Resubmissions
19-11-2022 21:40
221119-1jgzlacd49 819-11-2022 13:48
221119-q4ed4adg34 1019-11-2022 06:26
221119-g7aqmscg91 1019-11-2022 05:30
221119-f67hjsbc8t 1015-11-2022 20:50
221115-zm3j2abf6y 1015-11-2022 20:50
221115-zmpm6sfh23 1015-11-2022 20:49
221115-zl6kasfg98 1015-11-2022 20:19
221115-y4ct9sff87 1014-11-2022 19:39
221114-yc4tnsdb92 1014-11-2022 19:34
221114-yakb9adb83 10Analysis
-
max time kernel
647s -
max time network
834s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
19-11-2022 13:48
General
-
Target
db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe
-
Size
307KB
-
MD5
0abe50c1509136bf62d2184ab439e7a5
-
SHA1
722a7e2a0dd66f506ba93d24946b8bf504b100c0
-
SHA256
db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50
-
SHA512
0c232d1eaf68c0099fb499fcd40bb33cd604f0259a71b853c296e00cc468342de95548ccf61d9e904cef5d34fd94defbb43f844e9f50a51517c7c95ab66862c5
-
SSDEEP
6144:Gu0FGLnBOUaLPP7S9dW8dsgMF24raEn2E1a:Gu0wTBOU2Pj6EisgM/uUv
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Desktop\@Please_Read_Me@.txt
Family
wannacry
Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
�
Wallets
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Signatures
-
Detects Smokeloader packer 1 IoCs
-
Modifies system executable filetype association 2 TTPs 11 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Blocklisted process makes network request 64 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 64 IoCs
-
Modifies Installed Components in the registry 2 TTPs 7 IoCs
-
Registers COM server for autorun 1 TTPs 64 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 27 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Loads dropped DLL 64 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Checks for any installed AV software in registry 1 TTPs 6 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 6 IoCs
-
Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 10 IoCs
-
Enumerates system info in registry 2 TTPs 21 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Kills process with taskkill 11 IoCs
-
Modifies Internet Explorer settings 1 TTPs 20 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Modifies system certificate store 2 TTPs 10 IoCs
-
Suspicious behavior: AddClipboardFormatListener 11 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious behavior: LoadsDriver 8 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 41 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe"C:\Users\Admin\AppData\Local\Temp\db79d6a667294c81210d9aa4d989f35832e75151863c2d216787028ae673da50.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff82e9c4f50,0x7ff82e9c4f60,0x7ff82e9c4f703⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1664 /prefetch:23⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1908 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4408 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4736 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4864 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4748 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4968 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4916 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3696 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3248 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6080 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6360 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5732 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3360 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5412 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5380 /prefetch:83⤵
-
C:\Users\Admin\Downloads\ChromSetup.exe"C:\Users\Admin\Downloads\ChromSetup.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-9N10R.tmp\ChromSetup.tmp"C:\Users\Admin\AppData\Local\Temp\is-9N10R.tmp\ChromSetup.tmp" /SL5="$1301BA,798627,786944,C:\Users\Admin\Downloads\ChromSetup.exe"4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-G70PU.tmp\chrome.bat" install"5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\is-G70PU.tmp\\chrome.ps16⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d pejhfhcoekcajgokallhmklcjkkeemgj /f6⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "path" /t REG_SZ /d C:\\apps.crx /f6⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\Google\Chrome\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "version" /t REG_SZ /d 1.8 /f6⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d pejhfhcoekcajgokallhmklcjkkeemgj /f6⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "path" /t REG_SZ /d C:\\apps.crx /f6⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\WOW6432Node\Google\Chrome\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "version" /t REG_SZ /d 1.8 /f6⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default" --load-extension="C:\apps-helper" --no-startup-window6⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff82e9c4f50,0x7ff82e9c4f60,0x7ff82e9c4f707⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1760,211559598490726650,4239659973092791398,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1768 /prefetch:87⤵
-
C:\Windows\system32\timeout.exetimeout 16⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 16⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 16⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 16⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 86⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-G70PU.tmp\edge.bat" install"5⤵
- Checks computer location settings
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\is-G70PU.tmp\\edge.ps16⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d pejhfhcoekcajgokallhmklcjkkeemgj /f6⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Edge\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "path" /t REG_SZ /d C:\\apps.crx /f6⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\Microsoft\Edge\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "version" /t REG_SZ /d 1.8 /f6⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Edge\ExtensionInstallAllowlist" /v "1" /t REG_SZ /d pejhfhcoekcajgokallhmklcjkkeemgj /f6⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\WOW6432Node\Microsoft\Edge\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "path" /t REG_SZ /d C:\\apps.crx /f6⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\WOW6432Node\Microsoft\Edge\Extensions\pejhfhcoekcajgokallhmklcjkkeemgj" /v "version" /t REG_SZ /d 1.8 /f6⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory="Default" --load-extension="C:\apps-helper" --no-startup-window6⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff82e8a46f8,0x7ff82e8a4708,0x7ff82e8a47187⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,18012099487170186369,17272598202197762278,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:27⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,18012099487170186369,17272598202197762278,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:37⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,18012099487170186369,17272598202197762278,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:87⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,18012099487170186369,17272598202197762278,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3460 /prefetch:87⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18012099487170186369,17272598202197762278,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4284 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,18012099487170186369,17272598202197762278,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4840 /prefetch:87⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,18012099487170186369,17272598202197762278,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5080 /prefetch:87⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,18012099487170186369,17272598202197762278,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5088 /prefetch:87⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,18012099487170186369,17272598202197762278,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5004 /prefetch:87⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18012099487170186369,17272598202197762278,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18012099487170186369,17272598202197762278,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,18012099487170186369,17272598202197762278,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:17⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,18012099487170186369,17272598202197762278,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5640 /prefetch:87⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,18012099487170186369,17272598202197762278,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5816 /prefetch:87⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,18012099487170186369,17272598202197762278,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2588 /prefetch:27⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,18012099487170186369,17272598202197762278,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:87⤵
-
C:\Windows\system32\timeout.exetimeout 16⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 16⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 16⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout 86⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\is-G70PU.tmp\64.exe"C:\Users\Admin\AppData\Local\Temp\is-G70PU.tmp\64.exe" --system-level5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-G70PU.tmp\CR_095E9.tmp\setup.exe"C:\Users\Admin\AppData\Local\Temp\is-G70PU.tmp\CR_095E9.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\is-G70PU.tmp\CR_095E9.tmp\CHROME.PACKED.7Z" --system-level6⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\is-G70PU.tmp\CR_095E9.tmp\setup.exeC:\Users\Admin\AppData\Local\Temp\is-G70PU.tmp\CR_095E9.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --annotation=plat=Win64 --annotation=prod=Chromnius --annotation=ver=109.0.5386.0 --initial-client-data=0x260,0x264,0x268,0x23c,0x26c,0x7ff7a86c7f80,0x7ff7a86c7f90,0x7ff7a86c7fa07⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-G70PU.tmp\CR_095E9.tmp\setup.exe"C:\Users\Admin\AppData\Local\Temp\is-G70PU.tmp\CR_095E9.tmp\setup.exe" --system-level --verbose-logging --create-shortcuts=0 --install-level=17⤵
-
C:\Users\Admin\AppData\Local\Temp\is-G70PU.tmp\CR_095E9.tmp\setup.exeC:\Users\Admin\AppData\Local\Temp\is-G70PU.tmp\CR_095E9.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --annotation=plat=Win64 --annotation=prod=Chromnius --annotation=ver=109.0.5386.0 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7a86c7f80,0x7ff7a86c7f90,0x7ff7a86c7fa08⤵
