7451ad4d698a207bd2c5426beb6ca2e418829186da56ed190e91fe33a1bd3ab2

Analysis

max time kernel
904s
max time network
907s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2022 15:13

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

watch.html
Size

580KB
MD5

32c9f5d6004499b10e33c7c00e642021
SHA1

f571f40147f5aa1504e798d1a60c9c3c8658ca18
SHA256

7451ad4d698a207bd2c5426beb6ca2e418829186da56ed190e91fe33a1bd3ab2
SHA512

da8f86f0f04a89bdbc0e274754ec8a0f47a9587ab12c99dc701bc0b491e4659cf2c6f927a0d5afcf4f77d2d8389fba2d2e8ebf6b1efa76f3b2fbff55f6f74f15
SSDEEP

12288:0l5Yp5Y35Y65Yj5Yh5YM5YJ5YXr5QN6MSRBL3DgfW:E5QN6M6

Score

10^/10

agilenet discovery evasion persistence ransomware trojan

Malware Config

Extracted

Path

C:\Program Files\7-Zip\History.txt

Ransom Note

HISTORY of the 7-Zip -------------------- 22.01 2022-07-15 ------------------------- - UDF support was improved to UDF version 2.60. - HFS and APFS support was improved. 22.00 2022-06-15 ------------------------- - 7-Zip now can extract APFS (Apple File System) images that can be used in DMG files. - 7-Zip now can create TAR archives in POSIX (pax) tar format with the switches -ttar -mm=pax or -ttar -mm=posix - 7-Zip now can store additional file timestamps with high precision (1 ns in Linux) in tar/pax archives with the following switches: -ttar -mm=pax -mtp=3 -mtc -mta - New switches for Linux version for TAR archives: -snoi : store owner/group ids in archive or set owner/group ids from archive to extracted files. -snon : store owner/group names in archive - New -snz switch to propagate Zone.Identifier stream to extracted files (Windows). - New option "Propagate Zone.Id stream" in Tools/Options/7-Zip menu. - New "Options" window in "Add to archive" allows to select what metadata must be included to archive. Also it allows to select new option "Do not change source files last access time". - Some bugs were fixed. 21.07 2021-12-26 ------------------------- - 7-Zip now can extract VHDX disk images (Microsoft Hyper-V Virtual Hard Disk v2 format). - New switches: -spm and -im!{file_path} to exclude directories from processing for specified paths that don't contain path separator character at the end of path. - In the "Add to Archive" window, now it is allowed to use -m prefix for "Parameters" field as in command line: -mparam. - The sorting order of files in archives was slightly changed to be more consistent for cases where the name of some directory is the same as the prefix part of the name of another directory or file. - TAR archives created by 7-Zip now are more consistent with archives created by GNU TAR program. 21.06 2021-11-24 ------------------------- - The window "Add to Archive" now allows to set a limit on memory usage (RAM) that will be used for compressing. - New switch -mmemuse={N}g / -mmemuse=p{N} to set a limit on memory usage (RAM) for compressing and decompressing. - Bug in versions 21.00-21.05 was fixed: 7-Zip didn't set attributes of directories during archive extracting. - Some bugs were fixed. 21.04 beta 2021-11-02 ------------------------- - 7-Zip now reduces the number of working CPU threads for compression, if RAM size is not enough for compression with big LZMA2 dictionary. - 7-Zip now can create and check "file.sha256" text files that contain the list of file names and SHA-256 checksums in format compatible with sha256sum program. 7-Zip can work with such checksum files as with archives, but these files don't contain real file data. The context menu commands to create and test "sha256" files: 7-Zip / CRC SHA / SHA-256 -> file.sha256 7-Zip / CRC SHA / Test Archive : Checksum The commands for command line version: 7z a -thash file.sha256 *.txt 7z t -thash file.sha256 7z t -thash -shd. file.sha256 New -shd{dir_path} switch to set the directory that is used to check files referenced by "file.sha256" file for "Test" operation. If -shd{dir_path} is not specified, 7-Zip uses the directory where "file.sha256" is stored. - New -xtd switch to exclude directory metadata records from processing. 21.03 beta 2021-07-20 ------------------------- - The maximum dictionary size for LZMA/LZMA2 compressing was increased to 4 GB (3840 MiB). - Minor speed optimizations in LZMA/LZMA2 compressing. 21.02 alpha 2021-05-06 ------------------------- - 7-Zip now writes additional field for filename in UTF-8 encoding to zip archives. It allows to extract correct file name from zip archives on different systems. - The command line version of 7-Zip for macOS was released. - The speed for LZMA and LZMA2 decompression in arm64 versions for macOS and Linux was increased by 20%-60%. - Some changes and improvements in ZIP, TAR and NSIS code. 21.01 alpha 2021-03-09 ------------------------- - The command line version of 7-Zip for Linux was released. - The improvements for speed of ARM64 version using hardware CPU instructions for AES, CRC-32, SHA-1 and SHA-256. - The bug in versions 18.02 - 21.00 was fixed: 7-Zip could not correctly extract some ZIP archives created with xz compression method. - Some bugs were fixed. 21.00 alpha 2021-01-19 ------------------------- - Some internal changes in code. - Some bugs were fixed. - New localizations: Tajik, Uzbek (Cyrillic) 20.02 alpha 2020-08-08 ------------------------- - The default number of LZMA2 chunks per solid block in 7z archive was increased to 64. It allows to increase the compression speed for big 7z archives, if there is a big number of CPU cores and threads. - The speed of PPMd compressing/decompressing was increased for 7z/ZIP/RAR archives. - The new -ssp switch. If the switch -ssp is specified, 7-Zip doesn't allow the system to modify "Last Access Time" property of source files for archiving and hashing operations. - Some bugs were fixed. - New localization: Swahili. 20.00 alpha 2020-02-06 ------------------------- - 7-Zip now supports new optional match finders for LZMA/LZMA2 compression: bt5 and hc5, that can work faster than bt4 and hc4 match finders for the data with big redundancy. - The compression ratio was improved for Fast and Fastest compression levels with the following default settings: - Fastest level (-mx1) : hc5 match finder with 256 KB dictionary. - Fast level (-mx3) : hc5 match finder with 4 MB dictionary. - Minor speed optimizations in multithreaded LZMA/LZMA2 compression for Normal/Maximum/Ultra compression levels. - bzip2 decoding code was updated to support bzip2 archives, created by lbzip2 program. - Some bugs were fixed. - New localization: Turkmen. 19.02 alpha 2019-09-05 ------------------------- - 7-Zip now can unpack files encoded with Base64 encoding (b64 filename extension). - 7-Zip now can use new x86/x64 hardware instructions for SHA-1 and SHA-256, supported by AMD Ryzen and latest Intel CPUs: Ice Lake and Goldmont. It increases - the speed of SHA-1/SHA-256 hash value calculation, - the speed of encryption/decryption in zip AES, - the speed of key derivation for encryption/decryption in 7z/zip/rar archives. - The speed of zip AES encryption and 7z/zip/rar AES decryption was increased with the following improvements: - 7-Zip now can use new x86/x64 VAES (AVX Vector AES) instructions, supported by Intel Ice Lake CPU. - The existing code of x86/x64 AES-NI was improved also. - There is 2% speed optimization in 7-Zip benchmark's decompression. - Some bugs were fixed. 19.00 2019-02-21 ------------------------- - Encryption strength for 7z archives was increased: the size of random initialization vector was increased from 64-bit to 128-bit, and the pseudo-random number generator was improved. - Some bugs were fixed. 18.06 2018-12-30 ------------------------- - The speed for LZMA/LZMA2 compressing was increased by 3-10%, and there are minor changes in compression ratio. - Some bugs were fixed. - The bug in 7-Zip 18.02-18.05 was fixed: there was memory leak in xz decoder. - 7-Zip 18.02-18.05 used only one CPU thread for bz2 archive creation. 