Resubmissions
23-03-2022 12:41
220323-pwrh1sebh9 1023-03-2022 12:40
220323-pwdl6aebh4 1023-03-2022 12:36
220323-pszp8aaegq 10Analysis
-
max time kernel
1162s -
max time network
1112s -
platform
windows10_x64 -
resource
win10-20220223-en -
submitted
23-03-2022 12:40
General
-
Target
3e3ccb3b130c86bb2d82a52f8a7e191efa9499577ba0a3d3f335d5a1e1597b76.exe
-
Size
995KB
-
MD5
17f33985f4763acfb314795dd000287a
-
SHA1
24e3a6d5037f18a306ea61f883323df0be119340
-
SHA256
3e3ccb3b130c86bb2d82a52f8a7e191efa9499577ba0a3d3f335d5a1e1597b76
-
SHA512
4fe53e131792dc5fa45354fad03301c929935bb711a69a3f7d8c937ef3027cbf261c4b1940aebde1df7ef556dd99227c525e2fc9e4d76437ab85f436105df420
Score
10/10
Malware Config
Extracted
Family
formbook
Version
4.1
Campaign
g2e7
Decoy
onlinebankaccess.com
dekannabesetale.com
cevaszakszervezet.com
barok-music.com
civitanova.info
projectpeaks.tech
orderoaxacarestaurant.com
lazatee.com
mufduds.com
ivyfitfun.com
justtwotrade.com
dnvkcpe.com
ecomnabe.com
digitalcourse.biz
placemonthwaylife.biz
redfoxbet.info
realitysweetz.com
angyhouse.com
bapqnm.com
parsmicron.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Modifies system executable filetype association 2 TTPs 7 IoCs
-
Registers COM server for autorun 1 TTPs
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Formbook Payload 2 IoCs
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 3 IoCs
-
Executes dropped EXE 61 IoCs
-
Modifies extensions of user files 20 IoCs
Ransomware generally changes the extension on encrypted files.
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 19 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Loads dropped DLL 64 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 7 IoCs
-
Checks for any installed AV software in registry 1 TTPs 12 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 64 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 13 IoCs
-
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 16 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 55 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Modifies system certificate store 2 TTPs 27 IoCs
-
Runs net.exe
-
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: LoadsDriver 64 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 32 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 19 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e3ccb3b130c86bb2d82a52f8a7e191efa9499577ba0a3d3f335d5a1e1597b76.exe"C:\Users\Admin\AppData\Local\Temp\3e3ccb3b130c86bb2d82a52f8a7e191efa9499577ba0a3d3f335d5a1e1597b76.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3e3ccb3b130c86bb2d82a52f8a7e191efa9499577ba0a3d3f335d5a1e1597b76.exe"C:\Users\Admin\AppData\Local\Temp\3e3ccb3b130c86bb2d82a52f8a7e191efa9499577ba0a3d3f335d5a1e1597b76.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffbd4a4f50,0x7fffbd4a4f60,0x7fffbd4a4f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1880 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1512 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2332 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2676 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1952 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4256 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4736 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4904 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5060 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5176 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5228 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5352 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4796 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5068 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5140 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4960 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5240 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2584 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5132 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4264 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5644 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2684 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3720 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4240 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4296 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2660 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2200 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5508 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3652 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2420 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2396 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2408 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6168 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3820 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6388 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6304 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6424 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6452 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1424 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6328 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4864 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6504 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6212 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6552 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6020 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6468 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3148 /prefetch:82⤵
