azorult | hxxps://keygenit[.]com/d/3e16ccf432109nspn247[.]html

Resubmissions

06-10-2022 21:06

221006-zxrwaaaga6 10

13-04-2021 12:47

210413-myxlaxh4ta 10

12-04-2021 13:54

210412-6sz4v79f2x 10

Analysis

max time kernel
266s
max time network
360s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2022 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://keygenit.com/d/3e16ccf432109nspn247.html

Score

10^/10

azorult nymaim raccoon socelars b2215797a39d7d41aaec15c1f494d33d discovery infostealer persistence spyware stealer trojan upx vmprotect

Malware Config

Extracted

Family

raccoon

Botnet

b2215797a39d7d41aaec15c1f494d33d

http://94.131.98.5/

http://94.131.97.129

rc4.plain

Extracted

Family

nymaim

208.67.104.97

85.31.46.167

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	4160	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6020	4160	rundll32.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Downloads MZ/PE file

Executes dropped EXE 25 IoCs

Processes:

keygen-pr.exekeygen-step-1.exekeygen-step-5.exekeygen-step-4.exeLicense Keys.exekey.exeLicense Keys.exeKiffAppE2.exekeygen-pr.exekeygen-step-1.exekeygen-step-5.exekey.exekeygen-step-4.exeLicense Keys.exeLicense Keys.exeKiffAppE2.exemp3studios_91.exepb1119.exeSetup.exemp3studios_91.exepb1119.exeSetup.exepopara.exeJZ25jMbF.exepopara.exe

pid	process
2548	keygen-pr.exe
2864	keygen-step-1.exe
2024	keygen-step-5.exe
4924	keygen-step-4.exe
4956	License Keys.exe
2700	key.exe
1036	License Keys.exe
4284	KiffAppE2.exe
2596	keygen-pr.exe
3064	keygen-step-1.exe
5224	keygen-step-5.exe
5448	key.exe
5512	keygen-step-4.exe
5628	License Keys.exe
5748	License Keys.exe
5788	KiffAppE2.exe
5884	mp3studios_91.exe
1224	pb1119.exe
4528	Setup.exe
180	mp3studios_91.exe
3712	pb1119.exe
5740	Setup.exe
4124	popara.exe
1788	JZ25jMbF.exe
1424	popara.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1788-255-0x00000000009B0000-0x0000000001C65000-memory.dmp	upx
behavioral1/memory/1788-275-0x00000000009B0000-0x0000000001C65000-memory.dmp	upx

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1224-203-0x0000000140000000-0x0000000140604000-memory.dmp	vmprotect
behavioral1/memory/3712-222-0x0000000140000000-0x0000000140604000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

License Keys.exeSetup.exekeygen-step-4.exeLicense Keys.exekeygen-step-4.exekeygen-step-5.exepopara.exepopara.exekeygen-step-5.exekeygen-pr.exekeygen-pr.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	License Keys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	keygen-step-4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	License Keys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	keygen-step-4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	keygen-step-5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	popara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	popara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	keygen-step-5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	keygen-pr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	keygen-pr.exe

Loads dropped DLL 10 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exeSetup.exe

pid	process
3688	rundll32.exe
892	rundll32.exe
5620	rundll32.exe
5620	rundll32.exe
5640	rundll32.exe
6032	rundll32.exe
5176	rundll32.exe
4528	Setup.exe
4528	Setup.exe
4528	Setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

285 api.ipify.org
286 api.ipify.org

flow	ioc
285	api.ipify.org
286	api.ipify.org

Drops file in System32 directory 11 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe

Drops file in Program Files directory 19 IoCs

Processes:

mp3studios_91.exemp3studios_91.exe

description	ioc	process
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	mp3studios_91.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js	mp3studios_91.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	mp3studios_91.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	mp3studios_91.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	mp3studios_91.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js	mp3studios_91.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	mp3studios_91.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	mp3studios_91.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html	mp3studios_91.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	mp3studios_91.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	mp3studios_91.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 23 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3216	892	WerFault.exe	rundll32.exe
6076	6032	WerFault.exe	rundll32.exe
6044	1224	WerFault.exe	pb1119.exe
5256	3712	WerFault.exe	pb1119.exe
5480	4124	WerFault.exe	popara.exe
5508	4124	WerFault.exe	popara.exe
5272	4124	WerFault.exe	popara.exe
6096	4124	WerFault.exe	popara.exe
5252	4124	WerFault.exe	popara.exe
3936	4124	WerFault.exe	popara.exe
4844	4124	WerFault.exe	popara.exe
952	4124	WerFault.exe	popara.exe
2964	4124	WerFault.exe	popara.exe
5000	4124	WerFault.exe	popara.exe
5424	1424	WerFault.exe	popara.exe
5780	1424	WerFault.exe	popara.exe
2836	1424	WerFault.exe	popara.exe
5912	1424	WerFault.exe	popara.exe
5916	1424	WerFault.exe	popara.exe
3300	1424	WerFault.exe	popara.exe
4804	1424	WerFault.exe	popara.exe
3012	1424	WerFault.exe	popara.exe
2432	1424	WerFault.exe	popara.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exetaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exemsedge.exemsedge.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