18.05 2018-04-30 ------------------------- - The speed for LZMA/LZMA2 compressing was increased by 8% for fastest/fast compression levels and by 3% for normal/maximum compression levels. - 7-Zip now shows Properties (Info) window and CRC/SHA results window as "list view" window instead of "message box" window. - Some improvements in zip, hfs and dmg code. - Previous versions of 7-Zip could work incorrectly in "Large memory pages" mode in Windows 10 because of some BUG with "Large Pages" in Windows 10. Now 7-Zip doesn't use "Large Pages" on Windows 10 up to revision 1709 (16299). - The vulnerability in RAR unpacking code was fixed (CVE-2018-10115). - Some bugs were fixed. 18.03 beta 2018-03-04 ------------------------- - The speed for single-thread LZMA/LZMA2 decoding was increased by 30% in x64 version and by 3% in x86 version. - 7-Zip now can use multi-threading for 7z/LZMA2 decoding, if there are multiple independent data chunks in LZMA2 stream. - 7-Zip now can use multi-threading for xz decoding, if there are multiple blocks in xz stream. - New localization: Kabyle. - Some bugs were fixed. 18.01 2018-01-28 ------------------------- - 7-Zip now can unpack DMG archives that use LZFSE compression method. - 7-Zip now doesn't allow update operation for archives that have read-only attribute. - The BUG was fixed: extracting from tar with -si switch didn't set timestamps for directories. - Some bugs were fixed. 18.00 beta 2018-01-10 ------------------------- - 7-Zip now can unpack OBJ/COFF files. - new -sse switch to stop archive creating, if 7-Zip can't open some input file. - Some bugs were fixed. 17.01 beta 2017-08-28 ------------------------- - Minor speed optimization for LZMA2 (xz and 7z) multi-threading compression. 7-Zip now uses additional memory buffers for multi-block LZMA2 compression. CPU utilization was slightly improved. - 7-zip now creates multi-block xz archives by default. Block size can be specified with -ms[Size]{m|g} switch. - xz decoder now can unpack random block from multi-block xz archives. 7-Zip File Manager now can open nested multi-block xz archives (for example, image.iso.xz) without full unpacking of xz archive. - 7-Zip now can create zip archives from stdin to stdout. - 7-Zip command line: @listfile now doesn't work after -- switch. Use -i@listfile before -- switch instead. - The BUGs were fixed: 7-Zip could add unrequired alternate file streams to WIM archives, for commands that contain filename wildcards and -sns switch. 7-Zip 17.00 beta crashed for commands that write anti-item to 7z archive. 7-Zip 17.00 beta ignored "Use large memory pages" option. 17.00 beta 2017-04-29 ------------------------- - ZIP unpacking code was improved. - 7-Zip now reserves file space before writing to file (for extraction from archive). It can reduce file fragmentation. - Some bugs were fixed. 7-Zip could crash in some cases. - Internal changes in code. 16.04 2016-10-04 ------------------------- - The bug was fixed: 7-Zip 16.03 exe installer under Vista didn't create links in Start / Programs menu. - Some bugs were fixed in RAR code. 16.03 2016-09-28 ------------------------- - Installer and SFX modules now use some protection against DLL preloading attack. - Some bugs were fixed in 7z, NSIS, SquashFS, RAR5 and another code. 16.02 2016-05-21 ------------------------- - 7-Zip now can extract multivolume ZIP archives (z01, z02, ... , zip). - Some bugs were fixed. 15.14 2015-12-31 ------------------------- - 7-Zip File Manager: - The code for "Open file from archive" operation was improved. - The code for "Tools/Options" window was improved. - The BUG was fixed: there was incorrect mouse cursor capture for drag-and-drop operations from open archive to Explorer window. - Some bugs were fixed. - New localization: Yoruba. 15.12 2015-11-19 ------------------------- - The release version. 15.11 beta 2015-11-14 ------------------------- - Some bugs were fixed. 15.10 beta 2015-11-01 ------------------------- - The BUG in 9.21 - 15.09 was fixed: 7-Zip could ignore some parameters, specified for archive creation operation for gzip and bzip2 formats in "Add to Archive" window and in command line version (-m switch). - Some bugs were fixed. 15.09 beta 2015-10-16 ------------------------- - 7-Zip now can extract ext2 and multivolume VMDK images. - Some bugs were fixed. 15.08 beta 2015-10-01 ------------------------- - 7-Zip now can extract ext3 and ext4 (Linux file system) images. - Some bugs were fixed. 15.07 beta 2015-09-17 ------------------------- - 7-Zip now can extract GPT images and single file QCOW2, VMDK, VDI images. - 7-Zip now can extract solid WIM archives with LZMS compression. - Some bugs were fixed. 15.06 beta 2015-08-09 ------------------------- - 7-Zip now can extract RAR5 archives. - 7-Zip now doesn't sort files by type while adding to solid 7z archive. - new -mqs switch to sort files by type while adding to solid 7z archive. - The BUG in 7-Zip File Manager was fixed: The "Move" operation to open 7z archive didn't delete empty files. - The BUG in 15.05 was fixed: console version added some text to the end of stdout stream, is -so switch was used. - The BUG in 9.30 - 15.05 was fixed: 7-Zip could not open multivolume sfx RAR archive. - Some bugs were fixed. 15.05 beta 2015-06-14 ------------------------- - 7-Zip now uses new installer. - 7-Zip now can create 7z, xz and zip archives with 1536 MB dictionary for LZMA/LZMA2. - 7-Zip File Manager now can operate with alternate file streams at NTFS volumes via "File / Alternate Streams" menu command. - 7-Zip now can extract .zipx (WinZip) archives that use xz compression. - new optional "section size" parameter for BCJ2 filter for compression ratio improving. Example: -mf=BCJ2:d9M, if largest executable section in files is smaller than 9 MB. - Speed optimizations for BCJ2 filter and SHA-1 and SHA-256 calculation. - Console version now uses stderr stream for error messages. - Console version now shows names of processed files only in progress line by default. - new -bb[0-3] switch to set output log level. -bb1 shows names of processed files in log. - new -bs[o|e|p][0|1|2] switch to set stream for output messages; o: output, e: error, p: progress line; 0: disable, 1: stdout, 2: stderr. - new -bt switch to show execution time statistics. - new -myx[0-9] switch to set level of file analysis. - new -mmtf- switch to set single thread mode for filters. - The BUG was fixed: 7-Zip didn't restore NTFS permissions for folders during extracting from WIM archives. - The BUG was fixed: The command line version: if the command "rn" (Rename) was called with more than one pair of paths, 7-Zip used only first rename pair. - The BUG was fixed: 7-Zip crashed for ZIP/LZMA/AES/AES-NI. - The BUG in 15.01-15.02 was fixed: 7-Zip created incorrect ZIP archives, if ZipCrypto encryption was used. 7-Zip 9.20 can extract such incorrect ZIP archives. - Some bugs were fixed. 9.38 beta 2015-01-03 ------------------------- - Some bugs were fixed. 9.36 beta 2014-12-26 ------------------------- - The BUG in command line version was fixed: 7-Zip created temporary archive in current folder during update archive operation, if -w{Path} switch was not specified. The fixed 7-Zip creates temporary archive in folder that contains updated archive. - The BUG in 9.33-9.35 was fixed: 7-Zip silently ignored file reading errors during 7z or gz archive creation, and the created archive contained only part of file that was read before error. The fixed 7-Zip stops archive creation and it reports about error. - Some bugs were fixed. 9.35 beta 2014-12-07 ------------------------- - The BUG was fixed: 7-Zip crashed during ZIP archive creation, if the number of CPU threads was more than 64. - The BUG in 9.31-9.34 was fixed: 7-Zip could not correctly extract ISO archives that are larger than 4 GiB. - The BUG in 9.33-9.34 was fixed: The option "Compress shared files" and -ssw switch didn't work. - The BUG in 9.26-9.34 was fixed: 7-Zip File Manager could crash for some archives open in "Flat View" mode. - Some bugs were fixed. 9.34 alpha 2014-06-22 ------------------------- - The BUG in 9.33 was fixed: Command line version of 7-Zip could work incorrectly, if there is relative path in exclude filename optiton (-x) an