- Loads dropped DLL
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 /prefetch:82⤵
- Loads dropped DLL
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\HWiNFO-7-2 (1).txt2⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3148 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:82⤵
- Loads dropped DLL
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2636 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5976 /prefetch:82⤵
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\99.279.200\software_reporter_tool.exe"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\99.279.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=TNvCslloTCd9kkXMt4nEy56zVdVV8L+IooDPgAfc --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=NewCleanerUIExperiment2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe"c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=99.279.200 --initial-client-data=0x250,0x254,0x258,0x1fc,0x25c,0x7ff763da25a0,0x7ff763da25b0,0x7ff763da25c03⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe"c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_2968_FMQKHBOSDNZFMJAE" --sandboxed-process-id=2 --init-done-notifier=728 --sandbox-mojo-pipe-token=1010625075974955445 --mojo-platform-channel-handle=680 --engine=23⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe"c:\users\admin\appdata\local\google\chrome\user data\swreporter\99.279.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_2968_FMQKHBOSDNZFMJAE" --sandboxed-process-id=3 --init-done-notifier=928 --sandbox-mojo-pipe-token=10617094192714294273 --mojo-platform-channel-handle=9243⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6624 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6676 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6712 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:82⤵
- Loads dropped DLL
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1488,6150840500719823658,15460364395700223506,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=988 /prefetch:82⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap19566:116:7zEvent319921⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\FileSetups1.exe"C:\Users\Admin\Desktop\FileSetups1.exe"1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffbd4a4f50,0x7fffbd4a4f60,0x7fffbd4a4f702⤵
-
C:\Users\Admin\Desktop\keygen_5-mktW1.exe"C:\Users\Admin\Desktop\keygen_5-mktW1.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-1AIJ6.tmp\keygen_5-mktW1.tmp"C:\Users\Admin\AppData\Local\Temp\is-1AIJ6.tmp\keygen_5-mktW1.tmp" /SL5="$12026A,1567776,780800,C:\Users\Admin\Desktop\keygen_5-mktW1.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-7VE5C.tmp\prod0.exe"C:\Users\Admin\AppData\Local\Temp\is-7VE5C.tmp\prod0.exe" /silent3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\nsgD027.tmp\RAVAntivirus-installer.exe"C:\Users\Admin\AppData\Local\Temp\nsgD027.tmp\RAVAntivirus-installer.exe" "C:\Users\Admin\AppData\Local\Temp\is-7VE5C.tmp\prod0.exe" /silent4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\RAVAntivirus\AntivirusInstaller.exe"C:\Program Files\RAVAntivirus\AntivirusInstaller.exe" /install5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\windows\system32\rundll32.exe"c:\windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\RAVAntivirus\x64\ReasonCamFilter.inf6⤵
- Adds Run key to start application
-
C:\Windows\system32\runonce.exe"C:\Windows\system32\runonce.exe" -r7⤵
- Checks processor information in registry
-
C:\Windows\System32\grpconv.exe"C:\Windows\System32\grpconv.exe" -o8⤵
-
C:\Windows\SYSTEM32\fltmc.exe"fltmc.exe" load ReasonCamFilter6⤵
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\windows\system32\rundll32.exe"c:\windows\system32\rundll32.exe" setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Program Files\RAVAntivirus\x64\rsKernelEngine.inf6⤵
- Adds Run key to start application
-
C:\Windows\system32\runonce.exe"C:\Windows\system32\runonce.exe" -r7⤵
- Checks processor information in registry
-
C:\Windows\System32\grpconv.exe"C:\Windows\System32\grpconv.exe" -o8⤵
-
C:\Windows\SYSTEM32\wevtutil.exe"wevtutil" im C:\Program Files\RAVAntivirus\x64\rsKernelEngineEvents.xml6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\fltmc.exe"fltmc.exe" load rsKernelEngine6⤵
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵
-
C:\Windows\system32\wevtutil.exe"C:\Windows\system32\wevtutil.exe" im C:\Program Files\RAVAntivirus\elam\evntdrv.xml6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\RAVAntivirus\rsEngineSvc.exe"C:\Program Files\RAVAntivirus\rsEngineSvc.exe" -i6⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\RAVAntivirus\rsClientSvc.exe"C:\Program Files\RAVAntivirus\rsClientSvc.exe" -i6⤵
- Executes dropped EXE
-
C:\Program Files\RAVAntivirus\x64\rsSyncSvc.exe"C:\Program Files\RAVAntivirus\x64\rsSyncSvc.exe" -i -rpn:RAVAntivirus -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v1/live6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-7VE5C.tmp\prod1_extract\saBSI.exe"C:\Users\Admin\AppData\Local\Temp\is-7VE5C.tmp\prod1_extract\saBSI.exe" /affid 91105 PaidDistribution=true3⤵
- Executes dropped EXE
- Modifies system certificate store
-
C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe"C:\ProgramData\McAfee\WebAdvisor\saBSI\saBSI.exe" /install /affid 91105 PaidDistribution=true saBsiVersion=4.1.1.663 /no_self_update4⤵