5140 taskkill.exe
2664 taskkill.exe
4588 taskkill.exe
2076 taskkill.exe

pid	process
5140	taskkill.exe
2664	taskkill.exe
4588	taskkill.exe
2076	taskkill.exe

Modifies registry class 35 IoCs

Processes:

JPEGView.exekeygen-step-5.exechrome.exemsedge.exemspaint.exekeygen-step-5.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "3"	JPEGView.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3"	JPEGView.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	keygen-step-5.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	JPEGView.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	JPEGView.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	JPEGView.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	JPEGView.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616257"	JPEGView.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1"	JPEGView.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	JPEGView.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	JPEGView.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	JPEGView.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}	JPEGView.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000	JPEGView.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	JPEGView.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0"	JPEGView.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	JPEGView.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	JPEGView.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1"	JPEGView.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	JPEGView.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy	JPEGView.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	JPEGView.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	mspaint.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	JPEGView.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	JPEGView.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Pictures"	JPEGView.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	JPEGView.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96"	JPEGView.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	JPEGView.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	keygen-step-5.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	JPEGView.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	JPEGView.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1"	JPEGView.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	284	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	290	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exetaskmgr.exechrome.exechrome.exemspaint.exe

pid	process
1928	chrome.exe
1928	chrome.exe
4540	chrome.exe
4540	chrome.exe
4904	chrome.exe
4904	chrome.exe
4444	chrome.exe
4444	chrome.exe
952	chrome.exe
952	chrome.exe
3592	chrome.exe
3592	chrome.exe
4904	chrome.exe
4904	chrome.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
4796	chrome.exe
4796	chrome.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
1584	chrome.exe
1584	chrome.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5048	mspaint.exe
5048	mspaint.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

OpenWith.exetaskmgr.exeJPEGView.exe

pid process

4836 OpenWith.exe
5080 taskmgr.exe
4656 JPEGView.exe

pid	process
4836	OpenWith.exe
5080	taskmgr.exe
4656	JPEGView.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 50 IoCs

Processes:

chrome.exechrome.exechrome.exemsedge.exemsedge.exe

pid	process
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
5260	chrome.exe
5260	chrome.exe
5260	chrome.exe
5260	chrome.exe
1216	chrome.exe
1216	chrome.exe
1216	chrome.exe
1216	chrome.exe
2760	msedge.exe
2760	msedge.exe
3728	msedge.exe
3728	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskmgr.exeKiffAppE2.exemp3studios_91.exetaskkill.exemp3studios_91.exe