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

NoEscape.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

uninstall.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

wscript.exewscript.exewscript.exewscript.exewscript.exeNoEscape.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

NoEscape.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Downloads MZ/PE file

Executes dropped EXE 27 IoCs

Processes:

7z2201-x64.exe7z2201-x64.exe7z2201-x64.exe7z.exewinrar-x64-611.exeuninstall.exeWinRAR.exeWinRAR.exeWinRAR.exeMrsMajor 3.0.exeeulascr.exeMrsMajor 3.0.exeeulascr.exeMrsMajor 3.0.exeeulascr.exeMrsMajor 3.0.exeeulascr.exeMrsMajor 3.0.exeeulascr.exeWinRAR.exeWinRAR.exeYouAreAnIdiot.exeYouAreAnIdiot.exeYouAreAnIdiot.exeWinRAR.exeWinRAR.exeNoEscape.exe

pid	process
3784	7z2201-x64.exe
4840	7z2201-x64.exe
3540	7z2201-x64.exe
6112	7z.exe
3948	winrar-x64-611.exe
3512	uninstall.exe
5048	WinRAR.exe
4852	WinRAR.exe
5476	WinRAR.exe
5444	MrsMajor 3.0.exe
1404	eulascr.exe
5612	MrsMajor 3.0.exe
3408	eulascr.exe
1664	MrsMajor 3.0.exe
376	eulascr.exe
3128	MrsMajor 3.0.exe
1908	eulascr.exe
1468	MrsMajor 3.0.exe
6132	eulascr.exe
6080	WinRAR.exe
2060	WinRAR.exe
4356	YouAreAnIdiot.exe
4236	YouAreAnIdiot.exe
1260	YouAreAnIdiot.exe
4084	WinRAR.exe
1668	WinRAR.exe
580	NoEscape.exe

Registers COM server for autorun 1 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