- Executes dropped EXE
-
C:\ProgramData\McAfee\WebAdvisor\saBSI\installer.exe"C:\ProgramData\McAfee\WebAdvisor\saBSI\\installer.exe" /setOem:Affid=91105 /s /thirdparty /upgrade5⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files\McAfee\Temp3284205768\installer.exe"C:\Program Files\McAfee\Temp3284205768\installer.exe" /setOem:Affid=91105 /s /thirdparty /upgrade6⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SYSTEM32\sc.exesc.exe create "McAfee WebAdvisor" binPath= "\"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe\"" start= auto DisplayName= "McAfee WebAdvisor"7⤵
-
C:\Windows\SYSTEM32\regsvr32.exeregsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"7⤵
-
C:\Windows\SysWOW64\regsvr32.exe/s "C:\Program Files\McAfee\WebAdvisor\win32\WSSDep.dll"8⤵
- Loads dropped DLL
-
C:\Windows\SYSTEM32\sc.exesc.exe description "McAfee WebAdvisor" "McAfee WebAdvisor Service"7⤵
-
C:\Windows\SYSTEM32\regsvr32.exeregsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\WSSDep.dll"7⤵
- Loads dropped DLL
-
C:\Windows\SYSTEM32\sc.exesc.exe failure "McAfee WebAdvisor" reset= 3600 actions= restart/1/restart/1000/restart/3000/restart/30000/restart/1800000//07⤵
-
C:\Windows\SYSTEM32\sc.exesc.exe start "McAfee WebAdvisor"7⤵
-
C:\Windows\SYSTEM32\regsvr32.exeregsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"7⤵
-
C:\Windows\SysWOW64\regsvr32.exe/s "C:\Program Files\McAfee\WebAdvisor\win32\DownloadScan.dll"8⤵
- Loads dropped DLL
-
C:\Windows\SYSTEM32\regsvr32.exeregsvr32.exe /s "C:\Program Files\McAfee\WebAdvisor\x64\DownloadScan.dll"7⤵
- Loads dropped DLL
-
C:\Users\Admin\Desktop\keygen_5-mktW1.exe"C:\Users\Admin\Desktop\keygen_5-mktW1.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-897N8.tmp\keygen_5-mktW1.tmp"C:\Users\Admin\AppData\Local\Temp\is-897N8.tmp\keygen_5-mktW1.tmp" /SL5="$302A8,1567776,780800,C:\Users\Admin\Desktop\keygen_5-mktW1.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
-
C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies system certificate store
-
C:\Program Files\McAfee\WebAdvisor\UIHost.exe"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\McAfee\WebAdvisor\win32\IEPlugin.dll"2⤵
-
C:\Windows\SysWOW64\regsvr32.exe/s "C:\Program Files\McAfee\WebAdvisor\win32\IEPlugin.dll"3⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\McAfee\WebAdvisor\x64\IEPlugin.dll"2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Program Files\McAfee\WebAdvisor\updater.exe"C:\Program Files\McAfee\WebAdvisor\updater.exe"2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c IF EXIST "C:\Program Files\McAfee\WebAdvisor\Download" ( DEL "C:\Program Files\McAfee\WebAdvisor\Download\*.bak" )3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c DEL "C:\Program Files\McAfee\WebAdvisor\*.tmp"3⤵
-
C:\Program Files\McAfee\WebAdvisor\UIHost.exe"C:\Program Files\McAfee\WebAdvisor\UIHost.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
-
C:\Program Files\RAVAntivirus\rsClientSvc.exe"C:\Program Files\RAVAntivirus\rsClientSvc.exe"1⤵
- Executes dropped EXE
-
C:\Program Files\RAVAntivirus\x64\rsSyncSvc.exe"C:\Program Files\RAVAntivirus\x64\rsSyncSvc.exe" -rpn:ravantivirus -lpn:rav_antivirus -url:https://update.reasonsecurity.com/v1/live1⤵
- Executes dropped EXE
-
C:\Program Files\RAVAntivirus\rsEngineSvc.exe"C:\Program Files\RAVAntivirus\rsEngineSvc.exe"1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\program files\ravantivirus\rsHelper.exe"c:\program files\ravantivirus\rsHelper.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\program files\ravantivirus\ui\RAVAntivirus.exe"c:\program files\ravantivirus\ui\RAVAntivirus.exe" --minimized --first-run2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\program files\ravantivirus\ui\RAVAntivirus.exe"c:\program files\ravantivirus\ui\RAVAntivirus.exe" --type=gpu-process --field-trial-handle=2056,2094224868272883882,16344860354694730158,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\rav-antivirus-client" --gpu-preferences=UAAAAAAAAADgAAAIAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:23⤵
- Executes dropped EXE
- Loads dropped DLL
-
\??\c:\program files\ravantivirus\ui\RAVAntivirus.exe"c:\program files\ravantivirus\ui\RAVAntivirus.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,2094224868272883882,16344860354694730158,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\rav-antivirus-client" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2348 /prefetch:83⤵
- Executes dropped EXE
- Loads dropped DLL
-
\??\c:\program files\ravantivirus\ui\RAVAntivirus.exe"c:\program files\ravantivirus\ui\RAVAntivirus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\rav-antivirus-client" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-path="c:\program files\ravantivirus\ui\resources\app.asar" --enable-sandbox --field-trial-handle=2056,2094224868272883882,16344860354694730158,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2456 /prefetch:13⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
\??\c:\program files\ravantivirus\ui\RAVAntivirus.exe"c:\program files\ravantivirus\ui\RAVAntivirus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\rav-antivirus-client" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-path="c:\program files\ravantivirus\ui\resources\app.asar" --enable-sandbox --field-trial-handle=2056,2094224868272883882,16344860354694730158,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:13⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