description	pid	process
Token: SeDebugPrivilege	5080	taskmgr.exe
Token: SeSystemProfilePrivilege	5080	taskmgr.exe
Token: SeCreateGlobalPrivilege	5080	taskmgr.exe
Token: SeDebugPrivilege	4284	KiffAppE2.exe
Token: 33	5080	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5080	taskmgr.exe
Token: SeCreateTokenPrivilege	5884	mp3studios_91.exe
Token: SeAssignPrimaryTokenPrivilege	5884	mp3studios_91.exe
Token: SeLockMemoryPrivilege	5884	mp3studios_91.exe
Token: SeIncreaseQuotaPrivilege	5884	mp3studios_91.exe
Token: SeMachineAccountPrivilege	5884	mp3studios_91.exe
Token: SeTcbPrivilege	5884	mp3studios_91.exe
Token: SeSecurityPrivilege	5884	mp3studios_91.exe
Token: SeTakeOwnershipPrivilege	5884	mp3studios_91.exe
Token: SeLoadDriverPrivilege	5884	mp3studios_91.exe
Token: SeSystemProfilePrivilege	5884	mp3studios_91.exe
Token: SeSystemtimePrivilege	5884	mp3studios_91.exe
Token: SeProfSingleProcessPrivilege	5884	mp3studios_91.exe
Token: SeIncBasePriorityPrivilege	5884	mp3studios_91.exe
Token: SeCreatePagefilePrivilege	5884	mp3studios_91.exe
Token: SeCreatePermanentPrivilege	5884	mp3studios_91.exe
Token: SeBackupPrivilege	5884	mp3studios_91.exe
Token: SeRestorePrivilege	5884	mp3studios_91.exe
Token: SeShutdownPrivilege	5884	mp3studios_91.exe
Token: SeDebugPrivilege	5884	mp3studios_91.exe
Token: SeAuditPrivilege	5884	mp3studios_91.exe
Token: SeSystemEnvironmentPrivilege	5884	mp3studios_91.exe
Token: SeChangeNotifyPrivilege	5884	mp3studios_91.exe
Token: SeRemoteShutdownPrivilege	5884	mp3studios_91.exe
Token: SeUndockPrivilege	5884	mp3studios_91.exe
Token: SeSyncAgentPrivilege	5884	mp3studios_91.exe
Token: SeEnableDelegationPrivilege	5884	mp3studios_91.exe
Token: SeManageVolumePrivilege	5884	mp3studios_91.exe
Token: SeImpersonatePrivilege	5884	mp3studios_91.exe
Token: SeCreateGlobalPrivilege	5884	mp3studios_91.exe
Token: 31	5884	mp3studios_91.exe
Token: 32	5884	mp3studios_91.exe
Token: 33	5884	mp3studios_91.exe
Token: 34	5884	mp3studios_91.exe
Token: 35	5884	mp3studios_91.exe
Token: SeDebugPrivilege	5140	taskkill.exe
Token: SeCreateTokenPrivilege	180	mp3studios_91.exe
Token: SeAssignPrimaryTokenPrivilege	180	mp3studios_91.exe
Token: SeLockMemoryPrivilege	180	mp3studios_91.exe
Token: SeIncreaseQuotaPrivilege	180	mp3studios_91.exe
Token: SeMachineAccountPrivilege	180	mp3studios_91.exe
Token: SeTcbPrivilege	180	mp3studios_91.exe
Token: SeSecurityPrivilege	180	mp3studios_91.exe
Token: SeTakeOwnershipPrivilege	180	mp3studios_91.exe
Token: SeLoadDriverPrivilege	180	mp3studios_91.exe
Token: SeSystemProfilePrivilege	180	mp3studios_91.exe
Token: SeSystemtimePrivilege	180	mp3studios_91.exe
Token: SeProfSingleProcessPrivilege	180	mp3studios_91.exe
Token: SeIncBasePriorityPrivilege	180	mp3studios_91.exe
Token: SeCreatePagefilePrivilege	180	mp3studios_91.exe
Token: SeCreatePermanentPrivilege	180	mp3studios_91.exe
Token: SeBackupPrivilege	180	mp3studios_91.exe
Token: SeRestorePrivilege	180	mp3studios_91.exe
Token: SeShutdownPrivilege	180	mp3studios_91.exe
Token: SeDebugPrivilege	180	mp3studios_91.exe
Token: SeAuditPrivilege	180	mp3studios_91.exe
Token: SeSystemEnvironmentPrivilege	180	mp3studios_91.exe
Token: SeChangeNotifyPrivilege	180	mp3studios_91.exe
Token: SeRemoteShutdownPrivilege	180	mp3studios_91.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
4540	chrome.exe
4540	chrome.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
4540	chrome.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
4540	chrome.exe
4540	chrome.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe
5080	taskmgr.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