- Executes dropped EXE
-
C:\Program Files\Chromnius\Application\chromnius.exe"C:\Program Files\Chromnius\Application\chromnius.exe" --from-installer7⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Program Files\Chromnius\Application\chromnius.exe"C:\Program Files\Chromnius\Application\chromnius.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Chromnius\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Chromnius\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Chromnius\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Chromnius --annotation=ver=109.0.5386.0 --initial-client-data=0x100,0x104,0x108,0xd4,0x10c,0x7ff829ffde28,0x7ff829ffde38,0x7ff829ffde488⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\Chromnius\Application\chromnius.exe"C:\Program Files\Chromnius\Application\chromnius.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Chromnius\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Chromnius\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Chromnius --annotation=ver=109.0.5386.0 --initial-client-data=0x13c,0x140,0x144,0xec,0x148,0x7ff7527a9c68,0x7ff7527a9c78,0x7ff7527a9c889⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\Chromnius\Application\chromnius.exe"C:\Program Files\Chromnius\Application\chromnius.exe" --type=gpu-process --start-stack-profiler --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=2164,i,16309565869186773222,5184715820467236005,131072 /prefetch:28⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\Chromnius\Application\chromnius.exe"C:\Program Files\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=1844 --field-trial-handle=2164,i,16309565869186773222,5184715820467236005,131072 /prefetch:88⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\Chromnius\Application\chromnius.exe"C:\Program Files\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=2164,i,16309565869186773222,5184715820467236005,131072 /prefetch:88⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\Chromnius\Application\chromnius.exe"C:\Program Files\Chromnius\Application\chromnius.exe" --type=renderer --first-renderer-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=3560 --field-trial-handle=2164,i,16309565869186773222,5184715820467236005,131072 /prefetch:18⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Program Files\Chromnius\Application\chromnius.exe"C:\Program Files\Chromnius\Application\chromnius.exe" --type=renderer --extension-process --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=3468 --field-trial-handle=2164,i,16309565869186773222,5184715820467236005,131072 /prefetch:18⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Program Files\Chromnius\Application\chromnius.exe"C:\Program Files\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3996 --field-trial-handle=2164,i,16309565869186773222,5184715820467236005,131072 /prefetch:88⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\Chromnius\Application\chromnius.exe"C:\Program Files\Chromnius\Application\chromnius.exe" --type=renderer --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --mojo-platform-channel-handle=4460 --field-trial-handle=2164,i,16309565869186773222,5184715820467236005,131072 /prefetch:18⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\Chromnius\Application\chromnius.exe"C:\Program Files\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=2164,i,16309565869186773222,5184715820467236005,131072 /prefetch:88⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\Chromnius\Application\chromnius.exe"C:\Program Files\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4696 --field-trial-handle=2164,i,16309565869186773222,5184715820467236005,131072 /prefetch:88⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\Chromnius\Application\chromnius.exe"C:\Program Files\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5040 --field-trial-handle=2164,i,16309565869186773222,5184715820467236005,131072 /prefetch:88⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\Chromnius\Application\chromnius.exe"C:\Program Files\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5208 --field-trial-handle=2164,i,16309565869186773222,5184715820467236005,131072 /prefetch:88⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\Chromnius\Application\chromnius.exe"C:\Program Files\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5232 --field-trial-handle=2164,i,16309565869186773222,5184715820467236005,131072 /prefetch:88⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\Chromnius\Application\chromnius.exe"C:\Program Files\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5620 --field-trial-handle=2164,i,16309565869186773222,5184715820467236005,131072 /prefetch:88⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\Chromnius\Application\chromnius.exe"C:\Program Files\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5676 --field-trial-handle=2164,i,16309565869186773222,5184715820467236005,131072 /prefetch:88⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\Chromnius\Application\chromnius.exe"C:\Program Files\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5652 --field-trial-handle=2164,i,16309565869186773222,5184715820467236005,131072 /prefetch:88⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\Chromnius\Application\chromnius.exe"C:\Program Files\Chromnius\Application\chromnius.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6132 --field-trial-handle=2164,i,16309565869186773222,5184715820467236005,131072 /prefetch:88⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\Chromnius\Application\chromnius.exe"C:\Program Files\Chromnius\Application\chromnius.exe" --type=renderer --extension-process --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=6308 --field-trial-handle=2164,i,16309565869186773222,5184715820467236005,131072 /prefetch:18⤵
- Executes dropped EXE
-
C:\Program Files\Chromnius\Application\chromnius.exe"C:\Program Files\Chromnius\Application\chromnius.exe" --type=renderer --extension-process --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=6500 --field-trial-handle=2164,i,16309565869186773222,5184715820467236005,131072 /prefetch:18⤵
- Executes dropped EXE
-
C:\Program Files\Chromnius\Application\109.0.5386.0\Installer\chrmstp.exe"C:\Program Files\Chromnius\Application\109.0.5386.0\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings8⤵
- Executes dropped EXE
-
C:\Program Files\Chromnius\Application\109.0.5386.0\Installer\chrmstp.exe"C:\Program Files\Chromnius\Application\109.0.5386.0\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --annotation=plat=Win64 --annotation=prod=Chromnius --annotation=ver=109.0.5386.0 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6bb967f80,0x7ff6bb967f90,0x7ff6bb967fa09⤵
- Executes dropped EXE
-
C:\Program Files\Chromnius\Application\109.0.5386.0\Installer\chrmstp.exe"C:\Program Files\Chromnius\Application\109.0.5386.0\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Chromnius\Application\master_preferences" --create-shortcuts=1 --install-level=09⤵
- Executes dropped EXE
-
C:\Program Files\Chromnius\Application\109.0.5386.0\Installer\chrmstp.exe"C:\Program Files\Chromnius\Application\109.0.5386.0\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --annotation=plat=Win64 --annotation=prod=Chromnius --annotation=ver=109.0.5386.0 --initial-client-data=0x220,0x224,0x228,0x200,0x22c,0x7ff6bb967f80,0x7ff6bb967f90,0x7ff6bb967fa010⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-G70PU.tmp\close.bat" install"5⤵
-
C:\Windows\system32\timeout.exetimeout 16⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell.exe -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\is-G70PU.tmp\\chromnius.ps16⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g0ijumgf\g0ijumgf.cmdline"7⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES352.tmp" "c:\Users\Admin\AppData\Local\Temp\g0ijumgf\CSC2BE66601F7974EE9BEEF279A8B99E9C0.TMP"8⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /IM chrome.exe /T6⤵
- Kills process with taskkill
-
C:\Windows\system32\taskkill.exetaskkill /F /IM msedge.exe /T6⤵
- Kills process with taskkill
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist" /v "1" /t REG_SZ /d pejhfhcoekcajgokallhmklcjkkeemgj /f6⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallForcelist" /v "1" /t REG_SZ /d pejhfhcoekcajgokallhmklcjkkeemgj /f6⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist" /v "1" /t REG_SZ /d pejhfhcoekcajgokallhmklcjkkeemgj /f6⤵
-
C:\Windows\system32\reg.exeREG ADD "HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Edge\ExtensionInstallForcelist" /v "1" /t REG_SZ /d pejhfhcoekcajgokallhmklcjkkeemgj /f6⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1620,12913417202416927604,8590548709043098166,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3012 /prefetch:83⤵
-
C:\Users\Admin\AppData\Local\Temp\7F32.exeC:\Users\Admin\AppData\Local\Temp\7F32.exe2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Wuwedteata.tmp",Tiuqiiueaur3⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- outlook_office_path
- outlook_win_path
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 225354⤵
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 5283⤵
- Program crash
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ff82e9c4f50,0x7ff82e9c4f60,0x7ff82e9c4f703⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2028 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1772 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1704 /prefetch:23⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2880 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2888 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3504 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3724 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3840 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4380 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4540 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5164 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5128 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5428 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2712 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3840 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level3⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff77a82a890,0x7ff77a82a8a0,0x7ff77a82a8b04⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5656 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6300 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6272 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3356 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6512 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=228 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=812 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1920 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1916 /prefetch:13⤵
