babadeda | hxxps://avalaunch-app[.]com

Analysis

max time kernel
1231s
max time network
1232s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
04-02-2022 08:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://avalaunch-app.com

Score

10^/10

babadeda remcos crypter loader persistence rat

Malware Config

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Avalaunch-dApp-2.1.0-installer.exe	family_babadeda
C:\Users\Admin\Downloads\Avalaunch-dApp-2.1.0-installer.exe	family_babadeda
C:\Users\Admin\AppData\Roaming\MiPony Installer\pg	family_babadeda
behavioral2/memory/3828-162-0x0000000004A00000-0x0000000008A77000-memory.dmp	family_babadeda
behavioral2/memory/3828-164-0x0000000004A00000-0x0000000008A00000-memory.dmp	family_babadeda

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

Avalaunch-dApp-2.1.0-installer.exeAvalaunch-dApp-2.1.0-installer.tmpmakecat.exelink.exe

pid process

3692 Avalaunch-dApp-2.1.0-installer.exe
2228 Avalaunch-dApp-2.1.0-installer.tmp
3524 makecat.exe
3828 link.exe
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
3692	Avalaunch-dApp-2.1.0-installer.exe
2228	Avalaunch-dApp-2.1.0-installer.tmp
3524	makecat.exe
3828	link.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Avalaunch-dApp-2.1.0-installer.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	Avalaunch-dApp-2.1.0-installer.tmp

Drops startup file 1 IoCs

Processes:

link.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cplinker.lnk link.exe
Loads dropped DLL 6 IoCs

Processes:

link.exe

pid process

3828 link.exe
3828 link.exe
3828 link.exe
3828 link.exe
3828 link.exe
3828 link.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cplinker.lnk	link.exe

pid	process
3828	link.exe
3828	link.exe
3828	link.exe
3828	link.exe
3828	link.exe
3828	link.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

link.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cross Platform Linker = "C:\\Users\\Admin\\AppData\\Roaming\\MiPony Installer\\link.exe"	link.exe

Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotifyIcon.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 21 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D537BD1A-859C-11EC-82D0-7AB5AFB0B0FC} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2764826428"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30939561"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2764826428"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D537BD1C-859C-11EC-82D0-7AB5AFB0B0FC}.dat = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30939561"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

svchost.exeWaaSMedicAgent.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4032"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.026039"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.006511"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132886133102269082"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3780"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3836"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.013023"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeAvalaunch-dApp-2.1.0-installer.tmp

pid	process
1940	chrome.exe
1940	chrome.exe
3832	chrome.exe
3832	chrome.exe
696	chrome.exe
696	chrome.exe
3444	chrome.exe
3444	chrome.exe
1436	chrome.exe
1436	chrome.exe
3628	chrome.exe
3628	chrome.exe
2228	Avalaunch-dApp-2.1.0-installer.tmp
2228	Avalaunch-dApp-2.1.0-installer.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

link.exe

pid process

3828 link.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exe

pid process

3832 chrome.exe
3832 chrome.exe
3832 chrome.exe
3832 chrome.exe
3832 chrome.exe
3832 chrome.exe
3832 chrome.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

AUDIODG.EXE

description pid process

Token: 33 560 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 560 AUDIODG.EXE

pid	process
3828	link.exe

description	pid	process
Token: 33	560	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	560	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 52 IoCs

