Resubmissions
01/02/2022, 09:10 | 220201-k4279scee5 | 10
15/01/2022, 13:42 | 220115-qztyzsefhn | 10
12/01/2022, 12:30 | 220112-ppk3nacfbl | 10
10/01/2022, 10:49 | 220110-mwsd7sebe3 | 10
07/01/2022, 20:35 | 220107-zc2jzsdaeq | 10
07/01/2022, 10:05 | 220107-l4rxzacba8 | 10
06/01/2022, 22:46 | 220106-2qch5abff5 | 10
06/01/2022, 19:07 | 220106-xsnxqabhfl | 10
06/01/2022, 15:26 | 220106-svedvabda5 | 10
06/01/2022, 15:25 | 220106-st3p2sbgcq | 10

Analysis
max time kernel: 390s
max time network: 409s
platform: windows10_x64
resource: win10-en-20211208
submitted: 01/02/2022, 09:10

Static task: static1
Behavioral task: behavioral1
Sample: 4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe
Resource: win10-en-20211208
General
Target: 4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe
Size: 339KB
MD5: b75726b4b619811b4c50d917822a4083
SHA1: ed8b418d7357609ce03c4f7123c0bb711b9d227d
SHA256: 4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf
SHA512: 59516fdf6334f4005c7881322eb9a057939804e18ba8f13d0cb48fdc460aab19570c482e87700c6884807e1c885864ed422646f3150d9df731a10ecf5a7e05c9
Malware Config
Extracted
smokeloader
2020
http://host-data-coin-11.com/
http://file-coin-host-12.com/
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs
description | pid | Process | procid_target
PID 4776 created 4616 | 4776 | WerFault.exe | 129
PID 2988 created 4884 | 2988 | WerFault.exe | 135
PID 2008 created 4396 | 2008 | WerFault.exe | 143
PID 1292 created 3088 | 1292 | WerFault.exe | 171

Disables Task Manager via registry modification
Executes dropped EXE 6 IoCs
pid | Process
4616 | Main-Pass--1234--setup.exe
4884 | Main-Pass--1234--setup.exe
3052 | 000.exe
4908 | 666.exe
4372 | 1003.exe
2012 | 09F04A5D9E.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\International\Geo\Nation | 666.exe
Deletes itself 1 IoCs
pid | Process
3036 | Process not Found

Loads dropped DLL 1 IoCs
pid | Process
4908 | 666.exe
Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*09F04A5D9E = "C:\\Users\\Admin\\AppData\\Roaming\\09F04A5D9E.exe" | 09F04A5D9E.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\09F04A5D9E = "C:\\Users\\Admin\\AppData\\Roaming\\09F04A5D9E.exe" | 1003.exe
Key created | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | 1003.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*09F04A5D9E = "C:\\Users\\Admin\\AppData\\Roaming\\09F04A5D9E.exe" | 1003.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\09F04A5D9E = "C:\\Users\\Admin\\AppData\\Roaming\\09F04A5D9E.exe" | 09F04A5D9E.exe
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\Z: | 000.exe
File opened (read-only) | \??\H: | 000.exe
File opened (read-only) | \??\J: | 000.exe
File opened (read-only) | \??\K: | 000.exe
File opened (read-only) | \??\N: | 000.exe
File opened (read-only) | \??\B: | 000.exe
File opened (read-only) | \??\L: | 000.exe
File opened (read-only) | \??\R: | 000.exe
File opened (read-only) | \??\T: | 000.exe
File opened (read-only) | \??\M: | 000.exe
File opened (read-only) | \??\S: | 000.exe
File opened (read-only) | \??\U: | 000.exe
File opened (read-only) | \??\W: | 000.exe
File opened (read-only) | \??\A: | 000.exe
File opened (read-only) | \??\E: | 000.exe
File opened (read-only) | \??\G: | 000.exe
File opened (read-only) | \??\I: | 000.exe
File opened (read-only) | \??\V: | 000.exe
File opened (read-only) | \??\X: | 000.exe
File opened (read-only) | \??\Y: | 000.exe
File opened (read-only) | \??\F: | 000.exe
File opened (read-only) | \??\O: | 000.exe
File opened (read-only) | \??\P: | 000.exe
File opened (read-only) | \??\Q: | 000.exe
Modifies WinLogon 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0" | 000.exe
Program crash 6 IoCs
pid | pid_target | Process | procid_target
4680 | 4616 | WerFault.exe | 129
4776 | 4616 | WerFault.exe | 129
4904 | 4884 | WerFault.exe | 135
2988 | 4884 | WerFault.exe | 135
2008 | 4396 | WerFault.exe | 143
1292 | 3088 | WerFault.exe | 171
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\Wallpaper | 000.exe