- Executes dropped EXE
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:13⤵
-
C:\Users\Admin\Downloads\driver_booster_setup.exe"C:\Users\Admin\Downloads\driver_booster_setup.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-65SHP.tmp\driver_booster_setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-65SHP.tmp\driver_booster_setup.tmp" /SL5="$6034C,27993564,139264,C:\Users\Admin\Downloads\driver_booster_setup.exe"4⤵
- Executes dropped EXE
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1720,577879974677499870,1712958558283514141,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff82e8a46f8,0x7ff82e8a4708,0x7ff82e8a47183⤵
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"2⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode4⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Registers COM server for autorun
- Checks computer location settings
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\21.220.1024.0005\FileSyncConfig.exe"5⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe/updateInstalled /background5⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Registers COM server for autorun
- Checks computer location settings
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\driver_booster_setup.exe"C:\Users\Admin\Downloads\driver_booster_setup.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-SC2BM.tmp\driver_booster_setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-SC2BM.tmp\driver_booster_setup.tmp" /SL5="$4030A,27993564,139264,C:\Users\Admin\Downloads\driver_booster_setup.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\is-99509.tmp-dbinst\setup.exe"C:\Users\Admin\AppData\Local\Temp\is-99509.tmp-dbinst\setup.exe" "C:\Users\Admin\Downloads\driver_booster_setup.exe" /title="Driver Booster 10" /dbver=10.0.0.65 /eula="C:\Users\Admin\AppData\Local\Temp\is-99509.tmp-dbinst\EULA.rtf" /showlearnmore /pmtproduct /nochromepmt4⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\Downloads\driver_booster_setup.exe"C:\Users\Admin\Downloads\driver_booster_setup.exe" /sp- /verysilent /Installer /norestart /DIR="C:\Program Files (x86)\IObit\Driver Booster" /Installer-DeskIcon /Installer-TaskIcon5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-5NE97.tmp\driver_booster_setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-5NE97.tmp\driver_booster_setup.tmp" /SL5="$9035C,27993564,139264,C:\Users\Admin\Downloads\driver_booster_setup.exe" /sp- /verysilent /Installer /norestart /DIR="C:\Program Files (x86)\IObit\Driver Booster" /Installer-DeskIcon /Installer-TaskIcon6⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\HWiNFO\HWiNFO.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\HWiNFO\HWiNFO.exe" /brandname7⤵
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\CareScan.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\CareScan.exe" /savefile /silentscan /low /output="C:\Program Files (x86)\IObit\Driver Booster\10.0.0\ScanData\ScanResult_all.ini"7⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Enumerates connected drives
- Drops file in Program Files directory
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\TaskbarPin\ICONPIN64.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\TaskbarPin\ICONPIN64.exe" pin "C:\Program Files (x86)\IObit\Driver Booster\10.0.0\DriverBooster.exe"7⤵
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\SetupHlp.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\SetupHlp.exe" /install /setup="C:\Users\Admin\Downloads\driver_booster_setup.exe"7⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\RttHlp.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\RttHlp.exe" /winstdate8⤵
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\InstStat.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\InstStat.exe" /install db107⤵
- Executes dropped EXE
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\DriverBooster.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\DriverBooster.exe" /autoscan5⤵
- Executes dropped EXE
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies system certificate store
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\HWiNFO\HWiNFO.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\HWiNFO\HWiNFO.exe" /brandname6⤵
- Executes dropped EXE
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\Manta.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\Manta.exe" /CommStat /DoCommStat /Code="a602" /Days=06⤵
- Executes dropped EXE
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\AutoUpdate.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\AutoUpdate.exe" /main /App=db10 /MainHwnd=06⤵
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\ChangeIcon.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\ChangeIcon.exe" /0 "C:\Program Files (x86)\IObit\Driver Booster\10.0.0\Icons\Main\"6⤵
- Executes dropped EXE
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\NoteIcon.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\NoteIcon.exe" "C:\Program Files (x86)\IObit\Driver Booster\10.0.0\DriverBooster.exe"6⤵
- Executes dropped EXE
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\Manta.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\Manta.exe" /CommStat /DoCommStat /Code="B100" /Days=76⤵
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\Manta.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\Manta.exe" /CommStat /DoCommStat /Code="A100" /Days=06⤵
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\RttHlp.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\RttHlp.exe" /cnt6⤵
- Executes dropped EXE
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\FaultFixes.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\FaultFixes.exe" /fix-errorcode-16⤵
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\RttHlp.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\RttHlp.exe" /stat6⤵
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\AUpdate.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\AUpdate.exe" /u http://stats.iobit.com/active_month.php /a db10 /p iobit /v 10.0.0.65 /t 1 /d 7 /db /user7⤵
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\SetupHlp.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\SetupHlp.exe" /afterupgrade6⤵
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\FaultFixes.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\FaultFixes.exe" /fix-clean-16⤵
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\Manta.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\Manta.exe" /CommStat /DoCommStat /Code="B101" /Days=76⤵
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\Manta.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\Manta.exe" /CommStat /DoCommStat /Code="A101" /Days=06⤵
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\DBDownloader.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\DBDownloader.exe" {"proxytype":0,"task":[{"exp":"C:\\Program Files (x86)\\IObit\\Driver Booster\\10.0.0\\Database\\Scan\\WhiteList.db","u":"http://www.cd4o.com/drivers/wlst/5c491951c5c6c9814d995afeafa86716.wlst","t":3,"p":"C:\\Program Files (x86)\\IObit\\Driver Booster\\10.0.0\\Database\\Scan\\WhiteListtmp","m":"5c491951c5c6c9814d995afeafa86716","d":false}],"downtype":1}6⤵
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\Manta.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\Manta.exe" /CommStat /DoCommStatEx /Code="b700" /Days=7 /PostNow=0 /WaitFor=0 /ExParam=""6⤵
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\Manta.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\Manta.exe" /CommStat /DoCommStatEx /Code="a700" /Days=0 /PostNow=0 /WaitFor=0 /ExParam=""6⤵
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\DBDownloader.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\DBDownloader.exe" {"proxytype":0,"hosthandle":263464,"timeout":10,"id":16673,"task":[{"u":"http://download.windowsupdate.com/d/msdownload/update/driver/drvs/2017/07/200049213_66128c0ee9f39577ded40554e5912f3ed2046d07.cab","t":0,"p":""},{"u":"http://download.windowsupdate.com/d/msdownload/update/driver/drvs/2013/07/20578753_999fee3ed6b5ef3a08f51ced090c4827a420736e.cab","t":0,"p":""}],"downtype":4}6⤵
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\ChangeIcon.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\ChangeIcon.exe" /1 "C:\Program Files (x86)\IObit\Driver Booster\10.0.0\Icons\Main\"6⤵
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\Manta.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\Manta.exe" /CommStat /DoCommStatEx /Code="b208" /Days=7 /PostNow=-1 /WaitFor=0 /ExParam=""6⤵
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\Manta.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\Manta.exe" /CommStat /DoCommStatEx /Code="a208" /Days=0 /PostNow=-1 /WaitFor=0 /ExParam=""6⤵
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\Manta.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\Manta.exe" /CommStat /PostCommStat /Days=7 /Wait=0 /Path=""6⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.iobit.com/appgoto.php?to=install&name=db&ver=10.0.0.65&lan=&ref=db10&type=free5⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff82d7c46f8,0x7ff82d7c4708,0x7ff82d7c47186⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,14065856291681173313,172230071543224847,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:26⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,14065856291681173313,172230071543224847,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:36⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,14065856291681173313,172230071543224847,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:86⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14065856291681173313,172230071543224847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2776 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14065856291681173313,172230071543224847,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2104,14065856291681173313,172230071543224847,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=5260 /prefetch:86⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14065856291681173313,172230071543224847,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,14065856291681173313,172230071543224847,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,14065856291681173313,172230071543224847,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5808 /prefetch:86⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,14065856291681173313,172230071543224847,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5936 /prefetch:86⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,14065856291681173313,172230071543224847,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3668 /prefetch:86⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,14065856291681173313,172230071543224847,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3668 /prefetch:86⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,14065856291681173313,172230071543224847,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5132 /prefetch:86⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=price_comparison_service.mojom.DataProcessor --field-trial-handle=2104,14065856291681173313,172230071543224847,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5228 /prefetch:86⤵