Processes:

chrome.exeAvalaunch-dApp-2.1.0-installer.tmp

pid	process
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
2228	Avalaunch-dApp-2.1.0-installer.tmp
3832	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe
3832	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

iexplore.exelink.exe

pid process

3652 iexplore.exe
3652 iexplore.exe
3828 link.exe

pid	process
3652	iexplore.exe
3652	iexplore.exe
3828	link.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exechrome.exe

description	pid	process	target process
PID 3652 wrote to memory of 1416	3652	iexplore.exe	IEXPLORE.EXE
PID 3652 wrote to memory of 1416	3652	iexplore.exe	IEXPLORE.EXE
PID 3652 wrote to memory of 1416	3652	iexplore.exe	IEXPLORE.EXE
PID 3832 wrote to memory of 3636	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 3636	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2752	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 1940	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 1940	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2176	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2176	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2176	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2176	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2176	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2176	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2176	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2176	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2176	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2176	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2176	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2176	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2176	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2176	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2176	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2176	3832	chrome.exe	chrome.exe
PID 3832 wrote to memory of 2176	3832	chrome.exe	chrome.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://avalaunch-app.com
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3652

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3652 CREDAT:17410 /prefetch:2
2⤵
PID:1416

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
- Checks processor information in registry
PID:1304

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 9b29af4a956894ebad44787fb9ab1a17 xZyWRlLLnkiYqRNCmyWHng.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffc95ba4f50,0x7ffc95ba4f60,0x7ffc95ba4f70
2⤵
PID:3636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1628 /prefetch:2
2⤵
PID:2752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2008 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2264 /prefetch:8
2⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2916 /prefetch:1
2⤵
PID:980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3068 /prefetch:1
2⤵
PID:556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4288 /prefetch:8
2⤵
PID:3644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4428 /prefetch:1
2⤵
PID:3720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4824 /prefetch:8
2⤵
PID:1228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5060 /prefetch:8
2⤵
PID:3504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5156 /prefetch:8
2⤵
PID:1448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5136 /prefetch:8
2⤵
PID:1204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5240 /prefetch:8
2⤵
PID:952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
2⤵
PID:1036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
2⤵
PID:3252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4692 /prefetch:8
2⤵
PID:3872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4968 /prefetch:8
2⤵
PID:3448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5560 /prefetch:8
2⤵
PID:2800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4692 /prefetch:8
2⤵
PID:3300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5528 /prefetch:8
2⤵
PID:940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3672 /prefetch:8
2⤵
PID:240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3028 /prefetch:8
2⤵
PID:1408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3020 /prefetch:8
2⤵
PID:2912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3196 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4300 /prefetch:8
2⤵
PID:1120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4916 /prefetch:8
2⤵
PID:3344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3552 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1592 /prefetch:8
2⤵
PID:3952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4828 /prefetch:8
2⤵
PID:736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1
2⤵
PID:3900

C:\Users\Admin\Downloads\Avalaunch-dApp-2.1.0-installer.exe
"C:\Users\Admin\Downloads\Avalaunch-dApp-2.1.0-installer.exe"
2⤵
- Executes dropped EXE
PID:3692

C:\Users\Admin\AppData\Local\Temp\is-0L52F.tmp\Avalaunch-dApp-2.1.0-installer.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0L52F.tmp\Avalaunch-dApp-2.1.0-installer.tmp" /SL5="$5011C,123570416,887296,C:\Users\Admin\Downloads\Avalaunch-dApp-2.1.0-installer.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2228

C:\Users\Admin\AppData\Roaming\MiPony Installer\makecat.exe
"C:\Users\Admin\AppData\Roaming\MiPony Installer\makecat.exe"
4⤵
- Executes dropped EXE
PID:3524

C:\Users\Admin\AppData\Roaming\MiPony Installer\link.exe
"C:\Users\Admin\AppData\Roaming\MiPony Installer\link.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=224 /prefetch:8
2⤵
PID:1748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2260 /prefetch:1
2⤵
PID:1368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1268,12704355752983521526,13344836521076680513,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4920 /prefetch:8
2⤵
PID:4076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3872

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x468 0x470
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p
1⤵
PID:3652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p
1⤵
PID:112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0L52F.tmp\Avalaunch-dApp-2.1.0-installer.tmp
MD5
186f049568c683c2597f94ac445d054f