7z2201-x64.exe7z2201-x64.exeuninstall.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2201-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2201-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2201-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2201-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2201-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2201-x64.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MrsMajor 3.0.exeMrsMajor 3.0.exeMrsMajor 3.0.exewscript.exewscript.exewscript.exewscript.exewinrar-x64-611.exeMrsMajor 3.0.exewscript.exeMrsMajor 3.0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	MrsMajor 3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	MrsMajor 3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	MrsMajor 3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	winrar-x64-611.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	MrsMajor 3.0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	MrsMajor 3.0.exe

Loads dropped DLL 25 IoCs

Processes:

WinRAR.exeWinRAR.exeeulascr.exeeulascr.exeeulascr.exeeulascr.exeeulascr.exeYouAreAnIdiot.exeYouAreAnIdiot.exeYouAreAnIdiot.exe

pid	process
3004
4852	WinRAR.exe
4852	WinRAR.exe
3004
3004
5476	WinRAR.exe
1404	eulascr.exe
3408	eulascr.exe
376	eulascr.exe
1908	eulascr.exe
6132	eulascr.exe
3004
3004
3004
3004
4356	YouAreAnIdiot.exe
4356	YouAreAnIdiot.exe
4236	YouAreAnIdiot.exe
4236	YouAreAnIdiot.exe
1260	YouAreAnIdiot.exe
1260	YouAreAnIdiot.exe
3004
3004
3004
3004

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1404-153-0x0000000000680000-0x00000000006AA000-memory.dmp	agile_net

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

NoEscape.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" NoEscape.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

NoEscape.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

NoEscape.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon = "0"	NoEscape.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1"	NoEscape.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"	NoEscape.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

NoEscape.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Drops file in Program Files directory 64 IoCs

Processes:

7z2201-x64.exewinrar-x64-611.exe7z2201-x64.exeuninstall.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-611.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	7z2201-x64.exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-611.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-611.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	7z2201-x64.exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\WinRAR\Rar.txt	winrar-x64-611.exe
File opened for modification	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-611.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7z2201-x64.exe
File created	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-611.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	7z2201-x64.exe
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_240854734	winrar-x64-611.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2201-x64.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7z2201-x64.exe

Drops file in Windows directory 2 IoCs

Processes:

NoEscape.exe

description ioc process

File created C:\Windows\winnt32.exe NoEscape.exe
File opened for modification C:\Windows\winnt32.exe NoEscape.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

5936 4356 WerFault.exe YouAreAnIdiot.exe
5504 4236 WerFault.exe YouAreAnIdiot.exe
1628 1260 WerFault.exe YouAreAnIdiot.exe

description	ioc	process
File created	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe

pid	pid_target	process	target process
5936	4356	WerFault.exe	YouAreAnIdiot.exe
5504	4236	WerFault.exe	YouAreAnIdiot.exe
1628	1260	WerFault.exe	YouAreAnIdiot.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Control Panel 4 IoCs

evasion

Processes:

NoEscape.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Mouse	NoEscape.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Mouse\SwapMouseButtons = "1"	NoEscape.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop	NoEscape.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\AutoColorization = "1"	NoEscape.exe

Modifies Internet Explorer settings 1 TTPs 17 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeWinRAR.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	WinRAR.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	WinRAR.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{BFDE8913-3C1B-11ED-A0EE-62142853BA25} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\IESettingSync	WinRAR.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	WinRAR.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "223"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe

Modifies registry class 64 IoCs

Processes:

OpenWith.exeOpenWith.exeuninstall.exe7z2201-x64.exe7z2201-x64.exeWinRAR.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r12	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r00\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2201-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2201-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r17	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r20\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon	uninstall.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r08\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r21\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r24\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.taz	uninstall.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2201-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Applications\7z2201-x64.exe	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r17\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open	uninstall.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000010000000300000002000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2201-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell	uninstall.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	WinRAR.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2201-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r14	uninstall.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 01000000000000000300000002000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r20	uninstall.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2201-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r26	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew	uninstall.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeeulascr.exeeulascr.exeeulascr.exeeulascr.exeeulascr.exechrome.exechrome.exechrome.exechrome.exe

pid	process
756	chrome.exe
756	chrome.exe
4224	chrome.exe
4224	chrome.exe
3020	chrome.exe
3020	chrome.exe
4776	chrome.exe
4776	chrome.exe
5384	chrome.exe
5384	chrome.exe
4288	chrome.exe
4288	chrome.exe
728	chrome.exe
728	chrome.exe
5632	chrome.exe
5632	chrome.exe
5376	chrome.exe
5376	chrome.exe
4920	chrome.exe
4920	chrome.exe
4464	chrome.exe
4464	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
1260	chrome.exe
4124	chrome.exe
4124	chrome.exe
5624	chrome.exe
5624	chrome.exe
4488	chrome.exe
4488	chrome.exe
5260	chrome.exe
5260	chrome.exe
5624	chrome.exe
5624	chrome.exe
1404	eulascr.exe
3408	eulascr.exe
376	eulascr.exe
376	eulascr.exe
1908	eulascr.exe
1908	eulascr.exe
6132	eulascr.exe
6132	eulascr.exe
3368	chrome.exe
3368	chrome.exe
2748	chrome.exe
2748	chrome.exe
3976	chrome.exe
3976	chrome.exe
796	chrome.exe
796	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

OpenWith.exeOpenWith.exeWinRAR.exeWinRAR.exeOpenWith.exe

pid process

3276 OpenWith.exe
5468 OpenWith.exe
4852 WinRAR.exe
6080 WinRAR.exe
5948 OpenWith.exe

pid	process
3276	OpenWith.exe
5468	OpenWith.exe
4852	WinRAR.exe
6080	WinRAR.exe
5948	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs

Processes:

chrome.exe

pid	process
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

AUDIODG.EXEeulascr.exeeulascr.exeeulascr.exeeulascr.exeeulascr.exeAUDIODG.EXE

description	pid	process
Token: 33	852	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	852	AUDIODG.EXE
Token: SeDebugPrivilege	1404	eulascr.exe
Token: SeDebugPrivilege	3408	eulascr.exe
Token: SeDebugPrivilege	376	eulascr.exe
Token: SeDebugPrivilege	1908	eulascr.exe
Token: SeDebugPrivilege	6132	eulascr.exe
Token: 33	5776	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5776	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

iexplore.exechrome.exeWinRAR.exeWinRAR.exe

pid	process
524	iexplore.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4852	WinRAR.exe
4852	WinRAR.exe
4852	WinRAR.exe
4852	WinRAR.exe
5476	WinRAR.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exefirefox.exe

pid	process
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4072	firefox.exe
4072	firefox.exe
4072	firefox.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe
4224	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

iexplore.exeIEXPLORE.EXEOpenWith.exeOpenWith.exe7z2201-x64.exe7z2201-x64.exewinrar-x64-611.exe

pid	process
524	iexplore.exe
524	iexplore.exe
3832	IEXPLORE.EXE
3832	IEXPLORE.EXE
3276	OpenWith.exe
3276	OpenWith.exe
3276	OpenWith.exe
3276	OpenWith.exe
3276	OpenWith.exe
3276	OpenWith.exe
3276	OpenWith.exe
3276	OpenWith.exe
3276	OpenWith.exe
3276	OpenWith.exe
3276	OpenWith.exe
3276	OpenWith.exe
3276	OpenWith.exe
3276	OpenWith.exe
3276	OpenWith.exe
3276	OpenWith.exe
3276	OpenWith.exe
3276	OpenWith.exe
3276	OpenWith.exe
3276	OpenWith.exe
3276	OpenWith.exe
3276	OpenWith.exe
3276	OpenWith.exe
3276	OpenWith.exe
3276	OpenWith.exe
3276	OpenWith.exe
3276	OpenWith.exe
3276	OpenWith.exe
3276	OpenWith.exe
3276	OpenWith.exe
5468	OpenWith.exe
5468	OpenWith.exe
5468	OpenWith.exe
5468	OpenWith.exe
5468	OpenWith.exe
5468	OpenWith.exe
5468	OpenWith.exe
5468	OpenWith.exe
5468	OpenWith.exe
5468	OpenWith.exe
5468	OpenWith.exe
5468	OpenWith.exe
5468	OpenWith.exe
5468	OpenWith.exe
5468	OpenWith.exe
5468	OpenWith.exe
5468	OpenWith.exe
5468	OpenWith.exe
5468	OpenWith.exe
5468	OpenWith.exe
5468	OpenWith.exe
5468	OpenWith.exe
5468	OpenWith.exe
5468	OpenWith.exe
5468	OpenWith.exe
5468	OpenWith.exe
4840	7z2201-x64.exe
3540	7z2201-x64.exe
3948	winrar-x64-611.exe
3948	winrar-x64-611.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exechrome.exe

description	pid	process	target process
PID 524 wrote to memory of 3832	524	iexplore.exe	IEXPLORE.EXE
PID 524 wrote to memory of 3832	524	iexplore.exe	IEXPLORE.EXE
PID 524 wrote to memory of 3832	524	iexplore.exe	IEXPLORE.EXE
PID 4224 wrote to memory of 1620	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 1620	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 5104	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 756	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 756	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 2524	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 2524	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 2524	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 2524	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 2524	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 2524	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 2524	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 2524	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 2524	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 2524	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 2524	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 2524	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 2524	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 2524	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 2524	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 2524	4224	chrome.exe	chrome.exe
PID 4224 wrote to memory of 2524	4224	chrome.exe	chrome.exe

System policy modification 1 TTPs 15 IoCs

evasion

Modify Registry

T1112

Processes:

wscript.exeNoEscape.exewscript.exewscript.exewscript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	NoEscape.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoEscape.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1"	NoEscape.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"	NoEscape.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\watch.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:524

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:524 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe941b4f50,0x7ffe941b4f60,0x7ffe941b4f70
2⤵
PID:1620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1660 /prefetch:2
2⤵
PID:5104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2024 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2288 /prefetch:8
2⤵
PID:2524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3016 /prefetch:1
2⤵
PID:4488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
2⤵
PID:3060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
2⤵
PID:2796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4460 /prefetch:8
2⤵
PID:4280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4632 /prefetch:8
2⤵
PID:3144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4760 /prefetch:8
2⤵
PID:3920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5348 /prefetch:8
2⤵
PID:3256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4680 /prefetch:8
2⤵
PID:3572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4928 /prefetch:8
2⤵
PID:4580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5324 /prefetch:8
2⤵
PID:1384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4608 /prefetch:8
2⤵
PID:4756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
2⤵
PID:3256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
2⤵
PID:3540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
2⤵
PID:1016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
2⤵
PID:2384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6116 /prefetch:8
2⤵
PID:4060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3032 /prefetch:8
2⤵
PID:5152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
2⤵
PID:5264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4836 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
2⤵
PID:5712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2892 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6004 /prefetch:8
2⤵
PID:5260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=920 /prefetch:1
2⤵
PID:5580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6040 /prefetch:8
2⤵
PID:5864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
2⤵
PID:6108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1152 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=808 /prefetch:8
2⤵
PID:4700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1
2⤵
PID:5436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
2⤵
PID:3468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
2⤵
PID:2232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5344 /prefetch:8
2⤵
PID:448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:1
2⤵
PID:5972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
2⤵
PID:1876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
2⤵
PID:3592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2584 /prefetch:1
2⤵
PID:3188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5488 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6676 /prefetch:8
2⤵
PID:5288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5220 /prefetch:8
2⤵
PID:5304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6604 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6072 /prefetch:8
2⤵
PID:1060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6044 /prefetch:8
2⤵
PID:2108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6656 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5624