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\SetupHlp.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\SetupHlp.exe" /afterinstall /setup="C:\Users\Admin\AppData\Local\Temp\is-99509.tmp-dbinst\setup.exe"5⤵
-
C:\Program Files (x86)\IObit\Driver Booster\10.0.0\IObitDownloader.exe"C:\Program Files (x86)\IObit\Driver Booster\10.0.0\IObitDownloader.exe" "/Config=http://update.iobit.com/infofiles/db/rmd/freeware-db.upt" /show /lang=English.lng /product=db10 "iTop VPN Installer B" "IFun Screen Recorder Installer" "iTop PDF Installer"5⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\ProgramData\IObit\Driver Booster\Downloader\db10\iTopSetup.exe"C:\ProgramData\IObit\Driver Booster\Downloader\db10\iTopSetup.exe" /sp- /verysilent /suppressmsgboxes /norestart /insur=db_in_fre6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-J565K.tmp\iTopSetup.tmp"C:\Users\Admin\AppData\Local\Temp\is-J565K.tmp\iTopSetup.tmp" /SL5="$40436,26434005,141312,C:\ProgramData\IObit\Driver Booster\Downloader\db10\iTopSetup.exe" /sp- /verysilent /suppressmsgboxes /norestart /insur=db_in_fre7⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\is-SQRBO.tmp\ugin.exe"C:\Users\Admin\AppData\Local\Temp\is-SQRBO.tmp\ugin.exe" /kill /UPGRADE8⤵
-
C:\Windows\SysWOW64\taskkill.exe"taskkill.exe" /f /im "ugin.exe"8⤵
- Kills process with taskkill
-
C:\Program Files (x86)\iTop VPN\ugin.exe"C:\Program Files (x86)\iTop VPN\ugin.exe" /kill /updagrade8⤵
-
C:\Program Files (x86)\iTop VPN\ugin.exe"C:\Program Files (x86)\iTop VPN\ugin.exe" /init /ver 4.2.0.3790 /force /f /inspkg "C:\ProgramData\IObit\Driver Booster\Downloader\db10\iTopSetup.exe" /insur "db_in_fre" /PINTOTASKBAR8⤵
- Checks computer location settings
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c sc stop windivert9⤵
-
C:\Windows\SysWOW64\sc.exesc stop windivert10⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd.exe /c sc stop windivert9⤵
-
C:\Windows\SysWOW64\sc.exesc stop windivert10⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\cmd.execmd.exe /c sc delete windivert9⤵
-
C:\Windows\SysWOW64\sc.exesc delete windivert10⤵
- Launches sc.exe
-
C:\Program Files (x86)\iTop VPN\icop64.exe"C:\Program Files (x86)\iTop VPN\icop64.exe" Pin "C:\Program Files (x86)\iTop VPN\iTopVPN.exe"9⤵
-
C:\Program Files (x86)\iTop VPN\ugin.exe"C:\Program Files (x86)\iTop VPN\ugin.exe" /checkwelcome9⤵
-
C:\Program Files (x86)\iTop VPN\iTopVPN.exe"C:\Program Files (x86)\iTop VPN\iTopVPN.exe" /installinit8⤵
-
C:\Program Files (x86)\iTop VPN\ullc.exe"C:\Program Files (x86)\iTop VPN\ullc.exe"8⤵
-
C:\Program Files (x86)\iTop VPN\ugin.exe"C:\Program Files (x86)\iTop VPN\ugin.exe" /setlan "English"8⤵
-
C:\Program Files (x86)\iTop VPN\unpr.exe"C:\Program Files (x86)\iTop VPN\unpr.exe" /install itop48⤵
-
C:\Program Files (x86)\iTop VPN\iTopVPN.exe"C:\Program Files (x86)\iTop VPN\iTopVPN.exe" /install8⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in Program Files directory
-
C:\Program Files (x86)\iTop VPN\aud.exe"C:\Program Files (x86)\iTop VPN\aud.exe" /u https://stats.itopvpn.com/active_month.php /a itop4 /p itopf /v 4.2.0.3790 /t 10 /d 7 / /user9⤵
-
C:\Program Files (x86)\iTop VPN\aud.exe"C:\Program Files (x86)\iTop VPN\aud.exe" /itop /dayactive9⤵
-
C:\Program Files (x86)\iTop VPN\atud.exe"C:\Program Files (x86)\iTop VPN\atud.exe" /auto9⤵
- Checks computer location settings
-
C:\Program Files (x86)\iTop VPN\Pub\itopbf.exe"C:\Program Files (x86)\iTop VPN\Pub\itopbf.exe" /vpn10⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c ipconfig /flushdns9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /flushdns10⤵
- Gathers network information
-
C:\Program Files (x86)\iTop VPN\iTopVPNMini.exe"C:\Program Files (x86)\iTop VPN\iTopVPNMini.exe" /antrun /install /state 09⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c sc stop itvwd9⤵
-
C:\Windows\SysWOW64\sc.exesc stop itvwd10⤵
- Launches sc.exe
-
C:\Windows\SYSTEM32\secedit.exesecedit /export /cfg C:\Users\Admin\AppData\Local\Temp\5512.inf /log C:\Users\Admin\AppData\Local\Temp\753.log9⤵
-
C:\Windows\SYSTEM32\secedit.exesecedit /export /cfg C:\Users\Admin\AppData\Local\Temp\4166.inf /log C:\Users\Admin\AppData\Local\Temp\3458.log9⤵
-
C:\Windows\SysWOW64\sc.exesc start MpsSvc9⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc start MpsSvc9⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc start MpsSvc9⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exesc start MpsSvc9⤵
- Launches sc.exe
-
C:\Program Files (x86)\iTop VPN\ugin.exe"C:\Program Files (x86)\iTop VPN\ugin.exe" /combinslog "C:\Users\Admin\AppData\Local\Temp\Setup Log 2022-11-19 #004.txt"8⤵
-
C:\ProgramData\IObit\Driver Booster\Downloader\db10\ISRSetup.exe"C:\ProgramData\IObit\Driver Booster\Downloader\db10\ISRSetup.exe" /sp- /verysilent /suppressmsgboxes /NoRestart /insur=db_in6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-V1J5I.tmp\ISRSetup.tmp"C:\Users\Admin\AppData\Local\Temp\is-V1J5I.tmp\ISRSetup.tmp" /SL5="$604B6,95546839,228864,C:\ProgramData\IObit\Driver Booster\Downloader\db10\ISRSetup.exe" /sp- /verysilent /suppressmsgboxes /NoRestart /insur=db_in7⤵
- Checks computer location settings
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Local\Temp\is-MS54H.tmp\iScrInit.exe"C:\Users\Admin\AppData\Local\Temp\is-MS54H.tmp\iScrInit.exe" /CopyOldConfig /installdir=""8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-MS54H.tmp\iScrInit.exe"C:\Users\Admin\AppData\Local\Temp\is-MS54H.tmp\iScrInit.exe" /CleanReg8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-MS54H.tmp\iScrInit.exe"C:\Users\Admin\AppData\Local\Temp\is-MS54H.tmp\iScrInit.exe" /KillProcess /installdir="C:\Program Files\iTop Screen Recorder"8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-MS54H.tmp\iScrInit.exe"C:\Users\Admin\AppData\Local\Temp\is-MS54H.tmp\iScrInit.exe" /DeleteAllFile /reinstall=1 /installdir="C:\Program Files\iTop Screen Recorder"8⤵
-
C:\Program Files\iTop Screen Recorder\LocalLang.exe"C:\Program Files\iTop Screen Recorder\LocalLang.exe"8⤵
-
C:\Program Files\iTop Screen Recorder\iScrInit.exe"C:\Program Files\iTop Screen Recorder\iScrInit.exe" /reinstall=0 /insur=db_in /SetupFile="C:\ProgramData\IObit\Driver Booster\Downloader\db10\ISRSetup.exe"8⤵
-
C:\Program Files\iTop Screen Recorder\iScrInit.exe"C:\Program Files\iTop Screen Recorder\iScrInit.exe" /install8⤵
- Checks computer location settings
-
C:\Program Files\iTop Screen Recorder\GpuCheck.exe"C:\Program Files\iTop Screen Recorder\GpuCheck.exe" /GpuCheck9⤵
- Checks SCSI registry key(s)
-
C:\Program Files\iTop Screen Recorder\iScrInit.exe"C:\Program Files\iTop Screen Recorder\iScrInit.exe" /pin=08⤵
-
C:\Program Files\iTop Screen Recorder\UninstallInfo.exe"C:\Program Files\iTop Screen Recorder\UninstallInfo.exe" /install isr38⤵
-
C:\Program Files\iTop Screen Recorder\iScrInit.exe"C:\Program Files\iTop Screen Recorder\iScrInit.exe" /PostSystemInfo8⤵
- Checks computer location settings
-
C:\Program Files\iTop Screen Recorder\iScrRec.exe"C:\Program Files\iTop Screen Recorder\iScrRec.exe"8⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\iTop Screen Recorder\GpuCheck.exe"C:\Program Files\iTop Screen Recorder\GpuCheck.exe" /GpuCheck9⤵
- Executes dropped EXE
-
C:\Program Files\iTop Screen Recorder\graphics-check.exe"C:\Program Files\iTop Screen Recorder\graphics-check.exe"9⤵
-
C:\Program Files\iTop Screen Recorder\AutoUpdate.exe"C:\Program Files\iTop Screen Recorder\AutoUpdate.exe" /auto /start9⤵
-
C:\Program Files\iTop Screen Recorder\iScrInit.exe"C:\Program Files\iTop Screen Recorder\iScrInit.exe" /AutoupdateUac10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Schtasks /run /tn "iTop Screen Recorder UAC"9⤵
-
C:\Windows\system32\schtasks.exeSchtasks /run /tn "iTop Screen Recorder UAC"10⤵
-
C:\Program Files\iTop Screen Recorder\get-graphics-offsets32.exe"C:\Program Files\iTop Screen Recorder\get-graphics-offsets32.exe" /main9⤵
-
C:\Program Files\iTop Screen Recorder\get-graphics-offsets64.exe"C:\Program Files\iTop Screen Recorder\get-graphics-offsets64.exe" /main9⤵
-
C:\Program Files\iTop Screen Recorder\iScrPaint.exe"C:\Program Files\iTop Screen Recorder\iScrPaint.exe" /hwnd 524846 /rect 0 0 1280 720 /needscale 0 /shape 1 /color 1 /recordprotec 09⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 91610⤵
- Program crash
-
C:\ProgramData\IObit\Driver Booster\Downloader\db10\PDFSetup.exe"C:\ProgramData\IObit\Driver Booster\Downloader\db10\PDFSetup.exe" /sp- /verysilent /suppressmsgboxes /insur=db_inw6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-U0N30.tmp\PDFSetup.tmp"C:\Users\Admin\AppData\Local\Temp\is-U0N30.tmp\PDFSetup.tmp" /SL5="$405A2,163617026,199680,C:\ProgramData\IObit\Driver Booster\Downloader\db10\PDFSetup.exe" /sp- /verysilent /suppressmsgboxes /insur=db_inw7⤵
- Checks computer location settings
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" -f -im iTopPDF.exe8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" -f -im Launcher.exe8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" -f -im AutoUpdate.exe8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" -f -im AUpdate.exe8⤵
- Kills process with taskkill
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /u /s "C:\Program Files\iTop PDF\PDFShellExtension.dll"8⤵
-
C:\Program Files\iTop PDF\PDFInit.exe"C:\Program Files\iTop PDF\PDFInit.exe" /deletefile8⤵