mspaint.exeOpenWith.exeAdobe_Acrobat_Reader_DC_keygen_by_ACME.exeJPEGView.exe

pid	process
5048	mspaint.exe
4836	OpenWith.exe
3268	Adobe_Acrobat_Reader_DC_keygen_by_ACME.exe
3268	Adobe_Acrobat_Reader_DC_keygen_by_ACME.exe
4656	JPEGView.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4540 wrote to memory of 4644	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4644	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 4468	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1928	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1928	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1016	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1016	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1016	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1016	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1016	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1016	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1016	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1016	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1016	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1016	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1016	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1016	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1016	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1016	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1016	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1016	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1016	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1016	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1016	4540	chrome.exe	chrome.exe
PID 4540 wrote to memory of 1016	4540	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://keygenit.com/d/3e16ccf432109nspn247.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffcf0b94f50,0x7ffcf0b94f60,0x7ffcf0b94f70
2⤵
PID:4644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1632 /prefetch:2
2⤵
PID:4468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1984 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 /prefetch:8
2⤵
PID:1016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3036 /prefetch:1
2⤵
PID:4640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:1
2⤵
PID:1812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3008 /prefetch:8
2⤵
PID:4916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
2⤵
PID:4672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
2⤵
PID:4384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5144 /prefetch:8
2⤵
PID:4436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5416 /prefetch:8
2⤵
PID:4028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5272 /prefetch:8
2⤵
PID:3996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5244 /prefetch:8
2⤵
PID:928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
2⤵
PID:1160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
2⤵
PID:2760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
2⤵
PID:3504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6148 /prefetch:8
2⤵
PID:4524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6028 /prefetch:8
2⤵
PID:4916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5980 /prefetch:8
2⤵
PID:1076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6004 /prefetch:8
2⤵
PID:4028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
2⤵
PID:5092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
2⤵
PID:3924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
2⤵
PID:4528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6624 /prefetch:1
2⤵
PID:2772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
2⤵
PID:4228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2500 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6072 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
2⤵
PID:1216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4608 /prefetch:8
2⤵
PID:1580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
2⤵
PID:4544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6072 /prefetch:8
2⤵
PID:3732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3140 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4892 /prefetch:8
2⤵
PID:4652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6252 /prefetch:8
2⤵
PID:2308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1008 /prefetch:2
2⤵
PID:3196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:1
2⤵
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
2⤵
PID:4908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3592 /prefetch:8
2⤵
PID:4152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5816 /prefetch:8
2⤵
PID:4868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6460 /prefetch:8
2⤵
PID:1212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6628 /prefetch:8
2⤵
PID:3624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
2⤵
PID:1460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
2⤵
PID:1808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
2⤵
PID:2440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
2⤵
PID:4804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
2⤵
PID:936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
2⤵
PID:4116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
2⤵
PID:5016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
2⤵
PID:3156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
2⤵
PID:2024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
2⤵
PID:4200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7244 /prefetch:1
2⤵
PID:3268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
2⤵
PID:3592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7400 /prefetch:1
2⤵
PID:2848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7720 /prefetch:1
2⤵
PID:4328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7936 /prefetch:8
2⤵
PID:400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7112 /prefetch:8
2⤵
PID:4656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6412 /prefetch:8
2⤵
PID:5112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
2⤵
PID:4504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4820 /prefetch:8
2⤵
PID:1348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7064 /prefetch:1
2⤵
PID:3216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
2⤵
PID:4264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6784 /prefetch:1
2⤵
PID:3152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6912 /prefetch:1
2⤵
PID:4836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
2⤵
PID:3492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7240 /prefetch:1
2⤵
PID:1736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
2⤵
PID:2376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
2⤵
PID:3964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,16792313726314987527,5987585243245549733,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
2⤵
PID:3176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3688

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5080

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2964

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\Password.HERE.jpeg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:5052

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4836

C:\Users\Admin\Desktop\Adobe_Acrobat_Reader_DC_keygen_by_ACME.exe
"C:\Users\Admin\Desktop\Adobe_Acrobat_Reader_DC_keygen_by_ACME.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3268

C:\Users\Admin\Desktop\JPEGView.exe
"C:\Users\Admin\Desktop\JPEGView.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4656

C:\Users\Admin\Desktop\Adobe_Acrobat_Reader_DC_keygen_by_ACME.exe
"C:\Users\Admin\Desktop\Adobe_Acrobat_Reader_DC_keygen_by_ACME.exe"
1⤵
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:2548

C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe"
4⤵
- Executes dropped EXE
PID:2700

C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX2\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:2864

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe
keygen-step-5.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:2024

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\k7IZ1Y.cPl",
4⤵
PID:4988

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\k7IZ1Y.cPl",
5⤵
- Loads dropped DLL
PID:3688

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\k7IZ1Y.cPl",
6⤵
PID:5580

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\k7IZ1Y.cPl",
7⤵
- Loads dropped DLL
PID:5640

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:4924

C:\Users\Admin\AppData\Local\Temp\RarSFX1\License Keys.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\License Keys.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:4956

C:\Users\Admin\AppData\Local\Temp\RarSFX1\License Keys.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\License Keys.exe" -h
5⤵
- Executes dropped EXE
PID:1036

C:\Users\Admin\AppData\Local\Temp\RarSFX1\KiffAppE2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\KiffAppE2.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Users\Admin\AppData\Local\Temp\RarSFX1\mp3studios_91.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\mp3studios_91.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:180