\??\c:\program files\ravantivirus\ui\RAVAntivirus.exe"c:\program files\ravantivirus\ui\RAVAntivirus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\rav-antivirus-client" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-path="c:\program files\ravantivirus\ui\resources\app.asar" --enable-sandbox --field-trial-handle=2056,2094224868272883882,16344860354694730158,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2656 /prefetch:13⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
\??\c:\program files\ravantivirus\ui\RAVAntivirus.exe"c:\program files\ravantivirus\ui\RAVAntivirus.exe" --type=gpu-process --field-trial-handle=2056,2094224868272883882,16344860354694730158,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\rav-antivirus-client" --gpu-preferences=UAAAAAAAAADoAAAIAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4064 /prefetch:23⤵
- Executes dropped EXE
- Loads dropped DLL
-
\??\c:\program files\ravantivirus\ui\RAVAntivirus.exe"c:\program files\ravantivirus\ui\RAVAntivirus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\rav-antivirus-client" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-path="c:\program files\ravantivirus\ui\resources\app.asar" --enable-sandbox --field-trial-handle=2056,2094224868272883882,16344860354694730158,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:13⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
\??\c:\program files\ravantivirus\ui\RAVAntivirus.exe"c:\program files\ravantivirus\ui\RAVAntivirus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\rav-antivirus-client" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-path="c:\program files\ravantivirus\ui\resources\app.asar" --enable-sandbox --field-trial-handle=2056,2094224868272883882,16344860354694730158,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:13⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
\??\c:\program files\ravantivirus\ui\RAVAntivirus.exe"c:\program files\ravantivirus\ui\RAVAntivirus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\rav-antivirus-client" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-path="c:\program files\ravantivirus\ui\resources\app.asar" --enable-sandbox --field-trial-handle=2056,2094224868272883882,16344860354694730158,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:13⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
\??\c:\program files\ravantivirus\ui\RAVAntivirus.exe"c:\program files\ravantivirus\ui\RAVAntivirus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\rav-antivirus-client" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-path="c:\program files\ravantivirus\ui\resources\app.asar" --enable-sandbox --field-trial-handle=2056,2094224868272883882,16344860354694730158,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:13⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
\??\c:\program files\ravantivirus\ui\RAVAntivirus.exe"c:\program files\ravantivirus\ui\RAVAntivirus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\rav-antivirus-client" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-path="c:\program files\ravantivirus\ui\resources\app.asar" --enable-sandbox --field-trial-handle=2056,2094224868272883882,16344860354694730158,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:13⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
\??\c:\program files\ravantivirus\ui\RAVAntivirus.exe"c:\program files\ravantivirus\ui\RAVAntivirus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\rav-antivirus-client" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-path="c:\program files\ravantivirus\ui\resources\app.asar" --enable-sandbox --field-trial-handle=2056,2094224868272883882,16344860354694730158,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:13⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
\??\c:\program files\ravantivirus\ui\RAVAntivirus.exe"c:\program files\ravantivirus\ui\RAVAntivirus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\rav-antivirus-client" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-path="c:\program files\ravantivirus\ui\resources\app.asar" --enable-sandbox --field-trial-handle=2056,2094224868272883882,16344860354694730158,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:13⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
\??\c:\program files\ravantivirus\ui\RAVAntivirus.exe"c:\program files\ravantivirus\ui\RAVAntivirus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\rav-antivirus-client" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-path="c:\program files\ravantivirus\ui\resources\app.asar" --enable-sandbox --field-trial-handle=2056,2094224868272883882,16344860354694730158,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:13⤵
-
\??\c:\program files\ravantivirus\ui\RAVAntivirus.exe"c:\program files\ravantivirus\ui\RAVAntivirus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\rav-antivirus-client" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-path="c:\program files\ravantivirus\ui\resources\app.asar" --enable-sandbox --field-trial-handle=2056,2094224868272883882,16344860354694730158,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:13⤵
- Executes dropped EXE
- Checks computer location settings
-