SHA1
b66903ea56214a05ede4f5228813028ba208041a

SHA256
55d0d8353358de375f54cdc67dc1226d809f34771f4b728e2a52a9c22744312c

SHA512
0b9d47c34fddbd7e2d021760ba562971948892a419151e56a5d081f0488b552577e824ce15a625247260da743937d38ccce1df3cc73489c35ecb8c5c0b97297a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0L52F.tmp\Avalaunch-dApp-2.1.0-installer.tmp
MD5
186f049568c683c2597f94ac445d054f

SHA1
b66903ea56214a05ede4f5228813028ba208041a

SHA256
55d0d8353358de375f54cdc67dc1226d809f34771f4b728e2a52a9c22744312c

SHA512
0b9d47c34fddbd7e2d021760ba562971948892a419151e56a5d081f0488b552577e824ce15a625247260da743937d38ccce1df3cc73489c35ecb8c5c0b97297a

Download Submit
C:\Users\Admin\AppData\Roaming\MiPony Installer\MSVCP140.dll
MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Admin\AppData\Roaming\MiPony Installer\VCRUNTIME140.dll
MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
C:\Users\Admin\AppData\Roaming\MiPony Installer\cmswrite.dll
MD5
3aa620a3832249894026a7bcef141947

SHA1
465efee181f8d8288c4a34b0a80e7070f3aa48f7

SHA256
568e680c3ecaa84a76e111054a138d867813b9f65bbdc967c98304d6a0b4cf69

SHA512
a788cdb4cdafbd7b96f5b9e88b72cb57fd18d8ab70e0e166fcdcdd553e1de559a6017535274e09e30d6183c7c9baae58d711820f927a8ed3c3811c6f994809a7

Download Submit
C:\Users\Admin\AppData\Roaming\MiPony Installer\cmswrite.dll
MD5
3aa620a3832249894026a7bcef141947

SHA1
465efee181f8d8288c4a34b0a80e7070f3aa48f7

SHA256
568e680c3ecaa84a76e111054a138d867813b9f65bbdc967c98304d6a0b4cf69

SHA512
a788cdb4cdafbd7b96f5b9e88b72cb57fd18d8ab70e0e166fcdcdd553e1de559a6017535274e09e30d6183c7c9baae58d711820f927a8ed3c3811c6f994809a7

Download Submit
C:\Users\Admin\AppData\Roaming\MiPony Installer\libwmf2.dll
MD5
830c6fdda9cd0cee12dba51f793eecf8

SHA1
1923f3fb75e5d81a40e0aa3ffe613138fe9402c6

SHA256
695ac459ba83bb3dfeb45294b2d7669b7b032a10c20be8acee337017a62f2099

SHA512
34d2ec03224cca7dc9f77c0ff1d5a9f535944c3f83ac0a8562f467b3099db83ebf678f80c77c5d888a96a1efee65ff8a69ca49e649d2013d7e318662c9fbedd4

Download Submit
C:\Users\Admin\AppData\Roaming\MiPony Installer\libwmf2.dll
MD5
830c6fdda9cd0cee12dba51f793eecf8

SHA1
1923f3fb75e5d81a40e0aa3ffe613138fe9402c6

SHA256
695ac459ba83bb3dfeb45294b2d7669b7b032a10c20be8acee337017a62f2099

SHA512
34d2ec03224cca7dc9f77c0ff1d5a9f535944c3f83ac0a8562f467b3099db83ebf678f80c77c5d888a96a1efee65ff8a69ca49e649d2013d7e318662c9fbedd4

Download Submit
C:\Users\Admin\AppData\Roaming\MiPony Installer\link.exe
MD5
e1e23f21b223a052c39e8c67acd38105

SHA1
7f0e0baf554412a45fb10b04b0b159394f0cf3ab

SHA256
f1261751289ad124a521bad5bcab76826f70b9d4686a48b9f5b3523415004cf1

SHA512
d6191bdaecefe06589676c2fe54bbb2ed68e79b62f931fd3d2257e2fe1089c89508e6c09c88257f039c581200dc1b709bfff85e9de767ab5f7555765e2ca6958