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:6096

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
PID:2664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:1216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcff7b4f50,0x7ffcff7b4f60,0x7ffcff7b4f70
6⤵
PID:1832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1688,16521038760736742869,9876295066754024986,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1948 /prefetch:8
6⤵
PID:3376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1688,16521038760736742869,9876295066754024986,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2568 /prefetch:8
6⤵
PID:624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1688,16521038760736742869,9876295066754024986,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1716 /prefetch:2
6⤵
PID:620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1688,16521038760736742869,9876295066754024986,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2900 /prefetch:1
6⤵
PID:1628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1688,16521038760736742869,9876295066754024986,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2892 /prefetch:1
6⤵
PID:3460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1688,16521038760736742869,9876295066754024986,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
6⤵
PID:4628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1688,16521038760736742869,9876295066754024986,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
6⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\RarSFX1\pb1119.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\pb1119.exe"
4⤵
- Executes dropped EXE
PID:3712

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3712 -s 424
5⤵
- Program crash
PID:5256

C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
4⤵
- Executes dropped EXE
PID:5740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Iw9B
4⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:2760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcf15946f8,0x7ffcf1594708,0x7ffcf1594718
5⤵
PID:5676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,4568219690849082273,15293396117933956094,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
5⤵
PID:5444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,4568219690849082273,15293396117933956094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
5⤵
PID:5660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,4568219690849082273,15293396117933956094,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
5⤵
PID:5788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4568219690849082273,15293396117933956094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
5⤵
PID:5744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4568219690849082273,15293396117933956094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1
5⤵
PID:4732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,4568219690849082273,15293396117933956094,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4760 /prefetch:8
5⤵
PID:5408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,4568219690849082273,15293396117933956094,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4896 /prefetch:8
5⤵
PID:6100

C:\Users\Admin\AppData\Local\Temp\RarSFX1\popara.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\popara.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 452
5⤵
- Program crash
PID:5480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 764
5⤵
- Program crash
PID:5508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 772
5⤵
- Program crash
PID:5272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 772
5⤵
- Program crash
PID:6096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 792
5⤵
- Program crash
PID:5252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 984
5⤵
- Program crash
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 1000
5⤵
- Program crash
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 1084
5⤵
- Program crash
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 1372
5⤵
- Program crash
PID:2964

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "popara.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\RarSFX1\popara.exe" & exit
5⤵
PID:3952

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "popara.exe" /f
6⤵
- Kills process with taskkill
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4124 -s 492
5⤵
- Program crash
PID:5000

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:1288

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 600
3⤵
- Program crash
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 892 -ip 892
1⤵
PID:2044

C:\Users\Admin\Desktop\Adobe_Acrobat_Reader_DC_keygen_by_ACME.exe
"C:\Users\Admin\Desktop\Adobe_Acrobat_Reader_DC_keygen_by_ACME.exe"
1⤵
PID:4064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen.bat" "
2⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:2596

C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe"
4⤵
- Executes dropped EXE
PID:5448

C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:5600

C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:3064

C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-5.exe
keygen-step-5.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:5224

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\k7IZ1Y.cPl",
4⤵
PID:5500

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\k7IZ1Y.cPl",
5⤵
- Loads dropped DLL
PID:5620

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\k7IZ1Y.cPl",
6⤵
PID:5152

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\k7IZ1Y.cPl",
7⤵
- Loads dropped DLL
PID:5176

C:\Users\Admin\AppData\Local\Temp\RarSFX3\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:5512

C:\Users\Admin\AppData\Local\Temp\RarSFX5\License Keys.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\License Keys.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:5628

C:\Users\Admin\AppData\Local\Temp\RarSFX5\License Keys.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\License Keys.exe" -h
5⤵
- Executes dropped EXE
PID:5748

C:\Users\Admin\AppData\Local\Temp\RarSFX5\KiffAppE2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\KiffAppE2.exe"
4⤵
- Executes dropped EXE
PID:5788

C:\Users\Admin\AppData\Local\Temp\RarSFX5\mp3studios_91.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\mp3studios_91.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:5884

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
PID:6096

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
5⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:5260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd070b4f50,0x7ffd070b4f60,0x7ffd070b4f70
6⤵
PID:5272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,5720581302551762891,5224217108632513444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2044 /prefetch:8
6⤵
PID:1264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,5720581302551762891,5224217108632513444,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1972 /prefetch:8
6⤵
PID:2168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1976,5720581302551762891,5224217108632513444,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2852 /prefetch:1
6⤵
PID:5652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1976,5720581302551762891,5224217108632513444,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2844 /prefetch:1
6⤵
PID:228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1976,5720581302551762891,5224217108632513444,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=2 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
6⤵
PID:5808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1976,5720581302551762891,5224217108632513444,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1988 /prefetch:2
6⤵
PID:1408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1976,5720581302551762891,5224217108632513444,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
6⤵
PID:3444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1976,5720581302551762891,5224217108632513444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4676 /prefetch:8
6⤵
PID:5128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1976,5720581302551762891,5224217108632513444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4684 /prefetch:8
6⤵
PID:5616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1976,5720581302551762891,5224217108632513444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4948 /prefetch:8
6⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\RarSFX5\pb1119.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\pb1119.exe"
4⤵
- Executes dropped EXE
PID:1224