\??\c:\program files\ravantivirus\ui\RAVAntivirus.exe"c:\program files\ravantivirus\ui\RAVAntivirus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\rav-antivirus-client" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-path="c:\program files\ravantivirus\ui\resources\app.asar" --enable-sandbox --field-trial-handle=2056,2094224868272883882,16344860354694730158,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:13⤵
- Executes dropped EXE
- Checks computer location settings
-
\??\c:\program files\ravantivirus\ui\RAVAntivirus.exe"c:\program files\ravantivirus\ui\RAVAntivirus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\rav-antivirus-client" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-path="c:\program files\ravantivirus\ui\resources\app.asar" --enable-sandbox --field-trial-handle=2056,2094224868272883882,16344860354694730158,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:13⤵
- Executes dropped EXE
- Checks computer location settings
-
\??\c:\program files\ravantivirus\ui\RAVAntivirus.exe"c:\program files\ravantivirus\ui\RAVAntivirus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\rav-antivirus-client" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-path="c:\program files\ravantivirus\ui\resources\app.asar" --enable-sandbox --field-trial-handle=2056,2094224868272883882,16344860354694730158,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:13⤵
- Executes dropped EXE
- Checks computer location settings
-
\??\c:\program files\ravantivirus\ui\RAVAntivirus.exe"c:\program files\ravantivirus\ui\RAVAntivirus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\rav-antivirus-client" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-path="c:\program files\ravantivirus\ui\resources\app.asar" --enable-sandbox --field-trial-handle=2056,2094224868272883882,16344860354694730158,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2360 /prefetch:13⤵
- Executes dropped EXE
- Checks computer location settings
-
\??\c:\program files\ravantivirus\ui\RAVAntivirus.exe"c:\program files\ravantivirus\ui\RAVAntivirus.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\rav-antivirus-client" --standard-schemes=mc --secure-schemes=mc --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-path="c:\program files\ravantivirus\ui\resources\app.asar" --enable-sandbox --field-trial-handle=2056,2094224868272883882,16344860354694730158,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:13⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wsappx1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Users\Admin\Desktop\File_Setup.exe"C:\Users\Admin\Desktop\File_Setup.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\Desktop\*.txt" "C:\Users\Admin\AppData\Local\Temp\8869\_Files"2⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7fffbd4a4f50,0x7fffbd4a4f60,0x7fffbd4a4f702⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap11530:96:7zEvent117141⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap3610:96:7zEvent134791⤵
-
C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"1⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops startup file
- Sets desktop wallpaper using registry
-
C:\Windows\SysWOW64\attrib.exeattrib +h .2⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 272861648040072.bat2⤵
-
C:\Windows\SysWOW64\cscript.execscript.exe //nologo m.vbs3⤵
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\@[email protected]
-
C:\Windows\SysWOW64\cmd.exe
-
C:\Users\Admin\Desktop\@[email protected]
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "hwbyvkdbeiyped484" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f2⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "hwbyvkdbeiyped484" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f3⤵
- Adds Run key to start application
- Modifies registry key
-
C:\Users\Admin\Desktop\taskse.exe
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\taskse.exe
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\PASSWORD == 1234.txt1⤵
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"1⤵
- Modifies system executable filetype association
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"4⤵
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe/updateInstalled /background4⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wsappx1⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵
-
C:\Windows\system32\net.exenet user /add test2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user /add test3⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3a81855 /state1:0x41c64e6d1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding1⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000003c0 000000801⤵
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000003e8 000000801⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 0000034c 000000801⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Change Default File Association
1Registry Run Keys / Startup Folder
2New Service
1Browser Extensions
1Hidden Files and Directories
1Defense Evasion
Modify Registry
7File Permissions Modification
1Install Root Certificate
1Hidden Files and Directories
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datMD5
50aaaaf398ca0085560bf4aa1e59d7c3
SHA133e2c9fe4ce290ff747ce52f1699dcbed32a4d9c
SHA2564e2ebb0e91c18c89643144ceb786682293fb8967765c5957dfd5d7c8bcfcff0e
SHA512478ee1ba72162c6b7d7047690c5fd452e21b8dfa538f6ec7c58525dc8c7c4b4511c228efcad294bdd750acdc2b286a4dfbc5c90d25f9515febcc63543cded1b6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datMD5
50aaaaf398ca0085560bf4aa1e59d7c3
SHA133e2c9fe4ce290ff747ce52f1699dcbed32a4d9c