-
C:\Program Files\iTop PDF\PDFInit.exe"C:\Program Files\iTop PDF\PDFInit.exe" /pintaskbar /lastversion=8⤵
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\iTop PDF\PDFShellExtension.dll"8⤵
- Modifies system executable filetype association
- Modifies registry class
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" -f -im iTopPDF.exe8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" -f -im Launcher.exe8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" -f -im AutoUpdate.exe8⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\taskkill.exe"C:\Windows\System32\taskkill.exe" -f -im AUpdate.exe8⤵
- Kills process with taskkill
-
C:\Program Files\iTop PDF\LocalLang.exe"C:\Program Files\iTop PDF\LocalLang.exe"8⤵
-
C:\Program Files\iTop PDF\PDFInit.exe"C:\Program Files\iTop PDF\PDFInit.exe" /recordver8⤵
-
C:\Program Files\iTop PDF\PDFInit.exe"C:\Program Files\iTop PDF\PDFInit.exe" /reinstall=0 /Language=English /insur=db_inw8⤵
-
C:\Program Files\iTop PDF\PDFInit.exe"C:\Program Files\iTop PDF\PDFInit.exe" /install /lastversion=8⤵
- Modifies registry class
-
C:\Program Files\iTop PDF\ICONPIN64.exe"C:\Program Files\iTop PDF\ICONPIN64.exe" Pin "C:\Program Files\iTop PDF\Launcher.exe"8⤵
-
C:\Program Files\iTop PDF\UninstallInfo.exe"C:\Program Files\iTop PDF\UninstallInfo.exe" /install pdf38⤵
-
C:\Program Files\iTop PDF\iTopPDF.exe"C:\Program Files\iTop PDF\iTopPDF.exe"8⤵
- Checks computer location settings
-
C:\Program Files\iTop PDF\iTopPDF.exe"C:\Program Files\iTop PDF\iTopPDF.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Roaming\iTop PDF" /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\iTop PDF\Crashpad" --url=https://f.a.k/e "--annotation=_productName=iTop PDF" --annotation=_version=3.1.0-26 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=19.0.17 --initial-client-data=0x468,0x470,0x474,0x464,0x478,0x7ff7a2e94270,0x7ff7a2e94280,0x7ff7a2e942909⤵
-
C:\Program Files\iTop PDF\iTopPDF.exe"C:\Program Files\iTop PDF\iTopPDF.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\iTop PDF" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1808,i,14904980365576408756,3507533383604678588,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:29⤵
-
C:\Program Files\iTop PDF\iTopPDF.exe"C:\Program Files\iTop PDF\iTopPDF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\iTop PDF" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2084 --field-trial-handle=1808,i,14904980365576408756,3507533383604678588,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:89⤵
-
C:\Program Files\iTop PDF\iTopPDF.exe"C:\Program Files\iTop PDF\iTopPDF.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\iTop PDF" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Program Files\iTop PDF\resources\app" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2324 --field-trial-handle=1808,i,14904980365576408756,3507533383604678588,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:19⤵
- Checks computer location settings
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"10⤵
-
C:\Windows\System32\reg.exeC:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid11⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "chcp 65001|powershell -command "chcp 65001|Out-Null;Add-Type -AssemblyName PresentationCore;$families=[Windows.Media.Fonts]::SystemFontFamilies;foreach($family in $families){$name='';if(!$family.FamilyNames.TryGetValue([Windows.Markup.XmlLanguage]::GetLanguage('zh-cn'),[ref]$name)){$name=$family.FamilyNames[[Windows.Markup.XmlLanguage]::GetLanguage('en-us')]}echo $name}""10⤵
-
C:\Windows\system32\chcp.comchcp 6500111⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "chcp 65001|Out-Null;Add-Type -AssemblyName PresentationCore;$families=[Windows.Media.Fonts]::SystemFontFamilies;foreach($family in $families){$name='';if(!$family.FamilyNames.TryGetValue([Windows.Markup.XmlLanguage]::GetLanguage('zh-cn'),[ref]$name)){$name=$family.FamilyNames[[Windows.Markup.XmlLanguage]::GetLanguage('en-us')]}echo $name}"11⤵
-
C:\Windows\system32\chcp.com"C:\Windows\system32\chcp.com" 6500112⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c ""C:\Program Files\iTop PDF\ProductStat.exe" /cachepath "C:\Users\Admin\AppData\Roaming\iTop PDF\Data" /appid pdf3 /pr itop /ver 3.1.0.26 /stflag b100 /type 10 /url http://stats.itopvpn.com/iusage.php /dyonce"10⤵
-
C:\Program Files\iTop PDF\ProductStat.exe"C:\Program Files\iTop PDF\ProductStat.exe" /cachepath "C:\Users\Admin\AppData\Roaming\iTop PDF\Data" /appid pdf3 /pr itop /ver 3.1.0.26 /stflag b100 /type 10 /url http://stats.itopvpn.com/iusage.php /dyonce11⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c ""C:\Program Files\iTop PDF\ProductStat.exe" /cachepath "C:\Users\Admin\AppData\Roaming\iTop PDF\Data" /appid pdf3 /pr itop /ver 3.1.0.26 /stflag a100 /type 10 /url http://stats.itopvpn.com/iusage.php /dycus 0"10⤵
-
C:\Program Files\iTop PDF\ProductStat.exe"C:\Program Files\iTop PDF\ProductStat.exe" /cachepath "C:\Users\Admin\AppData\Roaming\iTop PDF\Data" /appid pdf3 /pr itop /ver 3.1.0.26 /stflag a100 /type 10 /url http://stats.itopvpn.com/iusage.php /dycus 011⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c ""C:\Program Files\iTop PDF\PDFInit.exe" /createuactask"9⤵
-
C:\Program Files\iTop PDF\PDFInit.exe"C:\Program Files\iTop PDF\PDFInit.exe" /createuactask10⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c ""C:\Program Files\iTop PDF\PDFInit.exe" /correctautask /createexprttask"9⤵
-
C:\Program Files\iTop PDF\PDFInit.exe"C:\Program Files\iTop PDF\PDFInit.exe" /correctautask /createexprttask10⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c ""C:\Program Files\iTop PDF\AutoUpdate.exe" /main"9⤵
-
C:\Program Files\iTop PDF\AutoUpdate.exe"C:\Program Files\iTop PDF\AutoUpdate.exe" /main10⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c ""C:\Program Files\iTop PDF\AUpdate.exe" /pdf /dayactive"9⤵
-
C:\Program Files\iTop PDF\AUpdate.exe"C:\Program Files\iTop PDF\AUpdate.exe" /pdf /dayactive10⤵
-
C:\Program Files\iTop PDF\iTopPDF.exe"C:\Program Files\iTop PDF\iTopPDF.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\iTop PDF" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Program Files\iTop PDF\resources\app" --no-sandbox --no-zygote --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2832 --field-trial-handle=1808,i,14904980365576408756,3507533383604678588,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:19⤵
- Checks computer location settings
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid"10⤵
-
C:\Windows\System32\reg.exeC:\Windows\System32\REG.exe QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid11⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "chcp 65001|powershell -command "chcp 65001|Out-Null;Add-Type -AssemblyName PresentationCore;$families=[Windows.Media.Fonts]::SystemFontFamilies;foreach($family in $families){$name='';if(!$family.FamilyNames.TryGetValue([Windows.Markup.XmlLanguage]::GetLanguage('zh-cn'),[ref]$name)){$name=$family.FamilyNames[[Windows.Markup.XmlLanguage]::GetLanguage('en-us')]}echo $name}""10⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "chcp 65001|Out-Null;Add-Type -AssemblyName PresentationCore;$families=[Windows.Media.Fonts]::SystemFontFamilies;foreach($family in $families){$name='';if(!$family.FamilyNames.TryGetValue([Windows.Markup.XmlLanguage]::GetLanguage('zh-cn'),[ref]$name)){$name=$family.FamilyNames[[Windows.Markup.XmlLanguage]::GetLanguage('en-us')]}echo $name}"11⤵
-
C:\Windows\system32\chcp.com"C:\Windows\system32\chcp.com" 6500112⤵
-
C:\Windows\system32\chcp.comchcp 6500111⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c ""C:\Program Files\iTop PDF\ProductStat.exe" /cachepath "C:\Users\Admin\AppData\Roaming\iTop PDF\Data" /appid pdf3 /pr itop /ver 3.1.0.26 /stflag b100 /type 10 /url http://stats.itopvpn.com/iusage.php /dyonce"10⤵
-
C:\Program Files\iTop PDF\ProductStat.exe"C:\Program Files\iTop PDF\ProductStat.exe" /cachepath "C:\Users\Admin\AppData\Roaming\iTop PDF\Data" /appid pdf3 /pr itop /ver 3.1.0.26 /stflag b100 /type 10 /url http://stats.itopvpn.com/iusage.php /dyonce11⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c ""C:\Program Files\iTop PDF\ProductStat.exe" /cachepath "C:\Users\Admin\AppData\Roaming\iTop PDF\Data" /appid pdf3 /pr itop /ver 3.1.0.26 /stflag b619 /type 10 /url http://stats.itopvpn.com/iusage.php /dyonce /postnow"10⤵
-
C:\Program Files\iTop PDF\ProductStat.exe"C:\Program Files\iTop PDF\ProductStat.exe" /cachepath "C:\Users\Admin\AppData\Roaming\iTop PDF\Data" /appid pdf3 /pr itop /ver 3.1.0.26 /stflag b619 /type 10 /url http://stats.itopvpn.com/iusage.php /dyonce /postnow11⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c ""C:\Program Files\iTop PDF\ProductStat.exe" /cachepath "C:\Users\Admin\AppData\Roaming\iTop PDF\Data" /appid pdf3 /pr itop /ver 3.1.0.26 /stflag a619 /type 10 /url http://stats.itopvpn.com/iusage.php /dycus 0 /postnow"10⤵
-
C:\Program Files\iTop PDF\ProductStat.exe"C:\Program Files\iTop PDF\ProductStat.exe" /cachepath "C:\Users\Admin\AppData\Roaming\iTop PDF\Data" /appid pdf3 /pr itop /ver 3.1.0.26 /stflag a619 /type 10 /url http://stats.itopvpn.com/iusage.php /dycus 0 /postnow11⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c ""C:\Program Files\iTop PDF\ProductStat.exe" /cachepath "C:\Users\Admin\AppData\Roaming\iTop PDF\Data" /appid pdf3 /pr itop /ver 3.1.0.26 /stflag a100 /type 10 /url http://stats.itopvpn.com/iusage.php /dycus 0"10⤵
-
C:\Program Files\iTop PDF\ProductStat.exe"C:\Program Files\iTop PDF\ProductStat.exe" /cachepath "C:\Users\Admin\AppData\Roaming\iTop PDF\Data" /appid pdf3 /pr itop /ver 3.1.0.26 /stflag a100 /type 10 /url http://stats.itopvpn.com/iusage.php /dycus 011⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c ""C:\Program Files\iTop PDF\ProductStat.exe" /cachepath "C:\Users\Admin\AppData\Roaming\iTop PDF\Data" /appid pdf3 /pr itop /ver 3.1.0.26 /stflag b600 /type 10 /url http://stats.itopvpn.com/iusage.php /dyonce /postnow"9⤵
-
C:\Program Files\iTop PDF\ProductStat.exe"C:\Program Files\iTop PDF\ProductStat.exe" /cachepath "C:\Users\Admin\AppData\Roaming\iTop PDF\Data" /appid pdf3 /pr itop /ver 3.1.0.26 /stflag b600 /type 10 /url http://stats.itopvpn.com/iusage.php /dyonce /postnow10⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c ""C:\Program Files\iTop PDF\ProductStat.exe" /cachepath "C:\Users\Admin\AppData\Roaming\iTop PDF\Data" /appid pdf3 /pr itop /ver 3.1.0.26 /stflag a600 /type 10 /url http://stats.itopvpn.com/iusage.php /dycus 0 /postnow"9⤵
-