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1224 -s 424
5⤵
- Program crash
PID:6044

C:\Users\Admin\AppData\Local\Temp\RarSFX5\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\Setup.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:4528

C:\Users\Admin\AppData\Roaming\JZ25jMbF.exe
"C:\Users\Admin\AppData\Roaming\JZ25jMbF.exe"
5⤵
- Executes dropped EXE
PID:1788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
6⤵
PID:1460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Iw9B
4⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:3728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf15946f8,0x7ffcf1594708,0x7ffcf1594718
5⤵
PID:4200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,3423656790940439869,7419019441389857970,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
5⤵
PID:5436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,3423656790940439869,7419019441389857970,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
5⤵
PID:3440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,3423656790940439869,7419019441389857970,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2448 /prefetch:8
5⤵
PID:5264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,3423656790940439869,7419019441389857970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
5⤵
PID:5276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,3423656790940439869,7419019441389857970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
5⤵
PID:5188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2228,3423656790940439869,7419019441389857970,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3632 /prefetch:8
5⤵
PID:4808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2228,3423656790940439869,7419019441389857970,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 /prefetch:8
5⤵
PID:4760

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,3423656790940439869,7419019441389857970,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
5⤵
PID:5620

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,3423656790940439869,7419019441389857970,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
5⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\RarSFX5\popara.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX5\popara.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 452
5⤵
- Program crash
PID:5424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 772
5⤵
- Program crash
PID:5780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 808
5⤵
- Program crash
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 816
5⤵
- Program crash
PID:5912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 824
5⤵
- Program crash
PID:5916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 984
5⤵
- Program crash
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1012
5⤵
- Program crash
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 1356
5⤵
- Program crash
PID:3012

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "popara.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\RarSFX5\popara.exe" & exit
5⤵
PID:4864

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "popara.exe" /f
6⤵
- Kills process with taskkill
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 468
5⤵
- Program crash
PID:2432

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:6020

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:6032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6032 -s 600
3⤵
- Program crash
PID:6076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6032 -ip 6032
1⤵
PID:6060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5756

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 1224 -ip 1224
1⤵
PID:6076

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
PID:2260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4624

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 3712 -ip 3712
1⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4124 -ip 4124
1⤵
PID:5552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4124 -ip 4124
1⤵
PID:6000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4124 -ip 4124
1⤵
PID:5276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4124 -ip 4124
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4124 -ip 4124
1⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4124 -ip 4124
1⤵
PID:5256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4124 -ip 4124
1⤵
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4124 -ip 4124
1⤵
PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4124 -ip 4124
1⤵
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4124 -ip 4124
1⤵
PID:5904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1424 -ip 1424
1⤵
PID:5984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1424 -ip 1424
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1424 -ip 1424
1⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1424 -ip 1424
1⤵
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1424 -ip 1424
1⤵
PID:5244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1424 -ip 1424
1⤵
PID:5960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1424 -ip 1424
1⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1424 -ip 1424
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1424 -ip 1424
1⤵
PID:1828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_4540_ILNFOBFBZVMWATAA

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/180-218-0x0000000000000000-mapping.dmp

Download
memory/228-158-0x0000000000000000-mapping.dmp

Download
memory/892-156-0x0000000000000000-mapping.dmp

Download
memory/1036-148-0x0000000000000000-mapping.dmp

Download
memory/1224-203-0x0000000140000000-0x0000000140604000-memory.dmp

Filesize
6.0MB

Download
memory/1224-202-0x0000000000000000-mapping.dmp

Download
memory/1252-274-0x0000000000000000-mapping.dmp

Download
memory/1424-258-0x0000000000000000-mapping.dmp

Download
memory/1424-276-0x00000000007ED000-0x0000000000814000-memory.dmp

Filesize
156KB

Download
memory/1424-277-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/1424-271-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/1424-270-0x00000000007ED000-0x0000000000814000-memory.dmp