C:\Users\Admin\Downloads\7z2201-x64.exe
"C:\Users\Admin\Downloads\7z2201-x64.exe"
2⤵
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
PID:3784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4032 /prefetch:8
2⤵
PID:2988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
2⤵
PID:2432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
2⤵
PID:3220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
2⤵
PID:5436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3424 /prefetch:8
2⤵
PID:400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3204 /prefetch:8
2⤵
PID:5696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:1
2⤵
PID:4884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1560 /prefetch:1
2⤵
PID:2352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
2⤵
PID:1712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:1
2⤵
PID:5456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6388 /prefetch:8
2⤵
PID:5608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5576 /prefetch:8
2⤵
PID:1784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6848 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6308 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6396 /prefetch:8
2⤵
PID:4560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6704 /prefetch:8
2⤵
PID:4812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4736 /prefetch:8
2⤵
PID:2044

C:\Users\Admin\Downloads\winrar-x64-611.exe
"C:\Users\Admin\Downloads\winrar-x64-611.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:3948

C:\Program Files\WinRAR\uninstall.exe
"C:\Program Files\WinRAR\uninstall.exe" /setup
3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
PID:3512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
2⤵
PID:3584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
2⤵
PID:4348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
2⤵
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2888 /prefetch:1
2⤵
PID:1264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6756 /prefetch:8
2⤵
PID:2928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
2⤵
PID:5772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1
2⤵
PID:5820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6496 /prefetch:8
2⤵
PID:648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4588 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3368

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\YouAreAnIdiot.zip"
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:6080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3680 /prefetch:8
2⤵
PID:3380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3000 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1032 /prefetch:8
2⤵
PID:4212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7156 /prefetch:8
2⤵
PID:2136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,2053840211533884870,10650917830589528849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4992

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x300
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3276

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5468

C:\Users\Admin\Downloads\7z2201-x64.exe
"C:\Users\Admin\Downloads\7z2201-x64.exe" "C:\Users\Admin\Downloads\MrsMajor 3.0 (1).7z"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4840

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1456

C:\Users\Admin\Downloads\7z2201-x64.exe
"C:\Users\Admin\Downloads\7z2201-x64.exe"
1⤵
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3540

C:\Program Files\7-Zip\7z.exe
"C:\Program Files\7-Zip\7z.exe"
1⤵
- Executes dropped EXE
PID:6112

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe"
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
PID:5048

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\MrsMajor 3.0.7z"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4852

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -imon1 -- "C:\Users\Admin\Downloads\MrsMajor 3.0.7z" "C:\Users\Admin\Downloads\MrsMajor 3.0\"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:5476

C:\Users\Admin\Downloads\MrsMajor 3.0\MrsMajor 3.0.exe
"C:\Users\Admin\Downloads\MrsMajor 3.0\MrsMajor 3.0.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:5444

C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\A04F.tmp\A050.tmp\A051.vbs //Nologo
2⤵
- UAC bypass
- Checks computer location settings
- System policy modification
PID:5656

C:\Users\Admin\AppData\Local\Temp\A04F.tmp\eulascr.exe
"C:\Users\Admin\AppData\Local\Temp\A04F.tmp\eulascr.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Users\Admin\Downloads\MrsMajor 3.0\MrsMajor 3.0.exe
"C:\Users\Admin\Downloads\MrsMajor 3.0\MrsMajor 3.0.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:5612

C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\3EF0.tmp\3EF1.tmp\3F02.vbs //Nologo
2⤵
- UAC bypass
- Checks computer location settings
- System policy modification
PID:5244

C:\Users\Admin\AppData\Local\Temp\3EF0.tmp\eulascr.exe
"C:\Users\Admin\AppData\Local\Temp\3EF0.tmp\eulascr.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3408

C:\Users\Admin\Downloads\MrsMajor 3.0\MrsMajor 3.0.exe
"C:\Users\Admin\Downloads\MrsMajor 3.0\MrsMajor 3.0.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:1664

C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\4CCB.tmp\4CCC.tmp\4CDC.vbs //Nologo
2⤵
- UAC bypass
- Checks computer location settings
- System policy modification
PID:2200

C:\Users\Admin\AppData\Local\Temp\4CCB.tmp\eulascr.exe
"C:\Users\Admin\AppData\Local\Temp\4CCB.tmp\eulascr.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Users\Admin\Downloads\MrsMajor 3.0\MrsMajor 3.0.exe
"C:\Users\Admin\Downloads\MrsMajor 3.0\MrsMajor 3.0.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:3128

C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\62C4.tmp\62C5.tmp\62C6.vbs //Nologo
2⤵
- UAC bypass
- Checks computer location settings
- System policy modification
PID:4312

C:\Users\Admin\AppData\Local\Temp\62C4.tmp\eulascr.exe
"C:\Users\Admin\AppData\Local\Temp\62C4.tmp\eulascr.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Users\Admin\Downloads\MrsMajor 3.0\MrsMajor 3.0.exe
"C:\Users\Admin\Downloads\MrsMajor 3.0\MrsMajor 3.0.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:1468

C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\7E0C.tmp\7E0D.tmp\7E0E.vbs //Nologo
2⤵
- UAC bypass
- Checks computer location settings
- System policy modification
PID:5836

C:\Users\Admin\AppData\Local\Temp\7E0C.tmp\eulascr.exe
"C:\Users\Admin\AppData\Local\Temp\7E0C.tmp\eulascr.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6132

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x300
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5776

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -imon1 -- "C:\Users\Admin\Downloads\YouAreAnIdiot.zip" C:\Users\Admin\Downloads\YouAreAnIdiot\
1⤵
- Executes dropped EXE
PID:2060

C:\Users\Admin\Downloads\YouAreAnIdiot\YouAreAnIdiot.exe
"C:\Users\Admin\Downloads\YouAreAnIdiot\YouAreAnIdiot.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 1520
2⤵
- Program crash
PID:5936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4356 -ip 4356
1⤵
PID:3044

C:\Users\Admin\Downloads\YouAreAnIdiot\YouAreAnIdiot.exe
"C:\Users\Admin\Downloads\YouAreAnIdiot\YouAreAnIdiot.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 1408
2⤵
- Program crash
PID:5504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4236 -ip 4236
1⤵
PID:4300

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:5948

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\YouAreAnIdiot\Interop.ShockwaveFlashObjects.dll"
2⤵
PID:2240