C:\Program Files\iTop PDF\ProductStat.exe"C:\Program Files\iTop PDF\ProductStat.exe" /cachepath "C:\Users\Admin\AppData\Roaming\iTop PDF\Data" /appid pdf3 /pr itop /ver 3.1.0.26 /stflag a600 /type 10 /url http://stats.itopvpn.com/iusage.php /dycus 0 /postnow10⤵
-
C:\Program Files\iTop PDF\iTopPDF.exe"C:\Program Files\iTop PDF\iTopPDF.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\iTop PDF" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Program Files\iTop PDF\resources\app" --no-sandbox --no-zygote --enable-blink-features --disable-blink-features --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=3416 --field-trial-handle=1808,i,14904980365576408756,3507533383604678588,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:19⤵
-
C:\Program Files\iTop PDF\iTopPDF.exe"C:\Program Files\iTop PDF\iTopPDF.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\iTop PDF" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Program Files\iTop PDF\resources\app" --no-sandbox --no-zygote --enable-blink-features --disable-blink-features --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=3428 --field-trial-handle=1808,i,14904980365576408756,3507533383604678588,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:19⤵
-
C:\Program Files\iTop PDF\iTopPDF.exe"C:\Program Files\iTop PDF\iTopPDF.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\iTop PDF" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Program Files\iTop PDF\resources\app" --no-sandbox --no-zygote --enable-blink-features --disable-blink-features --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --mojo-platform-channel-handle=3464 --field-trial-handle=1808,i,14904980365576408756,3507533383604678588,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:19⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Program Files\iTop PDF\iTopPDF.exe"C:\Program Files\iTop PDF\iTopPDF.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\iTop PDF" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Program Files\iTop PDF\resources\app" --no-sandbox --no-zygote --enable-blink-features --disable-blink-features --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --mojo-platform-channel-handle=3452 --field-trial-handle=1808,i,14904980365576408756,3507533383604678588,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:19⤵
- Checks computer location settings
-
C:\Program Files\iTop PDF\iTopPDF.exe"C:\Program Files\iTop PDF\iTopPDF.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\iTop PDF" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Program Files\iTop PDF\resources\app" --no-sandbox --no-zygote --enable-blink-features --disable-blink-features --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=3676 --field-trial-handle=1808,i,14904980365576408756,3507533383604678588,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:19⤵
- Checks computer location settings
-
C:\Program Files\iTop PDF\iTopPDF.exe"C:\Program Files\iTop PDF\iTopPDF.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\iTop PDF" --standard-schemes --secure-schemes --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --service-worker-schemes --streaming-schemes --app-path="C:\Program Files\iTop PDF\resources\app" --no-sandbox --no-zygote --enable-blink-features --disable-blink-features --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --mojo-platform-channel-handle=3632 --field-trial-handle=1808,i,14904980365576408756,3507533383604678588,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:19⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /42⤵
- Checks processor information in registry
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff82e9c4f50,0x7ff82e9c4f60,0x7ff82e9c4f703⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1732,7109973046170700511,14150062818725089446,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1792 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1732,7109973046170700511,14150062818725089446,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2996 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1732,7109973046170700511,14150062818725089446,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1732,7109973046170700511,14150062818725089446,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2600 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1732,7109973046170700511,14150062818725089446,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1744 /prefetch:23⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1732,7109973046170700511,14150062818725089446,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1732,7109973046170700511,14150062818725089446,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1732,7109973046170700511,14150062818725089446,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4508 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1732,7109973046170700511,14150062818725089446,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4692 /prefetch:83⤵
- Checks SCSI registry key(s)
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1732,7109973046170700511,14150062818725089446,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4972 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1732,7109973046170700511,14150062818725089446,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4936 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1732,7109973046170700511,14150062818725089446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1732,7109973046170700511,14150062818725089446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1732,7109973046170700511,14150062818725089446,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1732,7109973046170700511,14150062818725089446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1732,7109973046170700511,14150062818725089446,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1076 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1732,7109973046170700511,14150062818725089446,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1732,7109973046170700511,14150062818725089446,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3496 /prefetch:83⤵
-
C:\Program Files\iTop PDF\Launcher.exe"C:\Program Files\iTop PDF\Launcher.exe"2⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C iTopPDF.exe3⤵
-
C:\Program Files\iTop PDF\iTopPDF.exeiTopPDF.exe4⤵
-
C:\Program Files\iTop PDF\iTopPDF.exe"C:\Program Files\iTop PDF\iTopPDF.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Roaming\iTop PDF" /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\iTop PDF\Crashpad" --url=https://f.a.k/e "--annotation=_productName=iTop PDF" --annotation=_version=3.1.0-26 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=19.0.17 --initial-client-data=0x4a4,0x4a8,0x4ac,0x4a0,0x494,0x7ff7a2e94270,0x7ff7a2e94280,0x7ff7a2e942905⤵
- Checks SCSI registry key(s)
-
C:\Program Files\iTop PDF\iTopPDF.exe"C:\Program Files\iTop PDF\iTopPDF.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\iTop PDF" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1812,i,17205615237908686099,9129662640389527462,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:25⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c ""C:\Program Files\iTop PDF\PDFInit.exe" /createuactask"5⤵
-
C:\Program Files\iTop PDF\PDFInit.exe"C:\Program Files\iTop PDF\PDFInit.exe" /createuactask6⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /42⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"2⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff82df14f50,0x7ff82df14f60,0x7ff82df14f703⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2012 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1644 /prefetch:23⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2492 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2900 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2756 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4556 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4696 /prefetch:83⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4820 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4944 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5108 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3692 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3876 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1692 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2996 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5488 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5512 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4776 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5976 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6060 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2320 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5980 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5380 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6180 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6096 /prefetch:23⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3232 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5672 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1384 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,15358341706416814073,5729005099134023850,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6176 /prefetch:83⤵
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"2⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"2⤵
- Drops startup file
-
C:\Windows\SysWOW64\attrib.exeattrib +h .3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q3⤵
- Modifies file permissions
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 130131668866368.bat3⤵
-
C:\Users\Admin\Desktop\@WanaDecryptor@.exe@WanaDecryptor@.exe co3⤵
- Checks computer location settings
-
C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exe4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /b @WanaDecryptor@.exe vs3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Users\Admin\Desktop\@WanaDecryptor@.exe@WanaDecryptor@.exe vs4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet5⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete6⤵
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe3⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "zywnfqwizjcp627" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f3⤵
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "zywnfqwizjcp627" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f4⤵
- Modifies registry key
-
C:\Users\Admin\Desktop\@WanaDecryptor@.exe@WanaDecryptor@.exe3⤵
-