Filesize
156KB

Download
memory/1476-139-0x0000000000000000-mapping.dmp

Download
memory/1584-150-0x0000000000000000-mapping.dmp

Download
memory/1788-253-0x0000000000000000-mapping.dmp

Download
memory/1788-255-0x00000000009B0000-0x0000000001C65000-memory.dmp

Filesize
18.7MB

Download
memory/1788-275-0x00000000009B0000-0x0000000001C65000-memory.dmp

Filesize
18.7MB

Download
memory/2024-142-0x0000000000000000-mapping.dmp

Download
memory/2548-140-0x0000000000000000-mapping.dmp

Download
memory/2596-159-0x0000000000000000-mapping.dmp

Download
memory/2664-220-0x0000000000000000-mapping.dmp

Download
memory/2700-152-0x0000000002B30000-0x0000000002CCC000-memory.dmp

Filesize
1.6MB

Download
memory/2700-146-0x0000000000000000-mapping.dmp

Download
memory/2760-230-0x0000000000000000-mapping.dmp

Download
memory/2864-141-0x0000000000000000-mapping.dmp

Download
memory/3064-160-0x0000000000000000-mapping.dmp

Download
memory/3440-261-0x0000000000000000-mapping.dmp

Download
memory/3688-161-0x00000000034D0000-0x000000000357D000-memory.dmp

Filesize
692KB

Download
memory/3688-154-0x00000000030D0000-0x00000000031FF000-memory.dmp

Filesize
1.2MB

Download
memory/3688-155-0x0000000003300000-0x00000000033F8000-memory.dmp

Filesize
992KB

Download
memory/3688-184-0x0000000003300000-0x00000000033F8000-memory.dmp

Filesize
992KB

Download
memory/3688-163-0x00000000034D0000-0x000000000357D000-memory.dmp

Filesize
692KB

Download
memory/3688-147-0x0000000000000000-mapping.dmp

Download
memory/3688-157-0x0000000003400000-0x00000000034C2000-memory.dmp

Filesize
776KB

Download
memory/3712-221-0x0000000000000000-mapping.dmp

Download
memory/3712-222-0x0000000140000000-0x0000000140604000-memory.dmp

Filesize
6.0MB

Download
memory/3728-256-0x0000000000000000-mapping.dmp

Download
memory/3952-249-0x0000000000000000-mapping.dmp

Download
memory/4124-251-0x00000000008FD000-0x0000000000924000-memory.dmp

Filesize
156KB

Download
memory/4124-240-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/4124-232-0x0000000000000000-mapping.dmp

Download
memory/4124-252-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/4124-238-0x00000000008FD000-0x0000000000924000-memory.dmp