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2592 set thread context of 2588 | 2592 | 4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe | 69
Drops file in Windows directory 10 IoCs
description | ioc | Process
File created | C:\Windows\rescache\_merged\4183903823\97717462.pri | taskmgr.exe
File created | C:\Windows\rescache\_merged\4272278488\30062976.pri | taskmgr.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File created | C:\Windows\rescache\_merged\1601268389\1361672858.pri | taskmgr.exe
File created | C:\Windows\rescache\_merged\3720402701\1659841449.pri | Process not Found
File created | C:\Windows\rescache\_merged\4183903823\97717462.pri | taskmgr.exe
File created | C:\Windows\rescache\_merged\1601268389\1361672858.pri | taskmgr.exe
File created | C:\Windows\rescache\_merged\4272278488\30062976.pri | SecHealthUI.exe
File created | C:\Windows\rescache\_merged\4272278488\30062976.pri | Process not Found
File created | C:\Windows\rescache\_merged\3720402701\1659841449.pri | MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Enumerates system info in registry 2 TTPs 10 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Kills process with taskkill 64 IoCs
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 4 IoCs
pid | Process
3036 | Process not Found
3036 | Process not Found
3036 | Process not Found
3036 | Process not Found
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
pid | Process
3036 | Process not Found
1236 | chrome.exe
1096 | taskmgr.exe
4964 | taskmgr.exe

Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
2588 | 4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
PID   Process       Occurrences
3328  chrome.exe    27
1096  taskmgr.exe   35
1236  chrome.exe    2
Suspicious use of SendNotifyMessage 64 IoCs
PID   Process       Occurrences
3328  chrome.exe    24
1096  taskmgr.exe   34
1236  chrome.exe    6
Suspicious use of SetWindowsHookEx 33 IoCs
PID   Process             Occurrences
3036  Process not Found   29
4396  SecHealthUI.exe     1
3052  000.exe             2
3088  MicrosoftEdge.exe   1
Suspicious use of WriteProcessMemory 64 IoCs
Source PID  Target PID  Source process                                                          procid_target  Occurrences
2592        2588        4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe   69             6
3328        3376        chrome.exe                                                              71             2
3328        3760        chrome.exe                                                              73             40
3328        4004        chrome.exe                                                              74             2
3328        3560        chrome.exe                                                              75             14
Processes

C:\Users\Admin\AppData\Local\Temp\4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 2592

    C:\Users\Admin\AppData\Local\Temp\4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe"
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      PID: 2588
C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 3328

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff26cd4f50,0x7fff26cd4f60,0x7fff26cd4f70
      PID: 3376

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1496,16153606271615647508,8671030251805664743,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1512 /prefetch:2
      PID: 3760

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1496,16153606271615647508,8671030251805664743,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1732 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 4004

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1496,16153606271615647508,8671030251805664743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2108 /prefetch:8
      PID: 3560

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,16153606271615647508,8671030251805664743,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:1
      PID: 1480

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,16153606271615647508,8671030251805664743,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2572 /prefetch:1
      PID: 1292

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1496,16153606271615647508,8671030251805664743,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
      PID: 1316

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,16153606271615647508,8671030251805664743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4160 /prefetch:8
      PID: 2040

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,16153606271615647508,8671030251805664743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4256 /prefetch:8
      PID: 2732

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1496,16153606271615647508,8671030251805664743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4280 /prefetch:8
      PID: 3084