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -url C:\Users\Admin\Downloads\YouAreAnIdiot\Interop.ShockwaveFlashObjects.dll
3⤵
- Checks processor information in registry
- Suspicious use of SendNotifyMessage
PID:4072

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4072.0.1416802817\1674433308" -parentBuildID 20200403170909 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 1 -prefMapSize 219940 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4072 "\\.\pipe\gecko-crash-server-pipe.4072" 1800 gpu
4⤵
PID:4896

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4072.3.1111637629\726570656" -childID 1 -isForBrowser -prefsHandle 2468 -prefMapHandle 2464 -prefsLen 142 -prefMapSize 219940 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4072 "\\.\pipe\gecko-crash-server-pipe.4072" 2264 tab
4⤵
PID:4712

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4072.13.407195544\317967478" -childID 2 -isForBrowser -prefsHandle 3696 -prefMapHandle 3708 -prefsLen 7565 -prefMapSize 219940 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4072 "\\.\pipe\gecko-crash-server-pipe.4072" 3688 tab
4⤵
PID:1876

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4072.20.940235463\1554639378" -childID 3 -isForBrowser -prefsHandle 3188 -prefMapHandle 3236 -prefsLen 7688 -prefMapSize 219940 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4072 "\\.\pipe\gecko-crash-server-pipe.4072" 3228 tab
4⤵
PID:3520

C:\Users\Admin\Downloads\YouAreAnIdiot\YouAreAnIdiot.exe
"C:\Users\Admin\Downloads\YouAreAnIdiot\YouAreAnIdiot.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 1408
2⤵
- Program crash
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1260 -ip 1260
1⤵
PID:6012

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -imon1 -- "C:\Users\Admin\Downloads\NoEscape.zip" C:\Users\Admin\Downloads\NoEscape\
1⤵
- Executes dropped EXE
PID:4084

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\NoEscape.zip"
1⤵
- Executes dropped EXE
- Modifies registry class
PID:1668

C:\Users\Admin\Downloads\NoEscape\NoEscape.exe
"C:\Users\Admin\Downloads\NoEscape\NoEscape.exe"
1⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Modifies WinLogon
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- System policy modification
PID:580

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa389e855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
PID:4152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
e6fb9bae0145ff7e879200db14d4b51a

SHA1
1f28a41c5e0c55a33d43dd1fed0c3813d9f66e0b

SHA256
977ae9d4d37cd8d629adafe4ffb73cce3c0a2f148840f4dc08b5cb5482afbf31

SHA512
7896d9c251c6c012cf73a8899da03bd94a2da42777ff35f30134420ffde50161fdd33e6ac0c4972d56b108cd2c0a140080cd23105f6d9e5c0de6660f0fd439ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_F50E39BD15585D010723EFF535E1CBF1
Filesize
471B

MD5
2d6b384162abb715786693222b341a43

SHA1
2a68f142c91b5700b9481a64e6c6aa23070b3839

SHA256
2a2e9dfac0cf910ec76692a5d6fa3462422b1cb9b804934b275baca7b0cf1ebc

SHA512
c6c6eedd8dffe3f65a18db14fc8b905e662320bf733b73dd742d793d640946fe20adfc549e4b86de1d203ac21c2f759b64865acd61076a020c26654cfc9cbca3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
724B

MD5
5a11c6099b9e5808dfb08c5c9570c92f

SHA1
e5dc219641146d1839557973f348037fa589fd18

SHA256
91291a5edc4e10a225d3c23265d236ecc74473d9893be5bd07e202d95b3fb172

SHA512
c2435b6619464a14c65ab116ab83a6e0568bdf7abc5e5a5e19f3deaf56c70a46360965da8b60e1256e9c8656aef9751adb9e762731bb8dbab145f1c8224ac8f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_58589533BD741CABD9C6A1C2A7AAD4A1
Filesize
472B

MD5
423331d8bae78ba045bea86f1e4c6e7f

SHA1
8ed72a508ba25a95e6899569180a02728d5edb5c

SHA256
fb27ab0f1591889639eff81fa012d5c185ecb1b04be5060af2e89e378fc264a6

SHA512
5bef9c1f3d9b9ed74c22070dff8737f1092c1d0cbbe2f9b6cc4fbfd1c1729697afb62c0ffefe1cd6c935e0765ac6386a5eaa16fcbc93598a5c1600ca8dd089e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
20fa5c9c38210f4df1725235d335889b

SHA1
bc186d4290a36a3d33c7585dc3d268f9091bdc64

SHA256
47df26c1c31a46976efc455072a657c58f224adf57309527a1a6986b6294d0ac

SHA512
fc0d1f954d705707baa456b3f0fe621e49032b29199e9faf33d1dea80414d83fc94882c0bd2355c6d1d4a9a810f3124a08da5bfe13fa7291b5f8993486b15d4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_F50E39BD15585D010723EFF535E1CBF1
Filesize
410B

MD5
1d626dc1877e55f069d228d2f8879a52

SHA1
73ec5a1e1aac95844f8ba9fac2c7d227da3c89d3

SHA256
9b85d295bdadee4a2e75b13579d2fa66f4c020ad0b9fa7024785329b65982310

SHA512
58dd5fa6b0166b81f1a39e4874062c491b42751232894cca8f028ae735b2fc0515695dcad3402f0e8ef846c22e9da44a196610869a481820a5d7d08efc2ca299

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
392B

MD5
73d29c1748bc4b572d1a908cf9aa1851

SHA1
2515132d8bf237fdfa921f07aa326c1f1b345103

SHA256
7f95176161a4f62fa56200c136481b9722488be11b49f79f77f7da7c056d5396

SHA512
2fcb255c4f8219d4a4dd89190c3d726ddcb36eb841f7075c775e5cc51821c9efd90c3298fe041d2547a1cdb96a6a37f9ac6bbdf395ab74bb4c47ad5bb8a04e56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_58589533BD741CABD9C6A1C2A7AAD4A1
Filesize
406B