Download Submit
C:\Users\Admin\AppData\Roaming\MiPony Installer\link.exe
MD5
e1e23f21b223a052c39e8c67acd38105

SHA1
7f0e0baf554412a45fb10b04b0b159394f0cf3ab

SHA256
f1261751289ad124a521bad5bcab76826f70b9d4686a48b9f5b3523415004cf1

SHA512
d6191bdaecefe06589676c2fe54bbb2ed68e79b62f931fd3d2257e2fe1089c89508e6c09c88257f039c581200dc1b709bfff85e9de767ab5f7555765e2ca6958

Download Submit
C:\Users\Admin\AppData\Roaming\MiPony Installer\makecat.exe
MD5
8fa639e29c7d1e7a1bd0d493354df226

SHA1
3ad3203b18dec68815f084f28bb956f0e1f8b9fe

SHA256
9177d32598d86cbe839d9a64e7654a76c2f33a91fb01186ecaed1f9e98292438

SHA512
4d0bb6ccbc53bd4c9fca04bac51814a6064df2d954bf260ec24eadad61226fbea4ab569b0c2f9ba3c046284e12051a653be534aa6556d6849bff172e2c73f626

Download Submit
C:\Users\Admin\AppData\Roaming\MiPony Installer\makecat.exe
MD5
8fa639e29c7d1e7a1bd0d493354df226

SHA1
3ad3203b18dec68815f084f28bb956f0e1f8b9fe

SHA256
9177d32598d86cbe839d9a64e7654a76c2f33a91fb01186ecaed1f9e98292438

SHA512
4d0bb6ccbc53bd4c9fca04bac51814a6064df2d954bf260ec24eadad61226fbea4ab569b0c2f9ba3c046284e12051a653be534aa6556d6849bff172e2c73f626

Download Submit
C:\Users\Admin\AppData\Roaming\MiPony Installer\msvcp140.dll
MD5
1d8c79f293ca86e8857149fb4efe4452

SHA1
7474e7a5cb9c79c4b99fdf9fb50ef3011bef7e8f

SHA256
c09b126e7d4c1e6efb3ffcda2358252ce37383572c78e56ca97497a7f7c793e4

SHA512
83c4d842d4b07ba5cec559b6cd1c22ab8201941a667e7b173c405d2fc8862f7e5d9703e14bd7a1babd75165c30e1a2c95f9d1648f318340ea5e2b145d54919b1

Download Submit
C:\Users\Admin\AppData\Roaming\MiPony Installer\pg
MD5
d759799c9fab5a28a2c8b5eda93c5546

SHA1
aeefd53b64901005cd5fb6d3be7c8192fa505772

SHA256
8e6ae6f2c0c1dbe9b9fa315206b824ba9d72c337fec6d22763beb5d15c68c7d1

SHA512
8aa394ca09ba9e9893d29e44ee709042b207ba025bc8b5b102f53d74e48c806213dda8ef74ea8085ad69deec712db34b107ab448d2eb0d80fa43723ac5718c34

Download Submit
C:\Users\Admin\AppData\Roaming\MiPony Installer\tbbmalloc.dll
MD5
b61a9ee5a6c3c7a4d8b2944bee989250

SHA1
b3268110ebe8d565847a34340987465c7394989b

SHA256
c51fc91e9b7c855b691217dea5bc72fdf0c567f76deb204a80a0f7f50a885694

SHA512
83224db6dbf8c7e1a2939126f3bdd8c110d9efde08e2243d22dcbed30d58c3730c319cc8424fd155728236cf0d4cf4d0f7c79e713df9eb840dad1a4013aac1bf

Download Submit
C:\Users\Admin\AppData\Roaming\MiPony Installer\tbbmalloc.dll
MD5
b61a9ee5a6c3c7a4d8b2944bee989250