SHA2564e2ebb0e91c18c89643144ceb786682293fb8967765c5957dfd5d7c8bcfcff0e
SHA512478ee1ba72162c6b7d7047690c5fd452e21b8dfa538f6ec7c58525dc8c7c4b4511c228efcad294bdd750acdc2b286a4dfbc5c90d25f9515febcc63543cded1b6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\CookiesMD5
759a7a9797c005e6be0a541a5660cc94
SHA1c39246fb7a0b73ba804271b0516c24a1dbc0dd5e
SHA256b8ddbbdb30b83f923e59e4bc93fa781de39cf932f3ab7ba5c33adaa943bdff9a
SHA512a96f372014c96b4440ff4f1a2c25f8d20300abaff1c909c5ea7506bcf388492474ac4f7632e890ceb91564548208df97febd19eb33d88c0a2b0952b52c2cee1a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web DataMD5
a499ac9e2e6da04b8e9d86f27950c24b
SHA11bdb472f103b9238991552a70aeb038940760aa1
SHA25677778b7b1818c25eea1c37a72ecde4aca0d114ff16c530a6ab48d6b135e41acb
SHA512eb491f06bb8479489046959163f83413bc5fd5800d48e770bf04fd617f95f71288d4988195894a421e9a8295c1bf7a7301dbbd66ca3127b846139c7b13854c61
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateMD5
248104bef051af563ef77eb9c3d7527a
SHA10344dd530c5ec1e0dbaffd4d3edaef0be1c084ab
SHA256b4b7d6960f32d76907a81c12481bbecb5cd7a3a32b92543c610f19138dee77ff
SHA51288d2e32e9199753218cff08ab13e7af3f189a9dcad4777966bbf30b63f513f58cc1e06f9bbbd1a7d58d75a8a338cb7a597e0b645a716c56962abfc410673e445
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\1601268389\3877292338.priMD5
0d02b03a068d671348931cc20c048422
SHA167b6deacf1303acfcbab0b158157fdc03a02c8d5
SHA25644f4263d65889ea8f0db3c6e31a956a4664e9200aba2612c9be7016feeb323c0
SHA512805e7b4fafed39dec5ecc2ede0c65b6e103e6757e0bd43ecdce7c00932f59e3e7a68d2ea0818244dfeb691b022c1ccca590a3f4239f99e1cd8a29ba66daed358
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PRICache\4183903823\810424605.priMD5
a2942665b12ed000cd2ac95adef8e0cc
SHA1ac194f8d30f659131d1c73af8d44e81eccab7fde
SHA256bdc5de6c42c523a333c26160d212c62385b03f5ebdae5aa8c5d025ff3f8aa374
SHA5124e5ba962ba97656974c390b45302d60f4c82d604feb6199d44e80497a40d0b0a9fd119ca17ac184809ca0821ab6813292892c433ed7277f65c275f37a96070b9
-
C:\Users\Admin\Desktop\FileSetups1.exeMD5
ff07f646c8cd176649aa484b0c4828c2
SHA199201afe7d8bbe76d5ae66c4fcb1ec63d93eb7d7
SHA25618fbf51abddb5f80a892197b3cc1bee2841454abdfcc18f1777d2f974b475787
SHA5128fa83d701cf9a397f8634c82144337b524ba50c1cf7aef149095c2823f034f70ea1a7c4a44c1b0662175e39e13a228f1592dc7f55706d49157c0d0af824b24bc
-
C:\Users\Admin\Desktop\FileSetups1.exeMD5
ff07f646c8cd176649aa484b0c4828c2
SHA199201afe7d8bbe76d5ae66c4fcb1ec63d93eb7d7
SHA25618fbf51abddb5f80a892197b3cc1bee2841454abdfcc18f1777d2f974b475787
SHA5128fa83d701cf9a397f8634c82144337b524ba50c1cf7aef149095c2823f034f70ea1a7c4a44c1b0662175e39e13a228f1592dc7f55706d49157c0d0af824b24bc
-
C:\Users\Admin\Desktop\PASSWORD == 1234.txtMD5
75ae1dd956d2344136da312614b5ab5d
SHA13ff18fe7d6f1a776caaee1ca79483fe028351cdf
SHA25696497ba6cea458912c9ef66a8dbcfbd1305d4482f05cb0428f77438085f03922
SHA512db8278ada4087fa8ccf9aca3bc6b5ae386a0f7174a7107da48ebc1686e3ed2ce216573e06508fe6f18c39d4e6615ec916eefc0f1e0f8e257f4140e3d8d05c103
-
C:\Users\Admin\Desktop\Password_is_1234__Setuper--A7.rarMD5
7afba39745ca810bd137679bfb3d8403
SHA12a01189290a03ae1d8b4b0211a4bbceec27cba78
SHA256d261aaf38a93881f934307ac7b5554cde856a93a83ee871c88715c6c3201c2d8
SHA5129209830292db26b2c50707dec24b6ec70908703979844ac4467a5a0a12cf47bbf70f2b52f045786d8bd43bdc28dc23274923b5660ee6c4578b2722bdb4d6aa6d
-
\??\pipe\crashpad_4068_HYJWVPXAGUTOXRYCMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/364-244-0x0000000000000000-mapping.dmp
-
memory/364-252-0x0000000000000000-mapping.dmp
-
memory/660-176-0x0000000000000000-mapping.dmp
-
memory/1000-2695-0x0000000000000000-mapping.dmp
-
memory/1356-171-0x0000000000000000-mapping.dmp
-
memory/1356-172-0x0000019C27730000-0x0000019C2774C000-memory.dmpFilesize
112KB
-
memory/1356-173-0x0000019C29220000-0x0000019C2924A000-memory.dmpFilesize
168KB
-
memory/1356-175-0x0000019C29290000-0x0000019C29292000-memory.dmpFilesize
8KB
-
memory/1420-251-0x0000000000000000-mapping.dmp
-
memory/1824-4857-0x0000000000000000-mapping.dmp
-
memory/1828-239-0x0000000000000000-mapping.dmp
-
memory/1872-246-0x0000000000000000-mapping.dmp
-
memory/1908-352-0x0000000000000000-mapping.dmp
-
memory/1972-247-0x0000000000000000-mapping.dmp
-
memory/2368-161-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2368-167-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/2404-387-0x0000000000000000-mapping.dmp
-
memory/2484-166-0x0000000000000000-mapping.dmp
-
memory/2488-4850-0x0000000000000000-mapping.dmp
-
memory/2508-214-0x00007FF6D83B0000-0x00007FF6D83C0000-memory.dmpFilesize
64KB
-
memory/2508-209-0x00007FF6D83B0000-0x00007FF6D83C0000-memory.dmpFilesize
64KB
-
memory/2508-185-0x00007FF6EFEB0000-0x00007FF6EFEC0000-memory.dmpFilesize
64KB
-
memory/2508-203-0x00007FF6D83B0000-0x00007FF6D83C0000-memory.dmpFilesize
64KB
-
memory/2508-205-0x00007FF6EFEB0000-0x00007FF6EFEC0000-memory.dmpFilesize
64KB
-
memory/2508-201-0x00007FF6EFEB0000-0x00007FF6EFEC0000-memory.dmpFilesize
64KB
-
memory/2508-218-0x00007FF6EEA70000-0x00007FF6EEA80000-memory.dmpFilesize
64KB
-
memory/2508-199-0x00007FF6EEA70000-0x00007FF6EEA80000-memory.dmpFilesize
64KB
-
memory/2508-188-0x00007FF6D83B0000-0x00007FF6D83C0000-memory.dmpFilesize
64KB
-
memory/2508-217-0x00007FF6EEA70000-0x00007FF6EEA80000-memory.dmpFilesize
64KB
-
memory/2508-202-0x00007FF6EFEB0000-0x00007FF6EFEC0000-memory.dmpFilesize
64KB
-
memory/2508-215-0x00007FF6D83B0000-0x00007FF6D83C0000-memory.dmpFilesize
64KB
-