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1496,16153606271615647508,8671030251805664743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4240 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 3108
C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1096
C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1236

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff26cd4f50,0x7fff26cd4f60,0x7fff26cd4f70
      PID: 1196

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1660 /prefetch:8
      PID: 3288

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1552 /prefetch:2
      PID: 2224

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2300 /prefetch:1
      PID: 2696

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2636 /prefetch:1
      PID: 2304

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2368 /prefetch:8
      PID: 2552

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
      PID: 904

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4456 /prefetch:8
      PID: 2988

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4356 /prefetch:8
      PID: 1368

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4584 /prefetch:8
      PID: 1596

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 /prefetch:8
      PID: 2276

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
      PID: 2116

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
      PID: 412

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3896 /prefetch:8
      PID: 2000

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5364 /prefetch:8
      PID: 3520

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3760 /prefetch:8
      PID: 3008

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2356 /prefetch:8
      PID: 704

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
      PID: 1348

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4704 /prefetch:8
      PID: 1052

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4952 /prefetch:8
      PID: 2568

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
      PID: 3636

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4844 /prefetch:8
      PID: 3440

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
      PID: 3496

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4472 /prefetch:1
      PID: 612

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8
      PID: 3520

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
      PID: 2348

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2744 /prefetch:1
      PID: 4056

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
      PID: 3828

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
      PID: 1608

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4388 /prefetch:8
      PID: 2924

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5892 /prefetch:8
      PID: 396

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
      PID: 1348

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6484 /prefetch:8
      PID: 4120

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6360 /prefetch:8
      PID: 4152

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4552 /prefetch:8
      PID: 4216

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4640 /prefetch:8
      PID: 4456

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3568 /prefetch:8
      PID: 4740

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3116 /prefetch:2
      PID: 4828

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1688 /prefetch:8
      PID: 4236

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5212 /prefetch:8
      PID: 4616

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4436 /prefetch:8
      PID: 4856

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5072 /prefetch:8
      PID: 1960

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:1
      PID: 1928

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
      PID: 5088

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
      PID: 4940

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6924 /prefetch:8
      PID: 4900

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
      PID: 4148

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7120 /prefetch:8
      PID: 4236

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
      PID: 4108

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7156 /prefetch:8
      PID: 4584