SHA1
b3268110ebe8d565847a34340987465c7394989b

SHA256
c51fc91e9b7c855b691217dea5bc72fdf0c567f76deb204a80a0f7f50a885694

SHA512
83224db6dbf8c7e1a2939126f3bdd8c110d9efde08e2243d22dcbed30d58c3730c319cc8424fd155728236cf0d4cf4d0f7c79e713df9eb840dad1a4013aac1bf

Download Submit
C:\Users\Admin\AppData\Roaming\MiPony Installer\vcruntime140.dll
MD5
b77eeaeaf5f8493189b89852f3a7a712

SHA1
c40cf51c2eadb070a570b969b0525dc3fb684339

SHA256
b7c13f8519340257ba6ae3129afce961f137e394dde3e4e41971b9f912355f5e

SHA512
a09a1b60c9605969a30f99d3f6215d4bf923759b4057ba0a5375559234f17d47555a84268e340ffc9ad07e03d11f40dd1f3fb5da108d11eb7f7933b7d87f2de3

Download Submit
C:\Users\Admin\AppData\Roaming\MiPony Installer\wmfobserve.dll
MD5
5eb5c4fcc56dacb39450926293183153

SHA1
eb9558f47af92c962e10f8a43b6e4e8b87c1be24

SHA256
b819b42c75a35760c8ac5cd8dbfe0814c440098ca0b891a2e2f415f0b61ce844

SHA512
840962c61768d4e62b3d5bcb4c29039d455cb41c8bfcc1651306f12d3dce42735adfeacde7d7f97c501b3276042bd645f4a81a9f1779a81d1b147149898bd5ac

Download Submit
C:\Users\Admin\AppData\Roaming\MiPony Installer\wmfobserve.dll
MD5
5eb5c4fcc56dacb39450926293183153

SHA1
eb9558f47af92c962e10f8a43b6e4e8b87c1be24

SHA256
b819b42c75a35760c8ac5cd8dbfe0814c440098ca0b891a2e2f415f0b61ce844

SHA512
840962c61768d4e62b3d5bcb4c29039d455cb41c8bfcc1651306f12d3dce42735adfeacde7d7f97c501b3276042bd645f4a81a9f1779a81d1b147149898bd5ac

Download Submit
C:\Users\Admin\Downloads\Avalaunch-dApp-2.1.0-installer.exe
MD5
448166ffa55d2d5fbf0cfaefb21826f6

SHA1
e946af3ab6614f0b20515a3fa8b5a73210e8932d

SHA256
a69ac6cbe1ce50215d3f6df173f38bb3f9de174d32c87afbb7146662214b570b

SHA512
d9147720d3e691091c8a376776429eee992ab7a1b656109b091892483200b71606242dff085ca705807f081703ac7d182150f631a657c6a2d568b67b9bb32d55

Download Submit
C:\Users\Admin\Downloads\Avalaunch-dApp-2.1.0-installer.exe
MD5
448166ffa55d2d5fbf0cfaefb21826f6

SHA1
e946af3ab6614f0b20515a3fa8b5a73210e8932d

SHA256
a69ac6cbe1ce50215d3f6df173f38bb3f9de174d32c87afbb7146662214b570b

SHA512
d9147720d3e691091c8a376776429eee992ab7a1b656109b091892483200b71606242dff085ca705807f081703ac7d182150f631a657c6a2d568b67b9bb32d55

Download Submit
\??\pipe\crashpad_3832_PKUBLHFJTPQMRPKS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2228-144-0x0000000002320000-0x0000000002460000-memory.dmp

Filesize
1.2MB

Download
memory/2228-143-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/3692-139-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3828-162-0x0000000004A00000-0x0000000008A77000-memory.dmp

Filesize
64.5MB

Download
memory/3828-164-0x0000000004A00000-0x0000000008A00000-memory.dmp

Filesize
64.0MB

Download