memory/2508-198-0x00007FF6EEA70000-0x00007FF6EEA80000-memory.dmpFilesize
64KB
-
memory/2508-197-0x00007FF6EEA70000-0x00007FF6EEA80000-memory.dmpFilesize
64KB
-
memory/2508-196-0x00007FF6EEA70000-0x00007FF6EEA80000-memory.dmpFilesize
64KB
-
memory/2508-195-0x00007FF6D83B0000-0x00007FF6D83C0000-memory.dmpFilesize
64KB
-
memory/2508-204-0x00007FF6D83B0000-0x00007FF6D83C0000-memory.dmpFilesize
64KB
-
memory/2508-206-0x00007FF6EFEB0000-0x00007FF6EFEC0000-memory.dmpFilesize
64KB
-
memory/2508-216-0x00007FF6EEA70000-0x00007FF6EEA80000-memory.dmpFilesize
64KB
-
memory/2508-187-0x00007FF6EFEB0000-0x00007FF6EFEC0000-memory.dmpFilesize
64KB
-
memory/2508-207-0x00007FF6EEA70000-0x00007FF6EEA80000-memory.dmpFilesize
64KB
-
memory/2508-212-0x00007FF6D83B0000-0x00007FF6D83C0000-memory.dmpFilesize
64KB
-
memory/2508-213-0x00007FF6D83B0000-0x00007FF6D83C0000-memory.dmpFilesize
64KB
-
memory/2508-211-0x00007FF6D83B0000-0x00007FF6D83C0000-memory.dmpFilesize
64KB
-
memory/2508-189-0x00007FF6EFEB0000-0x00007FF6EFEC0000-memory.dmpFilesize
64KB
-
memory/2508-208-0x00007FF6D83B0000-0x00007FF6D83C0000-memory.dmpFilesize
64KB
-
memory/2508-190-0x00007FF6D83B0000-0x00007FF6D83C0000-memory.dmpFilesize
64KB
-
memory/2508-186-0x00007FF6D83B0000-0x00007FF6D83C0000-memory.dmpFilesize
64KB
-
memory/2508-183-0x00007FF6D83B0000-0x00007FF6D83C0000-memory.dmpFilesize
64KB
-
memory/2508-182-0x00007FF6EFEB0000-0x00007FF6EFEC0000-memory.dmpFilesize
64KB
-
memory/2508-210-0x00007FF6D83B0000-0x00007FF6D83C0000-memory.dmpFilesize
64KB
-
memory/2508-178-0x0000000000000000-mapping.dmp
-
memory/2508-179-0x00007FF6EEA70000-0x00007FF6EEA80000-memory.dmpFilesize
64KB
-
memory/2508-180-0x00007FF6EEA70000-0x00007FF6EEA80000-memory.dmpFilesize
64KB
-
memory/2576-370-0x00007FFFC7C50000-0x00007FFFC7C51000-memory.dmpFilesize
4KB
-
memory/2576-359-0x0000000000000000-mapping.dmp
-
memory/2576-368-0x00007FFFC77F0000-0x00007FFFC77F1000-memory.dmpFilesize
4KB
-
memory/2840-174-0x0000000000000000-mapping.dmp
-
memory/2872-4855-0x0000000000000000-mapping.dmp
-
memory/2968-245-0x0000000000000000-mapping.dmp
-
memory/2968-3067-0x0000000000000000-mapping.dmp
-
memory/3040-3455-0x0000000000000000-mapping.dmp
-
memory/3364-121-0x0000000008F90000-0x0000000008FC4000-memory.dmpFilesize
208KB
-
memory/3364-117-0x00000000032F0000-0x00000000032FA000-memory.dmpFilesize
40KB
-
memory/3364-119-0x0000000009000000-0x000000000909C000-memory.dmpFilesize
624KB
-
memory/3364-120-0x0000000009290000-0x000000000938E000-memory.dmpFilesize
1016KB
-
memory/3364-114-0x0000000000D20000-0x0000000000E1E000-memory.dmpFilesize
1016KB
-
memory/3364-115-0x0000000005C60000-0x000000000615E000-memory.dmpFilesize
5.0MB
-
memory/3364-116-0x0000000003320000-0x00000000033B2000-memory.dmpFilesize
584KB
-
memory/3364-118-0x00000000057F0000-0x0000000005802000-memory.dmpFilesize
72KB
-
memory/3364-253-0x0000000000000000-mapping.dmp
-
memory/3396-255-0x0000000000000000-mapping.dmp
-
memory/3440-177-0x0000000000000000-mapping.dmp
-
memory/3564-124-0x00000000015B0000-0x00000000018D0000-memory.dmpFilesize
3.1MB
-
memory/3564-123-0x000000000041F0E0-mapping.dmp
-
memory/3564-122-0x0000000000400000-0x000000000042F000-memory.dmpFilesize
188KB
-
memory/3744-164-0x0000000000000000-mapping.dmp
-
memory/3744-169-0x0000000004060000-0x000000000406F000-memory.dmpFilesize
60KB
-
memory/3772-3080-0x0000000000000000-mapping.dmp
-
memory/3816-265-0x000001AFC2A90000-0x000001AFC2C8A000-memory.dmpFilesize
2.0MB
-
memory/3816-263-0x000001AFA9AF0000-0x000001AFA9B2E000-memory.dmpFilesize
248KB
-
memory/3816-262-0x000001AFA81A0000-0x000001AFA81B2000-memory.dmpFilesize
72KB
-
memory/3816-261-0x000001AFA7D40000-0x000001AFA7D9C000-memory.dmpFilesize
368KB
-
memory/3816-260-0x000001AFC2370000-0x000001AFC2372000-memory.dmpFilesize
8KB
-
memory/3816-259-0x000001AFA80E0000-0x000001AFA8108000-memory.dmpFilesize
160KB
-
memory/3816-258-0x000001AFA8130000-0x000001AFA8180000-memory.dmpFilesize
320KB
-
memory/3816-257-0x000001AFA7D40000-0x000001AFA7D9C000-memory.dmpFilesize
368KB
-
memory/3816-256-0x0000000000000000-mapping.dmp
-
memory/3840-4856-0x0000000000000000-mapping.dmp
-
memory/3904-133-0x00000000012B0000-0x000000000133C000-memory.dmpFilesize
560KB
-
memory/3904-143-0x0000000005510000-0x0000000005B16000-memory.dmpFilesize
6.0MB
-
memory/3904-138-0x00000000728D0000-0x0000000072950000-memory.dmpFilesize
512KB
-
memory/3904-137-0x00000000012B0000-0x000000000133C000-memory.dmpFilesize
560KB
-
memory/3904-136-0x00000000012B0000-0x000000000133C000-memory.dmpFilesize
560KB
-
memory/3904-129-0x00000000012B0000-0x000000000133C000-memory.dmpFilesize
560KB
-
memory/3904-135-0x0000000074DC0000-0x0000000074EB1000-memory.dmpFilesize
964KB
-
memory/3904-134-0x0000000077790000-0x0000000077952000-memory.dmpFilesize
1.8MB
-
memory/3904-132-0x00000000012B0000-0x000000000133C000-memory.dmpFilesize
560KB
-
memory/3904-151-0x0000000006190000-0x00000000061AE000-memory.dmpFilesize
120KB
-
memory/3904-153-0x0000000006960000-0x0000000006B22000-memory.dmpFilesize
1.8MB
-
memory/3904-130-0x00000000003E0000-0x00000000003E1000-memory.dmpFilesize
4KB
-
memory/3904-146-0x0000000004F40000-0x0000000004F7E000-memory.dmpFilesize
248KB
-
memory/3904-147-0x0000000004F80000-0x0000000004FCB000-memory.dmpFilesize
300KB
-
memory/3904-148-0x000000006E370000-0x000000006E3BB000-memory.dmpFilesize
300KB
-
memory/3904-156-0x00000000063D0000-0x0000000006420000-memory.dmpFilesize
320KB
-
memory/3904-131-0x0000000000FB0000-0x0000000000FF5000-memory.dmpFilesize