MD5
afe15ec5dc253291f5963e4281b8c856

SHA1
4aad2a6895d0130e584f984168698f229a01377f

SHA256
135cd89cf62d2eef8dd4d5b0444b2849adf73058526183a6d92f455672cf711d

SHA512
90b1795452449324738f873edcb429a10fba9d6741c46518532083c77e4ba91decec629a768acf7485ccdf246059410cfc922c10208faa5ef8c3f9d80066b87c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Downloads\7z2201-x64.exe
Filesize
1.5MB

MD5
a6a0f7c173094f8dafef996157751ecf

SHA1
c0dcae7c4c80be25661d22400466b4ea074fc580

SHA256
b055fee85472921575071464a97a79540e489c1c3a14b9bdfbdbab60e17f36e4

SHA512
965d43f06d104bf6707513c459f18aaf8b049f4a043643d720b184ed9f1bb6c929309c51c3991d5aaff7b9d87031a7248ee3274896521abe955d0e49f901ac94

Download Submit
C:\Users\Admin\Downloads\7z2201-x64.exe
Filesize
1.5MB

MD5
a6a0f7c173094f8dafef996157751ecf

SHA1
c0dcae7c4c80be25661d22400466b4ea074fc580

SHA256
b055fee85472921575071464a97a79540e489c1c3a14b9bdfbdbab60e17f36e4

SHA512
965d43f06d104bf6707513c459f18aaf8b049f4a043643d720b184ed9f1bb6c929309c51c3991d5aaff7b9d87031a7248ee3274896521abe955d0e49f901ac94

Download Submit
\??\pipe\crashpad_4224_ASDWFMEBASMRNMIJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/376-173-0x00007FFE8F440000-0x00007FFE8FF01000-memory.dmp

Filesize
10.8MB

Download
memory/376-167-0x00007FFE8F440000-0x00007FFE8FF01000-memory.dmp

Filesize
10.8MB

Download
memory/376-166-0x00007FFE95730000-0x00007FFE9587E000-memory.dmp

Filesize
1.3MB

Download
memory/376-165-0x0000000000000000-mapping.dmp

Download
memory/580-190-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/580-189-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/1404-153-0x0000000000680000-0x00000000006AA000-memory.dmp

Filesize
168KB

Download
memory/1404-154-0x00007FFE96040000-0x00007FFE9618E000-memory.dmp

Filesize
1.3MB

Download
memory/1404-155-0x000000001E460000-0x000000001E622000-memory.dmp

Filesize
1.8MB

Download
memory/1404-156-0x000000001EB60000-0x000000001F088000-memory.dmp

Filesize
5.2MB

Download
memory/1404-157-0x00007FFE8F440000-0x00007FFE8FF01000-memory.dmp

Filesize
10.8MB

Download
memory/1404-158-0x00007FFE8F440000-0x00007FFE8FF01000-memory.dmp

Filesize
10.8MB

Download
memory/1404-159-0x00007FFE8F440000-0x00007FFE8FF01000-memory.dmp

Filesize
10.8MB

Download
memory/1404-152-0x0000000000000000-mapping.dmp

Download
memory/1908-180-0x00007FFE8F440000-0x00007FFE8FF01000-memory.dmp

Filesize
10.8MB

Download
memory/1908-172-0x00007FFE8F440000-0x00007FFE8FF01000-memory.dmp

Filesize
10.8MB

Download
memory/1908-171-0x00007FFE95730000-0x00007FFE9587E000-memory.dmp

Filesize
1.3MB

Download
memory/1908-178-0x00007FFE8F440000-0x00007FFE8FF01000-memory.dmp

Filesize
10.8MB

Download
memory/1908-170-0x0000000000000000-mapping.dmp

Download
memory/2200-164-0x0000000000000000-mapping.dmp

Download
memory/3408-162-0x00007FFE95730000-0x00007FFE9587E000-memory.dmp

Filesize
1.3MB

Download
memory/3408-168-0x00007FFE8F440000-0x00007FFE8FF01000-memory.dmp

Filesize
10.8MB

Download
memory/3408-163-0x00007FFE8F440000-0x00007FFE8FF01000-memory.dmp

Filesize
10.8MB

Download
memory/3408-161-0x0000000000000000-mapping.dmp

Download
memory/3512-148-0x0000000000000000-mapping.dmp

Download
memory/3784-142-0x0000000000000000-mapping.dmp

Download
memory/3948-146-0x0000000000000000-mapping.dmp

Download
memory/4312-169-0x0000000000000000-mapping.dmp

Download
memory/4356-182-0x0000000000B60000-0x0000000000BD2000-memory.dmp

Filesize
456KB

Download
memory/4356-185-0x0000000005680000-0x0000000005712000-memory.dmp

Filesize
584KB

Download
memory/4356-188-0x0000000005860000-0x000000000586A000-memory.dmp

Filesize
40KB

Download
memory/4356-187-0x0000000005870000-0x00000000058C6000-memory.dmp

Filesize
344KB

Download
memory/4356-183-0x0000000005540000-0x00000000055DC000-memory.dmp

Filesize
624KB

Download
memory/4356-186-0x0000000005620000-0x000000000562A000-memory.dmp

Filesize
40KB

Download
memory/4356-184-0x0000000005B90000-0x0000000006134000-memory.dmp

Filesize
5.6MB

Download
memory/4840-145-0x0000000000000000-mapping.dmp

Download
memory/5244-160-0x0000000000000000-mapping.dmp

Download
memory/5656-151-0x0000000000000000-mapping.dmp

Download
memory/5836-174-0x0000000000000000-mapping.dmp

Download
memory/6080-181-0x0000000000000000-mapping.dmp

Download
memory/6132-179-0x00007FFE8F440000-0x00007FFE8FF01000-memory.dmp

Filesize
10.8MB

Download
memory/6132-176-0x00007FFE95730000-0x00007FFE9587E000-memory.dmp

Filesize
1.3MB

Download
memory/6132-175-0x0000000000000000-mapping.dmp

Download
memory/6132-177-0x00007FFE8F440000-0x00007FFE8FF01000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads