6f3

                                                                                                                                                                                    SHA512

                                                                                                                                                                                    dbb569f491dc417b80a354dbd27df163677d0217f8969f1b5b38a5ffe5f2f226dc89838fa17478392405ba1789e32022c5131e955bae3c05916fefdcd8b5b4eb

                                                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                                                                                                                                    Filesize

                                                                                                                                                                                    342B

                                                                                                                                                                                    MD5

                                                                                                                                                                                    ed52482551826dade905d5e93a83d694

                                                                                                                                                                                    SHA1

                                                                                                                                                                                    2a4f547bea82d6492d3dd40cb9c84b5dd1be7f2d

                                                                                                                                                                                    SHA256

                                                                                                                                                                                    945b37f5d230580421e719c357db71e458ddbe100aa9e6d3a72a0cc6d1a9ca2a

                                                                                                                                                                                    SHA512

                                                                                                                                                                                    187a0b320325a76480e6451b9dec28be007549fdaf2f68455669075058dc7381a8a0fb30545c7b59f17e341c878a49f4be161e9e8fbf12f596b39aa4bf0ced5b

                                                                                                                                                                                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                                                                                                                                                                    Filesize

                                                                                                                                                                                    342B

                                                                                                                                                                                    MD5

                                                                                                                                                                                    c2ef5881cf311a5a02972797b3188200

                                                                                                                                                                                    SHA1

                                                                                                                                                                                    1ad493ad4a600f9346895faf8aa50b2a450aea26

                                                                                                                                                                                    SHA256

                                                                                                                                                                                    3739dc09a7990a105b901ff8c0ce4b8fd2c4063672f6a278cc4765f8eb8e9680

                                                                                                                                                                                    SHA512

                                                                                                                                                                                    d9c42411bf20b72dc34dd868775b604643c33606c69ef8c659c005ae89ca307a8f81bf8559092b24168c88408165375faaef17cb3a79ab95136d5a5300354886

                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3

                                                                                                                                                                                    Filesize

                                                                                                                                                                                    141KB

                                                                                                                                                                                    MD5

                                                                                                                                                                                    ea1c1ffd3ea54d1fb117bfdbb3569c60

                                                                                                                                                                                    SHA1

                                                                                                                                                                                    10958b0f690ae8f5240e1528b1ccffff28a33272

                                                                                                                                                                                    SHA256

                                                                                                                                                                                    7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

                                                                                                                                                                                    SHA512

                                                                                                                                                                                    6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{26F06181-7598-11ED-A1C0-5684FCD0D2EE}.dat

                                                                                                                                                                                    Filesize

                                                                                                                                                                                    3KB

                                                                                                                                                                                    MD5

                                                                                                                                                                                    786146e22086a6d149f2a77f1985e73a

                                                                                                                                                                                    SHA1

                                                                                                                                                                                    94c6eafb18e4788e8de17cccf20183e29fcb0d1d

                                                                                                                                                                                    SHA256

a93669b3479c774ccfa3e1100bb99055371014030f10556b9f395970e83a3642
  SHA512: 78bc6fc2b6557e783c258bc40ff0c86c100bd1541da296261bf1545c202dae2ca542112e7e2aa2ba48f3c6e7bc1da36162a73a99762251dcd62b8eb8b3bffbac

• C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{26F06181-7598-11ED-A1C0-5684FCD0D2EE}.dat
  Filesize: 5KB
  MD5: b1fd0e0e01f45d70839d2d092d5c463e
  SHA1: 0bded40c46004d50070da8c00526d6499e3bf1f6
  SHA256: 06bb659e6742b00002695c5a787c2cb1b5d6937c1c358faa12d2697ca06f2198
  SHA512: 1825397e9a5712f034c2209d3c0384235914f6faddafdc903e0465b7ca03d561cbc0c82c1d38583d6d1d7661746ff28d13d60c19bb505892d56ae22119ab5543

• C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{26FC4861-7598-11ED-A1C0-5684FCD0D2EE}.dat
  Filesize: 5KB
  MD5: 1e0e9f41351d7157ca22dcdfbea243de
  SHA1: 912bfc5f15b6bc402d0aed61ee39f13216c0ff43
  SHA256: 6ac376b2442ff62103db85d7b63f67b2ccf813522d9d9fe5b9801df8da785fda
  SHA512: 9effa63bc396abda82444602d87c2979ada95a1330026e299ff01e87084bd8bc8251a355a535d2e8f27137140ec331ce3ce4e8a7172a2dc98d8cc54a1b323db9

• C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{26FC4861-7598-11ED-A1C0-5684FCD0D2EE}.dat
  Filesize: 5KB
  MD5: 8ad988bb143440808f9521797bae44a6
  SHA1: 698367660ed26e3c6fb4a7c7a5d80092f69ff59e
  SHA256: ff875ed84a87016964048aa8b2b81d772a6b82f9872cf5fcd55f33cc492e6b04
  SHA512: 627abc2bc1a57c67cfb020c3360eaf723ac09437f672b0abd5d106a871d4c664963b1548e7ddec6ace50c2de41fe37a9e4dd8bb0cf4c3279c7b61d6610e71a5d

• C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4EA2AC61-7598-11ED-A1C0-5684FCD0D2EE}.dat
  Filesize: 3KB
  MD5: 91bb7af93071e9fef12e2bfac70cf222
  SHA1: ab25121e76f59df249372804b61261d7cf7a3865
  SHA256: da8e9179e9b95a557fc08a58e7121db04638c3d948f0c3d7c8b3632ea2616b3e
  SHA512: 20df9c9b01e1534d6eae4dd454e3a9e75cd817e83baa2e15d2fa5a186be623b681f40a551c0522fbccf20e3ff2366114a5bc609d10fef544fc87232975320f47

• C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4EBEE6F1-7598-11ED-A1C0-5684FCD0D2EE}.dat
  Filesize: 4KB
  MD5: c1dd7dac9b22e6c2f8905b0c304c7b28
  SHA1: 1a4059928e37fd07f9d3cb9d909b11ea3ea514a7
  SHA256: 4dfcb2d76017bdb7a1991a1b08b333e7155985691d5c421f41b0d154d3ba684b
  SHA512: dec1837b0521db5abd671040da6554acf5e2c81c2d196a105479b508b41bb07f0674e40d60b95c944bc5a608dd50652ddc0a84df97b5c700e2ea82f7da14ae1a

• C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4EBEE6F1-7598-11ED-A1C0-5684FCD0D2EE}.dat
  Filesize: 5KB
  MD5: ab20d1b2e425724e75fe13707ba5499f
  SHA1: 34b73347c051e525fb4fdd4a0a4b2123f5bfbfa9
  SHA256: eedc529cea6360958d0cf2ac0befd27588c2b400e6e1127e7d81f0908deb98c9
  SHA512: 77febc36f31995d8cec48a1d549f430e21634c3dde4e9fd3ece7e20f43fcc899bcf5f6692793348477e5f68f491c5f6f47752d89fb0bb92061265c61fe2dfdc5

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7IX31I5X.txt
  Filesize: 603B
  MD5: 848031124390263a55f408cede01d5fb
  SHA1: 5c3ec327fd66c378be3a9f1550ca1c24d827f680
  SHA256: 83c54feac06c90530a7bfff0ff94ce4c02eaeb33935b801aa27fd2b56fceb611
  SHA512: 24db39400ec06ee8e9866abed6ed46f1286c39fe8c01d71574f876272758538f7028159b4de21f3dee87c996bdf30329c05cdc2180912f89d2ef33976bf0e928

• memory/288-54-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmp
  Filesize: 8KB

• memory/1288-55-0x0000000075F81000-0x0000000075F83000-memory.dmp
  Filesize: 8KB

• memory/2244-69-0x000000006A4D1000-0x000000006A4D4000-memory.dmp
  Filesize: 12KB

• memory/2244-96-0x000000007202D000-0x0000000072038000-memory.dmp
  Filesize: 44KB

• memory/2244-64-0x000000005FFF0000-0x0000000060000000-memory.dmp
  Filesize: 64KB

• memory/2244-67-0x000000007202D000-0x0000000072038000-memory.dmp
  Filesize: 44KB

• memory/2244-60-0x0000000071041000-0x0000000071043000-memory.dmp
  Filesize: 8KB