276KB
-
memory/3904-140-0x00000000759B0000-0x0000000076CF8000-memory.dmpFilesize
19.3MB
-
memory/3904-149-0x00000000051D0000-0x0000000005236000-memory.dmpFilesize
408KB
-
memory/3904-145-0x0000000002DA0000-0x0000000002DB2000-memory.dmpFilesize
72KB
-
memory/3904-150-0x0000000005DA0000-0x0000000005E16000-memory.dmpFilesize
472KB
-
memory/3904-139-0x0000000075300000-0x0000000075884000-memory.dmpFilesize
5.5MB
-
memory/3904-154-0x0000000007060000-0x000000000758C000-memory.dmpFilesize
5.2MB
-
memory/3904-144-0x0000000005010000-0x000000000511A000-memory.dmpFilesize
1.0MB
-
memory/4040-163-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4040-168-0x0000000000400000-0x00000000004CC000-memory.dmpFilesize
816KB
-
memory/4044-170-0x0000000000000000-mapping.dmp
-
memory/4132-254-0x0000017B10C20000-0x0000017B10C30000-memory.dmpFilesize
64KB
-
memory/4200-181-0x0000000000000000-mapping.dmp
-
memory/4208-248-0x0000000000000000-mapping.dmp
-
memory/4252-184-0x0000000000000000-mapping.dmp
-
memory/4280-3006-0x0000000000000000-mapping.dmp
-
memory/4332-226-0x00007FFFC1F30000-0x00007FFFC1F40000-memory.dmpFilesize
64KB
-
memory/4332-223-0x0000000000000000-mapping.dmp
-
memory/4332-225-0x00007FFFC1F30000-0x00007FFFC1F40000-memory.dmpFilesize
64KB
-
memory/4332-224-0x00007FFFC1F30000-0x00007FFFC1F40000-memory.dmpFilesize
64KB
-
memory/4372-191-0x0000000000000000-mapping.dmp
-
memory/4384-192-0x0000000000000000-mapping.dmp
-
memory/4408-193-0x0000000000000000-mapping.dmp
-
memory/4420-3070-0x0000000000000000-mapping.dmp
-
memory/4480-194-0x0000000000000000-mapping.dmp
-
memory/4540-249-0x0000000000000000-mapping.dmp
-
memory/4580-2682-0x0000000000000000-mapping.dmp
-
memory/4636-250-0x0000000000000000-mapping.dmp
-
memory/4704-237-0x00000137912D0000-0x0000013791336000-memory.dmpFilesize
408KB
-
memory/4704-238-0x00000137AB9B0000-0x00000137AB9B2000-memory.dmpFilesize
8KB
-
memory/4704-236-0x0000000000000000-mapping.dmp
-
memory/4776-242-0x0000000000000000-mapping.dmp
-
memory/4816-219-0x0000000000000000-mapping.dmp
-
memory/4828-220-0x0000000000000000-mapping.dmp
-
memory/4836-229-0x0000000000000000-mapping.dmp
-
memory/4840-230-0x0000000000000000-mapping.dmp
-
memory/4856-221-0x0000000000000000-mapping.dmp
-
memory/4868-231-0x0000000000000000-mapping.dmp
-
memory/4900-234-0x00007FFFC2B30000-0x00007FFFC2B40000-memory.dmpFilesize
64KB
-
memory/4900-227-0x00007FFFC2B30000-0x00007FFFC2B40000-memory.dmpFilesize
64KB
-
memory/4900-228-0x00007FFFC2B30000-0x00007FFFC2B40000-memory.dmpFilesize
64KB
-
memory/4900-235-0x00007FFFC2B30000-0x00007FFFC2B40000-memory.dmpFilesize
64KB
-
memory/4900-240-0x00007FFFC2B30000-0x00007FFFC2B40000-memory.dmpFilesize
64KB
-
memory/4900-241-0x00007FFFC2B30000-0x00007FFFC2B40000-memory.dmpFilesize
64KB
-
memory/4920-222-0x0000000000000000-mapping.dmp
-
memory/5208-266-0x0000000000000000-mapping.dmp
-
memory/5288-267-0x0000000000000000-mapping.dmp
-
memory/5356-347-0x0000000000000000-mapping.dmp
-
memory/5356-349-0x00007FFFC9540000-0x00007FFFC9541000-memory.dmpFilesize
4KB
-
memory/5404-1728-0x0000000000000000-mapping.dmp
-
memory/5420-275-0x0000027462540000-0x000002746256E000-memory.dmpFilesize
184KB
-
memory/5420-271-0x0000027449780000-0x000002744979A000-memory.dmpFilesize
104KB
-
memory/5420-291-0x00000274637C0000-0x00000274637FA000-memory.dmpFilesize
232KB
-
memory/5420-292-0x0000027463B50000-0x0000027463BB4000-memory.dmpFilesize
400KB
-
memory/5420-293-0x0000027462390000-0x00000274628BA000-memory.dmpFilesize
5.2MB
-
memory/5420-277-0x0000027463160000-0x0000027463194000-memory.dmpFilesize
208KB
-
memory/5420-278-0x0000027462670000-0x000002746269E000-memory.dmpFilesize
184KB
-
memory/5420-289-0x0000027463660000-0x0000027463686000-memory.dmpFilesize
152KB
-
memory/5420-288-0x00000274631A0000-0x00000274631C5000-memory.dmpFilesize
148KB
-
memory/5420-276-0x00000274626B0000-0x00000274626E6000-memory.dmpFilesize
216KB
-
memory/5420-273-0x00000274624E0000-0x0000027462506000-memory.dmpFilesize
152KB
-
memory/5420-274-0x0000027462390000-0x00000274628BA000-memory.dmpFilesize
5.2MB
-
memory/5420-272-0x0000027462720000-0x000002746289A000-memory.dmpFilesize
1.5MB
-
memory/5420-280-0x0000027463260000-0x00000274632C0000-memory.dmpFilesize
384KB
-
memory/5420-287-0x0000027463710000-0x000002746374A000-memory.dmpFilesize
232KB
-
memory/5420-290-0x0000027463750000-0x0000027463778000-memory.dmpFilesize
160KB
-
memory/5420-270-0x0000027449750000-0x0000027449772000-memory.dmpFilesize
136KB
-
memory/5420-281-0x00000274632C0000-0x0000027463625000-memory.dmpFilesize
3.4MB
-
memory/5420-269-0x0000027462DF0000-0x0000027463154000-memory.dmpFilesize
3.4MB
-
memory/5420-268-0x00000274628C0000-0x0000027462DEA000-memory.dmpFilesize
5.2MB
-
memory/5420-286-0x00000274636A0000-0x0000027463704000-memory.dmpFilesize
400KB
-
memory/5420-285-0x00000274638C0000-0x0000027463B4C000-memory.dmpFilesize
2.5MB
-
memory/5420-279-0x00000274631D0000-0x0000027463200000-memory.dmpFilesize
192KB
-
memory/5420-282-0x0000027463200000-0x000002746324F000-memory.dmpFilesize
316KB
-
memory/5476-2683-0x0000000000000000-mapping.dmp
-
memory/5592-4849-0x0000000000000000-mapping.dmp
-
memory/5744-4560-0x0000000000000000-mapping.dmp
-
memory/5772-2601-0x0000000000000000-mapping.dmp
-
memory/5944-3074-0x0000000000000000-mapping.dmp
-
memory/5972-317-0x0000000000000000-mapping.dmp
-
memory/6084-327-0x0000000000000000-mapping.dmp
-
memory/6096-4266-0x0000000000000000-mapping.dmp