C:\Users\Admin\Desktop\taskse.exetaskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe3⤵
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe3⤵
-
C:\Users\Admin\Desktop\@WanaDecryptor@.exe@WanaDecryptor@.exe3⤵
-
C:\Users\Admin\Desktop\taskse.exetaskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe3⤵
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe3⤵
-
C:\Users\Admin\Desktop\taskse.exetaskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe3⤵
-
C:\Users\Admin\Desktop\@WanaDecryptor@.exe@WanaDecryptor@.exe3⤵
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe3⤵
-
C:\Users\Admin\Desktop\taskse.exetaskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe3⤵
-
C:\Users\Admin\Desktop\@WanaDecryptor@.exe@WanaDecryptor@.exe3⤵
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe3⤵
-
C:\Users\Admin\Desktop\@WanaDecryptor@.exe@WanaDecryptor@.exe3⤵
-
C:\Users\Admin\Desktop\taskse.exetaskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe3⤵
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe3⤵
-
C:\Users\Admin\Desktop\@WanaDecryptor@.exe@WanaDecryptor@.exe3⤵
-
C:\Users\Admin\Desktop\taskse.exetaskse.exe C:\Users\Admin\Desktop\@WanaDecryptor@.exe3⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4564 -ip 45641⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\AppData\Roaming\vwfcehvC:\Users\Admin\AppData\Roaming\vwfcehv1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k LocalService1⤵
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windows mail\cloud_icon.dll",YA9RMXE=2⤵
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files\iTop Screen Recorder\iScrInit.exe"C:\Program Files\iTop Screen Recorder\iScrInit.exe" /UAC1⤵
- Checks computer location settings
-
C:\Program Files\iTop Screen Recorder\AUpdate.exe"C:\Program Files\iTop Screen Recorder\AUpdate.exe" /u http://stats.itopvpn.com/iactive_month.php /a isr3 /p itop /v 3.2.0.1168 /t 1 /d 72⤵
-
C:\Program Files\iTop Screen Recorder\AUpdate.exe"C:\Program Files\iTop Screen Recorder\AUpdate.exe" /isr /dayactive2⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x308 0x4cc1⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5992 -ip 59921⤵
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Executes dropped EXE
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"1⤵
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6220_1936316300\ChromeRecovery.exe"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir6220_1936316300\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={cafb396e-0b4a-410e-90bb-e04feeee65aa} --system2⤵
-
C:\Users\Admin\AppData\Roaming\vwfcehvC:\Users\Admin\AppData\Roaming\vwfcehv1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Change Default File Association
1Registry Run Keys / Startup Folder
5Modify Existing Service
1Hidden Files and Directories
1Defense Evasion
Modify Registry
8File Deletion
1Impair Defenses
1File Permissions Modification
1Install Root Certificate
1Hidden Files and Directories
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datFilesize
40B
MD52141e916c95cfa9ad154136321e16bab
SHA1e5eca565f7d6e04aacb92e2d334f0dbf39c799b0
SHA256dadff5e5eaa502c91cf8cc77b20dbd3b166efcf1f4f39536d98e73121895d275
SHA5120b59ccda76d76ab5142273153d4a57bbd8eb112b3d2c46d08448113fb0fb178c5927d5855d33e43dc3376c9196dde6c924bbf021b914363c2d7e2f931b2c07a7
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datFilesize
40B
MD52141e916c95cfa9ad154136321e16bab
SHA1e5eca565f7d6e04aacb92e2d334f0dbf39c799b0
SHA256dadff5e5eaa502c91cf8cc77b20dbd3b166efcf1f4f39536d98e73121895d275
SHA5120b59ccda76d76ab5142273153d4a57bbd8eb112b3d2c46d08448113fb0fb178c5927d5855d33e43dc3376c9196dde6c924bbf021b914363c2d7e2f931b2c07a7
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata\computed_hashes.jsonFilesize
10KB
MD590f880064a42b29ccff51fe5425bf1a3
SHA16a3cae3996e9fff653a1ddf731ced32b2be2acbf
SHA256965203d541e442c107dbc6d5b395168123d0397559774beae4e5b9abc44ef268
SHA512d9cbfcd865356f19a57954f8fd952caf3d31b354112766c41892d1ef40bd2533682d4ec3f4da0e59a5397364f67a484b45091ba94e6c69ed18ab681403dfd3f3
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_metadata\verified_contents.jsonFilesize
7KB
MD50834821960cb5c6e9d477aef649cb2e4
SHA17d25f027d7cee9e94e9cbdee1f9220c8d20a1588
SHA25652a24fa2fb3bcb18d9d8571ae385c4a830ff98ce4c18384d40a84ea7f6ba7f69
SHA5129aeafc3ece295678242d81d71804e370900a6d4c6a618c5a81cacd869b84346feac92189e01718a7bb5c8226e9be88b063d2ece7cb0c84f17bb1af3c5b1a3fc4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\FaviconsFilesize
28KB
MD53b0c359be60d5111473cbb9106955b34
SHA1d4c32e30de5f17946cd501fa5e2661d27dceb0c9
SHA256b466710bf666877c6e854887d56e7be236a5ebaba19ab024725be00d5d8ddf3e
SHA5124002c190dc8736417319ba5e7bf0207c5e22cc71dd655b50e57ba3cfc066f6452af1e1b37f1ea7d68ae224ccbf15691de9251f577d61de43cdbb60f5fdb0c828
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\HistoryFilesize
116KB
MD553518ca2fef85234cc8eeb98d94f295f
SHA17e29cc19d9109ff4343d3dcde286e475767fe6de
SHA256bcdc9287a2a615720a13f11441764b8b684207be441ae2c9853975235a542151
SHA512261b5cc9d2974428b941cff62e99681fc40d3495bf22026d9b9f8fefcaf0ed22b04e7c85f41ed5f87ef1d689a12e0f542baddfd849630484697e3789ed84a15c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOGFilesize
329B
MD55ec64a9aa9ba6e13d99461dca531f690
SHA1ed8817da86ef37ac0d1d2dec107d5be212ff758c
SHA2560890b3533e3c1fd7e798493ec472b89b29e1747429faefb82264d28f57b3454c
SHA51259e8d4b0b10ca82ec4ee3e041a09d7fbfec8327b26e9b2479101e4f31ca0cad27976d9368504bb41ebb0d47912c8e92b440c4d72b5df5cf23810c0690420916f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD5c2040f0ac8c2811da8e40e2bf2e025d9
SHA17528ded7d83344606efbd07ff8063c157682e929
SHA256d76bee7d5c5559accc75b58a026f2141bf7768884bd30b1d7803ce22b2d54875
SHA512548171da5bf06348c354dc18943b4a43d4695edbbd77e0a4cb95f897cdb5d393d3f2a802b9fc433f1ce0cfdb32009baf92cf681f47c171329c307eb3c27c2b79
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
17KB
MD55d127f537d1e778fe2bca76986bcaff8
SHA1b50bf984b9406b3ee07861973001a2315cf5917a
SHA25642493ec4d87c4653f6d5f211f44b81da88046ae2f7a333389d8aa195a3d9c846
SHA5121a5be90ac143d342133e2dd1e7a8cd99b1323894358de0e0312dce1192ccdf2841723633c6569e8963d5b47eba03945ffcd1d4fa71c61776b496329a5f4c91c6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Session_13313339332993794Filesize
36KB
MD5597412bce4a16c0e74f56e2ae31e504d
SHA1b99697f4f4fa45e39851209f4a5125b651c7f463
SHA25680721a884fc0399804976f5a862c82c763612de19cb151d0222fb5229d1b3651
SHA512bdcc532d58a2a98c65d612334f99caec127c103cb70554dc706f0761139ea8485ee73abafef239d0666702021977b5256164b425753e7ec1a7ebbd367e177478
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13313339334028794Filesize
8KB
MD5226b5dde153d7ead28b5bbd1284e3be9
SHA108ea59dfe1a37c2a8e8dacbbe858dc509a0d054d
SHA256bf6291bb98656889cede938a512c2f4cfc611f3b18b2c21ebc7acaff3553af25
SHA5124d483a86058186580a11c90299c31a48323e3945d51683745d8138128e131a92da1b509727b5532297ca0ee32ded51047e49bc91074d4a306e8c143d90ab36ee
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000003.logFilesize
184B
MD532afd00f3ece9f8daa87c8998dd39969
SHA178b3407558ac787b6af1d682417d9257b5b3a90b
SHA256062cd71b84c6814c75e5ed9c1502e603b157bbe201333365fbe2ee197eee1104
SHA5126af99f6a047891f4914f3b54a27b591ba7b65385c1140d0324e0ad1da7e30abe05955e1441c03096418d5c5917d0c54c42a3f5a70aed4fdf8e5dc195fb3a4a29
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOGFilesize
345B
MD5f0f3f27712f5070fbf11f6e28f21a048
SHA14ceba2f4438bdfb3a6481cde7689e4441cb4a963
SHA256b6725cb5c58fa872c2ea4fb0279075c868068227e8215779d2215495acea653a
SHA512a8fce49c0cf86927a26442cca674765adfab922681c1cf5e9efafa82ee5a0d461b5780e39ed7d5a8966838f601fefc9d7446d4a78e6009ec3a595d73dc166d10
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.logFilesize
160B
MD5de92ad90be6d3364745b2f73f4c3cf73
SHA19158681463bd30e5af4dda4baac81f93cedbda77
SHA2560025a3e0d3b834401b3b5f820e1991ef7e810d9a4b8b6b579e6301c94e7031a0
SHA5129e81cefc195439439f4b23ee7696309d7bc3c08e5b444d2abde26d2f12b2d3bcfd124fb9a2d40c6389e9f787741676fad366a2e9982674e7b931028c014d8a79
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOGFilesize
321B
MD52beec767ec18f9d27cfc7e377c60aa7b
SHA1d86fc58a302ef2a595919519d79da5ea95e0f6be
SHA2566b2f555e83be563e4bebe95828a37225feeb14766f62a7174303d73d487e1b6e
SHA51268a4f11dd862a6fe4ea2a765bfc60675dc7a6766a628112414444ee2e525f9f00b3b8b53d7a43869ee4c26faf4b504e6e121ed099300e53b54e880620a6b5b53
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited LinksFilesize
128KB
MD59014570112a4639039a24438e0f6f265
SHA1edac8b2b44bd35a57b38ad9b04ee8967ffb1e3bb
SHA256502f9b98790bb3bf6803d1044e35b8985e372b051f284ec8726fb333c5f039e2
SHA512be6de37c7e6f403cf1d96773698ba5ba9cb541692d306cc107b4b2a46181e130ce3132dea8b3cc802a6fbcd0274b507f0e82b1c5f5488605e5707ecd31eba022
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web DataFilesize
88KB
MD5f1ce8111251b0b0afdfc85ce3d1ca626
SHA18630b4d960e48d9f01e0eb474681f3d75a67219b
SHA25649a6f39eda6bfa316090a50e9aad40cfe8ab78ce10bdb4611866937c20d1707a
SHA5126c65ebb90a005b8a174d09eae02fa0b53f141c0bc98ab777f6465d18564001b41a440bdf1d76b04d93f4682051c4c93bd4b039281833ba1fd53133f010f90c13
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last VersionFilesize
13B
MD5b63048c4e7e52c52053d25da30d9c5ab
SHA1679a44d402f5ec24605719e06459f5a707989187
SHA256389caa40ea458e84bc624a9af1e0dec60fa652b2db2b81c09b1dfe22822cc3d1
SHA512e86c58c5a25e24f21ad79ed526a90c120a09c115f4820663bd2ebbc59e7bb1c4c418267eb77645522aa20b2c1b53fba8e31690db7bae9b21e4eff3db06316359
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
103KB
MD5f3ea0e0100eb87f807f118df453805ad
SHA14ed64fdd9b478bbcaace80f8db734ce6d9732b3c
SHA25665dfba4d9354756030aeb868204692f6d8a682b7799dbb18b88dab40ff61233f
SHA512cdff7ab5d442b352507ad38593772e03ff58f290bcdf4e6eddf748a71abc9a5c2caf25eda3e3593abe63df0ac790c68aebee5595bcf73ece7edab006486ebb6b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
103KB
MD51da3d13165c7d3536ac48fea221692c9
SHA16dcaf5c71a7f91abafe94fc2b6049f2414d0d07e
SHA256bebfc5d42c160f11bee0fd049e8c8f42f81f2fb460b8dc919e93fc65aa947cce
SHA512a39e80d680239eab7cc23e9315c41afb64763154766ae3eabcc4315e1ae68cbcdc93a36662e6b226ab516202a63a81b18f084a794afbbbfac5323853f03971c9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\CachesMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\7F32.exeFilesize
1.1MB
MD51e128c8d4692ee6fc5817f61e3acf6cf
SHA150c6ca5e5b0cf70ef534124495bd93063708a060
SHA2563a3e054f3a6902fe31c8fe8854d67cc3f2ddcd34b2c6c52a06a925c41e86125b
SHA512ced518530ba380dec2e7737286a14e24d15db808f126f43637145031e56941964a726737e94fa8d973351aea4c64a7333f88e17bdf7fc0afd6905d593c1d5314