Filesize
156KB

Download
memory/4124-239-0x00000000007F0000-0x0000000000831000-memory.dmp

Filesize
260KB

Download
memory/4200-257-0x0000000000000000-mapping.dmp

Download
memory/4284-183-0x00007FFCEA980000-0x00007FFCEB441000-memory.dmp

Filesize
10.8MB

Download
memory/4284-149-0x0000000000000000-mapping.dmp

Download
memory/4284-151-0x0000000000950000-0x000000000097E000-memory.dmp

Filesize
184KB

Download
memory/4284-217-0x00007FFCEA980000-0x00007FFCEB441000-memory.dmp

Filesize
10.8MB

Download
memory/4284-153-0x00007FFCEA980000-0x00007FFCEB441000-memory.dmp

Filesize
10.8MB

Download
memory/4528-254-0x0000000000140000-0x00000000009E1000-memory.dmp

Filesize
8.6MB

Download
memory/4528-216-0x0000000000140000-0x00000000009E1000-memory.dmp

Filesize
8.6MB

Download
memory/4528-208-0x0000000000000000-mapping.dmp

Download
memory/4528-213-0x0000000000140000-0x00000000009E1000-memory.dmp

Filesize
8.6MB

Download
memory/4588-250-0x0000000000000000-mapping.dmp

Download
memory/4732-244-0x0000000000000000-mapping.dmp

Download
memory/4760-273-0x0000000000000000-mapping.dmp

Download
memory/4808-269-0x0000000000000000-mapping.dmp

Download
memory/4924-143-0x0000000000000000-mapping.dmp

Download
memory/4956-145-0x0000000000000000-mapping.dmp

Download
memory/4988-144-0x0000000000000000-mapping.dmp

Download
memory/5052-138-0x000001FC445B0000-0x000001FC445C0000-memory.dmp

Filesize
64KB

Download
memory/5052-137-0x000001FC44560000-0x000001FC44570000-memory.dmp

Filesize
64KB

Download
memory/5140-195-0x0000000000000000-mapping.dmp

Download
memory/5152-196-0x0000000000000000-mapping.dmp

Download
memory/5176-199-0x0000000003530000-0x000000000365F000-memory.dmp

Filesize
1.2MB

Download
memory/5176-197-0x0000000000000000-mapping.dmp

Download
memory/5176-215-0x0000000003760000-0x0000000003858000-memory.dmp

Filesize
992KB

Download
memory/5176-209-0x0000000003860000-0x0000000003922000-memory.dmp

Filesize
776KB

Download
memory/5176-211-0x0000000003930000-0x00000000039DD000-memory.dmp

Filesize
692KB

Download
memory/5176-200-0x0000000003760000-0x0000000003858000-memory.dmp

Filesize
992KB

Download
memory/5188-267-0x0000000000000000-mapping.dmp

Download
memory/5224-162-0x0000000000000000-mapping.dmp

Download
memory/5264-263-0x0000000000000000-mapping.dmp

Download
memory/5276-265-0x0000000000000000-mapping.dmp

Download
memory/5408-246-0x0000000000000000-mapping.dmp

Download
memory/5436-260-0x0000000000000000-mapping.dmp

Download
memory/5444-234-0x0000000000000000-mapping.dmp

Download
memory/5448-201-0x0000000002720000-0x00000000028BC000-memory.dmp

Filesize
1.6MB

Download
memory/5448-168-0x0000000002720000-0x00000000028BC000-memory.dmp

Filesize
1.6MB

Download
memory/5448-165-0x0000000000000000-mapping.dmp

Download
memory/5500-166-0x0000000000000000-mapping.dmp

Download
memory/5512-167-0x0000000000000000-mapping.dmp

Download
memory/5580-169-0x0000000000000000-mapping.dmp

Download
memory/5600-170-0x0000000000000000-mapping.dmp

Download
memory/5620-178-0x0000000002DD0000-0x0000000002EC8000-memory.dmp

Filesize
992KB

Download
memory/5620-186-0x0000000002ED0000-0x0000000002F92000-memory.dmp

Filesize
776KB

Download
memory/5620-204-0x0000000002DD0000-0x0000000002EC8000-memory.dmp

Filesize
992KB

Download
memory/5620-190-0x00000000022C0000-0x000000000236D000-memory.dmp

Filesize
692KB

Download
memory/5620-172-0x0000000000000000-mapping.dmp

Download
memory/5620-174-0x00000000027B0000-0x0000000002959000-memory.dmp

Filesize
1.7MB

Download
memory/5620-177-0x0000000002BA0000-0x0000000002CCF000-memory.dmp

Filesize
1.2MB

Download
memory/5628-171-0x0000000000000000-mapping.dmp

Download
memory/5640-173-0x0000000000000000-mapping.dmp

Download
memory/5640-188-0x0000000003590000-0x0000000003652000-memory.dmp

Filesize
776KB

Download
memory/5640-179-0x0000000003260000-0x000000000338F000-memory.dmp

Filesize
1.2MB

Download
memory/5640-198-0x0000000003490000-0x0000000003588000-memory.dmp

Filesize
992KB

Download
memory/5640-180-0x0000000003490000-0x0000000003588000-memory.dmp

Filesize
992KB

Download
memory/5640-193-0x0000000003660000-0x000000000370D000-memory.dmp

Filesize
692KB

Download
memory/5660-235-0x0000000000000000-mapping.dmp

Download
memory/5676-231-0x0000000000000000-mapping.dmp

Download
memory/5740-229-0x0000000000E60000-0x0000000001701000-memory.dmp

Filesize
8.6MB

Download
memory/5740-227-0x0000000000E60000-0x0000000001701000-memory.dmp

Filesize
8.6MB

Download
memory/5740-226-0x0000000000000000-mapping.dmp

Download
memory/5744-242-0x0000000000000000-mapping.dmp

Download
memory/5748-175-0x0000000000000000-mapping.dmp

Download
memory/5788-237-0x0000000000000000-mapping.dmp

Download
memory/5788-176-0x0000000000000000-mapping.dmp

Download
memory/5788-181-0x00007FFCEA980000-0x00007FFCEB441000-memory.dmp

Filesize
10.8MB

Download
memory/5884-182-0x0000000000000000-mapping.dmp

Download
memory/6032-185-0x0000000000000000-mapping.dmp

Download
memory/6096-187-0x0000000000000000-mapping.dmp

Download
memory/6096-219-0x0000000000000000-mapping.dmp

Download
memory/6100-248-0x0000000000000000-mapping.dmp

Download