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
      PID: 1300
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7164 /prefetch:82⤵PID:3008
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,15448403137069124104,11035690966913422785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2576 /prefetch:82⤵PID:2072
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4348
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap1251:102:7zEvent271041⤵PID:4540
-
C:\Users\Admin\Desktop\Main-Pass--1234--setup.exe"C:\Users\Admin\Desktop\Main-Pass--1234--setup.exe"1⤵
- Executes dropped EXE
PID:4616 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 4202⤵
- Program crash
PID:4680
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4616 -s 4362⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:4776
-
-
C:\Users\Admin\Desktop\Main-Pass--1234--setup.exe"C:\Users\Admin\Desktop\Main-Pass--1234--setup.exe"1⤵
- Executes dropped EXE
PID:4884 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 3682⤵
- Program crash
PID:4904
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 3882⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:2988
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:4964
-
C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4396 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4396 -s 16602⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2008
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵PID:4708
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff26cd4f50,0x7fff26cd4f60,0x7fff26cd4f702⤵PID:4680
-
-
C:\Users\Admin\Desktop\malware-master\malware-master\000\000.exe | "C:\Users\Admin\Desktop\malware-master\malware-master\000\000.exe" | PID 3052
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies WinLogon
  - Sets desktop wallpaper using registry
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat"" | PID 2828
        C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im explorer.exe | PID 316
          - Kills process with taskkill
        C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im taskmgr.exe | PID 4812
        C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic useraccount where name='Admin' set FullName='UR NEXT' | PID 5092
        C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic useraccount where name='Admin' rename 'UR NEXT' | PID 4836
C:\Users\Admin\Desktop\malware-master\malware-master\666\666.exe | "C:\Users\Admin\Desktop\malware-master\malware-master\666\666.exe" | PID 4908
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c @echo off | PID 4008
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c dir c | PID 3752
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c md VIRUS | PID 816
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer | PID 3420
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer.exe | PID 3608
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer | PID 3688
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer | PID 2244
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer.exe | PID 3684
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer.exe | PID 2252
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr | PID 4752
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr.exe | PID 4964
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr | PID 2008
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr | PID 4368
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr.exe | PID 4492
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr.exe | PID 4508
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer | PID 2612
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer.exe | PID 4532
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer | PID 904
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer | PID 4472
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer.exe | PID 4028
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer.exe | PID 4232
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr | PID 1752
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr.exe | PID 224
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr | PID 2292
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr | PID 4528
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr.exe | PID 4708
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr.exe | PID 4852
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer | PID 4060
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer.exe | PID 5024
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer | PID 5092
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer | PID 1172
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer.exe | PID 4320
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer.exe | PID 2708
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr | PID 4916
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr.exe | PID 3820
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr | PID 4952
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr | PID 2524
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr.exe | PID 2264
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr.exe | PID 4272
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer | PID 5096
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer.exe | PID 4576
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer | PID 4280
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer | PID 3512
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer.exe | PID 4624
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer.exe | PID 4140
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr | PID 4584
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr.exe | PID 4840
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr | PID 820
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr | PID 5028
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr.exe | PID 4476
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr.exe | PID 4400
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer | PID 4408
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer.exe | PID 4560
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer | PID 5080
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer | PID 5032
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer.exe | PID 4112
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer.exe | PID 4612
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr | PID 4300
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr.exe | PID 4032
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr | PID 5084
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr | PID 5076
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr.exe | PID 1652
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr.exe | PID 4068
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer | PID 3584
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer.exe | PID 4924
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer | PID 4344
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer | PID 952
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer.exe | PID 8
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer.exe | PID 4696
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr | PID 4308
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr.exe | PID 3016
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr | PID 3664
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr | PID 3116
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr.exe | PID 4200
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr.exe | PID 4292
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer | PID 4740
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer.exe | PID 3216
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer | PID 5044
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer | PID 2512
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer.exe | PID 4496
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer.exe | PID 1648
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr | PID 4500
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr.exe | PID 3028
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr | PID 3248
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr | PID 4516
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr.exe | PID 4480
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr.exe | PID 716
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer | PID 4216
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer.exe | PID 4232
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer | PID 4028
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer | PID 1752
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer.exe | PID 4792
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer.exe | PID 4528
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr | PID 3948
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr.exe | PID 4852
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr | PID 4708
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr | PID 2260
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr.exe | PID 5024
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr.exe | PID 4772
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer | PID 5092
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer.exe | PID 2928
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer | PID 1556
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer | PID 4724
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer.exe | PID 3820
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer.exe | PID 2888
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr | PID 4952
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr.exe | PID 3700
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr | PID 4284
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr | PID 1372
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr.exe | PID 4576
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr.exe | PID 3780
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer | PID 4280
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer.exe | PID 2216
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer | PID 4784
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer | PID 204
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer.exe | PID 3008
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer.exe | PID 5040
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr | PID 1636
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr.exe | PID 4520
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr | PID 4460
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr | PID 3988
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr.exe | PID 5060
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr.exe | PID 4592
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer | PID 4348
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer.exe | PID 2084
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer | PID 4612
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer | PID 4112
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer.exe | PID 4980
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer.exe | PID 1728
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr | PID 3056
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr.exe | PID 4372
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr | PID 4068
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr | PID 1652
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr.exe | PID 4544
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr.exe | PID 3152
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer | PID 4256
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer.exe | PID 2380
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer | PID 4696
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer | PID 8
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer.exe | PID 3652
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer.exe | PID 4240
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr | PID 3680
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr.exe | PID 4488
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr | PID 4292
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr | PID 4200
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr.exe | PID 1560
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr.exe | PID 4364
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer | PID 4296
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer.exe | PID 3100
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer | PID 1648
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer | PID 4496
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer.exe | PID 4512
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer.exe | PID 64
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr | PID 4896
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr.exe | PID 5088
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr | PID 716
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr | PID 4480
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr.exe | PID 3892
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr.exe | PID 3156
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer | PID 2232
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer.exe | PID 628
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer | PID 4820
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer | PID 1352
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer.exe | PID 4812
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer.exe | PID 2812
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr | PID 4268
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr.exe | PID 1632
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr | PID 1172
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr | PID 4772
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr.exe | PID 4456
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr.exe | PID 2708
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer | PID 2804
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer.exe | PID 5112
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer | PID 4936
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer | PID 2888
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer.exe | PID 4288
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer.exe | PID 4272
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr | PID 5096
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr.exe | PID 4180
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr | PID 4260
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr | PID 3780
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr.exe | PID 4116
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr.exe | PID 4140
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer | PID 4584
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer.exe | PID 4624
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer | PID 4756
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer | PID 5040
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer.exe | PID 820
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer.exe | PID 4400
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr | PID 3772
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr.exe | PID 4476
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr | PID 5032
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr | PID 4592
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr.exe | PID 5080
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr.exe | PID 3192
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer | PID 4804
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer.exe | PID 4196
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer | PID 5076
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer | PID 1728
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer.exe | PID 5084
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer.exe | PID 4920
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr | PID 3584
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr.exe | PID 4104
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr | PID 1652
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr | PID 4712
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr.exe | PID 4544
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr.exe | PID 4256
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer | PID 4308
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer.exe | PID 8
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer | PID 4696
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer | PID 2420
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer.exe | PID 3652
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer.exe | PID 3680
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr | PID 4740
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr.exe | PID 4200
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr | PID 4292
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr | PID 4964
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr.exe | PID 1560
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr.exe | PID 4296
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer | PID 4500
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer.exe | PID 4368
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer | PID 4532
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer | PID 3028
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer.exe | PID 2612
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer.exe | PID 904
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr | PID 4216
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr.exe | PID 4540
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr | PID 1300
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr | PID 3156
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr.exe | PID 4028
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr.exe | PID 4528
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer | PID 3948
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer.exe | PID 4680
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer | PID 4444
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer | PID 3068
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer.exe | PID 2260
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer.exe | PID 1316
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr | PID 4836
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr.exe | PID 1172
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr | PID 3556
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr | PID 2072
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr.exe | PID 4916
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr.exe | PID 1556
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer | PID 4484
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer.exe | PID 1928
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer | PID 2740
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer | PID 4952
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer.exe | PID 2152
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer.exe | PID 2264
          - Kills process with taskkill
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr | PID 1348
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL taskmgr.exe | PID 3512
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr | PID 4744
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr | PID 4140
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f taskmgr.exe | PID 3720
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f taskmgr.exe | PID 4784
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer | PID 4840
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TSKILL explorer.exe | PID 5028
    C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c TASKKILL /IM /f explorer | PID 3088
        C:\Windows\SysWOW64\taskkill.exe | TASKKILL /IM /f explorer | PID 4400
          - Kills process with taskkill
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca | PID 3088
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
    C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 3088 -s 3508 | PID 1292
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry

C:\Windows\system32\browser_broker.exe | C:\Windows\system32\browser_broker.exe -Embedding | PID 4196
  - Modifies Internet Explorer settings

C:\Users\Admin\Desktop\malware-master\malware-master\CryptoLocker 2014\1003.exe | "C:\Users\Admin\Desktop\malware-master\malware-master\CryptoLocker 2014\1003.exe" | PID 4372
  - Executes dropped EXE
  - Adds Run key to start application
    C:\Users\Admin\AppData\Roaming\09F04A5D9E.exe | "C:\Users\Admin\AppData\Roaming\09F04A5D9E.exe" | PID 2012
      - Executes dropped EXE
      - Adds Run key to start application
    C:\Windows\SYSTEM32\taskkill.exe | "taskkill" /F /IM 1003.exe | PID 4256
      - Kills process with taskkill

C:\Windows\SysWOW64\werfault.exe | werfault.exe /h /shared Global\6b424736bc0549dda9e54f638e7b909f /t 3424 /p 3052 | PID 5056