-
C:\Users\Admin\AppData\Local\Temp\7F32.exeFilesize
1.1MB
MD51e128c8d4692ee6fc5817f61e3acf6cf
SHA150c6ca5e5b0cf70ef534124495bd93063708a060
SHA2563a3e054f3a6902fe31c8fe8854d67cc3f2ddcd34b2c6c52a06a925c41e86125b
SHA512ced518530ba380dec2e7737286a14e24d15db808f126f43637145031e56941964a726737e94fa8d973351aea4c64a7333f88e17bdf7fc0afd6905d593c1d5314
-
C:\Users\Admin\AppData\Local\Temp\Wuwedteata.tmpFilesize
752KB
MD5ad4fe6dd11eca5f7254e0e00ed47d984
SHA1e809de0322d74dd4642f215f46f22b3a9b7caa21
SHA2566ecc725eab418e27d8fa2f1031fce6bc119d677b8d72e0447050a87489e8e0ca
SHA512d09f4f9a94f34fe1a6f5fe78ec32e91026fe07263183d4d41c4a51cfa7ee5fbc1b38d2ebeda20a717a2a730af011d73d113decb3ae2fe9db50530c095cf33ea3
-
C:\Users\Admin\AppData\Local\Temp\Wuwedteata.tmpFilesize
752KB
MD5ad4fe6dd11eca5f7254e0e00ed47d984
SHA1e809de0322d74dd4642f215f46f22b3a9b7caa21
SHA2566ecc725eab418e27d8fa2f1031fce6bc119d677b8d72e0447050a87489e8e0ca
SHA512d09f4f9a94f34fe1a6f5fe78ec32e91026fe07263183d4d41c4a51cfa7ee5fbc1b38d2ebeda20a717a2a730af011d73d113decb3ae2fe9db50530c095cf33ea3
-
C:\Users\Admin\AppData\Local\Temp\is-9N10R.tmp\ChromSetup.tmpFilesize
3.0MB
MD5104684b539640daef74e717e02abcf98
SHA13dbe093bbe92ab27c23610795358a763eab1b11b
SHA256c46d28f68af133e26dcb5f60564e4e31896c7917b68baf5d0c11fc2dd5bad7f3
SHA5123eaa956d34ec3d98fcb9cb28a08d8832314140f0ac9f7e3266a75831ea7e99041090fd98ff69a221ce8a0a5615767b34cd3555c182d069e3a1bbd02e1a5e54c1
-
C:\Users\Admin\AppData\Local\Temp\is-G70PU.tmp\chrome.batFilesize
2KB
MD5ac6e68d7bd044284c3c242888155365a
SHA163d6005504dc269f5f279053614861a068f2c924
SHA256b6f41ff464f1baa1bc276e5f46d3be49fed71fe0b490c1bcd401869b9b8df56a
SHA51264a4325c1c22b771532ec0be4a973064b3c98d401475f93acc515a1b70238652dc47bd76754695d8ca9fa76b3ddeaf8f2abbfeb17d5566bea439c8e6bad04d10
-
C:\Users\Admin\AppData\Local\Temp\is-G70PU.tmp\chrome.ps1Filesize
27B
MD5c774ee6f456444fcadd09dc5e27a501b
SHA13b49a20623ff5968b24dac1bcd1a57125e111341
SHA256d3477d17f918bc82462191dee88fe57f25d19173a8361d94580e2dfae3b503df
SHA512a2b8f0ce3dd8b3c9d7e1bd468953eb4a03f0f11511cf65531497056d7ad9a8134d628cf1e1a5e2baafbe05a1a47ffa4673d1fcdc915e7aa9e7da12de4644674d
-
C:\Users\Admin\Downloads\ChromSetup.exeFilesize
1.6MB
MD59a072b31cdd243f970d9904e4a3ca8b2
SHA183ba63619ebac80f0326d42eadb469d2d21de4e4
SHA256d189921d4776bbeadfbea8722738bfbd179c5fc402eaa9676544183aeaf153a2
SHA51217f3f9e73bae21a4d7501387738792b87bde4528e4b5202ca778e97cb3d056c0c1981edea0a01970518f80eef5f6e3a3bf8d014c733ad93f3276233c48fa667b
-
C:\Users\Admin\Downloads\ChromSetup.exeFilesize
1.6MB
MD59a072b31cdd243f970d9904e4a3ca8b2
SHA183ba63619ebac80f0326d42eadb469d2d21de4e4
SHA256d189921d4776bbeadfbea8722738bfbd179c5fc402eaa9676544183aeaf153a2
SHA51217f3f9e73bae21a4d7501387738792b87bde4528e4b5202ca778e97cb3d056c0c1981edea0a01970518f80eef5f6e3a3bf8d014c733ad93f3276233c48fa667b
-
C:\apps.crxFilesize
11KB
MD5555a540738693069a61ba7c45b97b4fd
SHA10243a4ed559e18e3c02fe68db46a7584071a9408
SHA256605837c12691b6db0aeca8cb97e5a38f0af477e221824b4e1db38170ee202576
SHA5121a802fdc0c80c4ff349bcd053803a86a7f5ecc1692035f749ca8893b403e3a6e2d7e28295bc2e186d10107a6ec566b571f85765c0a3ab48c46a9dbfb5057ab4c
-
\??\pipe\crashpad_2384_RJHAAORWAEFYPTJRMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\crashpad_3204_AKOXQRYBEBNEZXLQMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\crashpad_3988_HVTVLIMMNGPZFPPUMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/224-177-0x0000000000000000-mapping.dmp
-
memory/232-319-0x0000000004090000-0x000000000419D000-memory.dmpFilesize
1.1MB
-
memory/428-317-0x0000000003580000-0x0000000003590000-memory.dmpFilesize
64KB
-
memory/448-159-0x000001404BFA0000-0x000001404BFC2000-memory.dmpFilesize
136KB
-
memory/448-157-0x0000000000000000-mapping.dmp
-
memory/448-160-0x00007FF82A0F0000-0x00007FF82ABB1000-memory.dmpFilesize
10.8MB
-
memory/448-162-0x00007FF82A0F0000-0x00007FF82ABB1000-memory.dmpFilesize
10.8MB
-
memory/1000-163-0x0000000000000000-mapping.dmp
-
memory/1188-142-0x0000000000000000-mapping.dmp
-
memory/1248-165-0x0000000000000000-mapping.dmp
-
memory/1352-426-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/1352-627-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/1352-423-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/1504-243-0x0000000000000000-mapping.dmp
-
memory/1660-216-0x0000000000000000-mapping.dmp
-
memory/1664-211-0x0000000000000000-mapping.dmp
-
memory/1664-213-0x00007FF82A210000-0x00007FF82ACD1000-memory.dmpFilesize
10.8MB
-
memory/1664-214-0x00007FF82A210000-0x00007FF82ACD1000-memory.dmpFilesize
10.8MB
-
memory/1784-155-0x0000000000000000-mapping.dmp
-
memory/2000-241-0x0000000000000000-mapping.dmp
-
memory/2000-172-0x0000000000000000-mapping.dmp
-
memory/2060-232-0x0000000000000000-mapping.dmp
-
memory/2184-169-0x0000000000000000-mapping.dmp
-
memory/2488-263-0x0000000000000000-mapping.dmp
-
memory/2868-167-0x0000000000000000-mapping.dmp
-
memory/2900-198-0x0000000005EE0000-0x0000000006A5A000-memory.dmpFilesize
11.5MB
-
memory/2900-202-0x0000000004420000-0x0000000004560000-memory.dmpFilesize
1.2MB
-
memory/2900-212-0x0000000005EE0000-0x0000000006A5A000-memory.dmpFilesize
11.5MB
-
memory/2900-204-0x0000000004420000-0x0000000004560000-memory.dmpFilesize
1.2MB
-
memory/2900-203-0x0000000004420000-0x0000000004560000-memory.dmpFilesize
1.2MB
-
memory/2900-149-0x0000000000000000-mapping.dmp
-
memory/2900-197-0x0000000005EE0000-0x0000000006A5A000-memory.dmpFilesize
11.5MB
-
memory/2900-199-0x0000000004420000-0x0000000004560000-memory.dmpFilesize
1.2MB
-
memory/2900-200-0x0000000004420000-0x0000000004560000-memory.dmpFilesize
1.2MB
-
memory/2900-201-0x0000000004420000-0x0000000004560000-memory.dmpFilesize
1.2MB
-
memory/2928-227-0x0000000000000000-mapping.dmp
-
memory/2928-132-0x0000000000AF2000-0x0000000000B07000-memory.dmpFilesize
84KB
-
memory/2928-135-0x0000000000400000-0x0000000000850000-memory.dmpFilesize
4.3MB
-
memory/2928-136-0x0000000000400000-0x0000000000850000-memory.dmpFilesize
4.3MB
-
memory/2928-133-0x00000000001F0000-0x00000000001F9000-memory.dmpFilesize
36KB
-
memory/2948-235-0x0000000000000000-mapping.dmp
-
memory/2948-221-0x0000000000000000-mapping.dmp
-
memory/3168-231-0x0000000000000000-mapping.dmp
-
memory/3260-168-0x0000000000000000-mapping.dmp
-
memory/3320-219-0x0000000000000000-mapping.dmp
-
memory/3524-261-0x0000000000000000-mapping.dmp
-
memory/3536-237-0x0000000000000000-mapping.dmp
-
memory/3536-255-0x0000000000000000-mapping.dmp
-
memory/3552-205-0x00007FF69B2D6890-mapping.dmp
-
memory/3552-206-0x000001E52FC40000-0x000001E52FD80000-memory.dmpFilesize
1.2MB
-
memory/3552-210-0x000001E52E1F0000-0x000001E52E498000-memory.dmpFilesize
2.7MB
-
memory/3552-209-0x0000000000F40000-0x00000000011D7000-memory.dmpFilesize
2.6MB
-
memory/3552-207-0x000001E52FC40000-0x000001E52FD80000-memory.dmpFilesize
1.2MB
-
memory/3600-225-0x0000000000000000-mapping.dmp
-
memory/3616-223-0x0000000000000000-mapping.dmp
-
memory/3704-267-0x0000000000000000-mapping.dmp
-
memory/3760-158-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/3760-139-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/3760-137-0x0000000000000000-mapping.dmp
-
memory/3760-302-0x0000000000400000-0x00000000004CD000-memory.dmpFilesize
820KB
-
memory/3840-239-0x0000000000000000-mapping.dmp
-
memory/3924-269-0x0000000000000000-mapping.dmp
-
memory/4000-259-0x0000000000000000-mapping.dmp
-
memory/4012-222-0x0000000000000000-mapping.dmp
-
memory/4028-196-0x0000000000000000-mapping.dmp
-
memory/4028-173-0x0000000000000000-mapping.dmp
-
memory/4116-224-0x0000000000000000-mapping.dmp
-
memory/4128-164-0x0000000000000000-mapping.dmp
-
memory/4148-220-0x0000000000000000-mapping.dmp
-
memory/4212-166-0x0000000000000000-mapping.dmp
-
memory/4236-318-0x0000000010000000-0x0000000010237000-memory.dmpFilesize
2.2MB
-
memory/4388-218-0x0000000000400000-0x0000000000850000-memory.dmpFilesize
4.3MB
-
memory/4388-229-0x0000000000400000-0x0000000000850000-memory.dmpFilesize
4.3MB
-
memory/4388-215-0x00000000008A2000-0x00000000008B8000-memory.dmpFilesize
88KB
-
memory/4412-268-0x0000000000000000-mapping.dmp
-
memory/4448-334-0x00000000011F1000-0x00000000013B0000-memory.dmpFilesize
1.7MB
-
memory/4448-368-0x000000000B521000-0x000000000B606000-memory.dmpFilesize
916KB
-
memory/4448-369-0x000000000C8F0000-0x000000000C904000-memory.dmpFilesize
80KB
-
memory/4448-367-0x000000000B521000-0x000000000B606000-memory.dmpFilesize
916KB
-
memory/4448-366-0x000000000B521000-0x000000000B606000-memory.dmpFilesize
916KB
-
memory/4448-365-0x000000000B521000-0x000000000B606000-memory.dmpFilesize
916KB
-
memory/4448-364-0x000000000B521000-0x000000000B606000-memory.dmpFilesize
916KB
-
memory/4448-363-0x000000000B521000-0x000000000B606000-memory.dmpFilesize
916KB
-
memory/4448-362-0x000000000B521000-0x000000000B606000-memory.dmpFilesize
916KB
-
memory/4448-360-0x000000000B521000-0x000000000B606000-memory.dmpFilesize
916KB
-
memory/4448-361-0x000000000B521000-0x000000000B606000-memory.dmpFilesize
916KB
-
memory/4448-359-0x000000000B521000-0x000000000B606000-memory.dmpFilesize
916KB
-
memory/4448-358-0x000000000B521000-0x000000000B606000-memory.dmpFilesize
916KB
-
memory/4448-357-0x000000000B521000-0x000000000B606000-memory.dmpFilesize
916KB
-
memory/4448-356-0x000000000B521000-0x000000000B606000-memory.dmpFilesize
916KB
-
memory/4448-355-0x000000000B521000-0x000000000B606000-memory.dmpFilesize
916KB
-
memory/4448-354-0x000000000B521000-0x000000000B606000-memory.dmpFilesize
916KB
-
memory/4448-353-0x000000000B521000-0x000000000B606000-memory.dmpFilesize
916KB
-
memory/4448-352-0x000000000B521000-0x000000000B606000-memory.dmpFilesize
916KB
-
memory/4448-351-0x000000000B520000-0x000000000B679000-memory.dmpFilesize
1.3MB
-
memory/4448-348-0x0000000006560000-0x00000000065FB000-memory.dmpFilesize
620KB
-
memory/4448-347-0x0000000006490000-0x0000000006560000-memory.dmpFilesize
832KB
-
memory/4448-344-0x0000000005CC0000-0x0000000005DCD000-memory.dmpFilesize
1.1MB
-
memory/4448-342-0x00000000011F1000-0x00000000013B0000-memory.dmpFilesize
1.7MB
-
memory/4448-341-0x00000000011F1000-0x00000000013B0000-memory.dmpFilesize
1.7MB
-
memory/4448-340-0x00000000011F1000-0x00000000013B0000-memory.dmpFilesize
1.7MB
-
memory/4448-339-0x00000000011F1000-0x00000000013B0000-memory.dmpFilesize
1.7MB
-
memory/4448-338-0x00000000011F1000-0x00000000013B0000-memory.dmpFilesize
1.7MB
-
memory/4448-337-0x00000000011F1000-0x00000000013B0000-memory.dmpFilesize
1.7MB
-
memory/4448-336-0x00000000011F1000-0x00000000013B0000-memory.dmpFilesize
1.7MB
-
memory/4448-335-0x00000000011F1000-0x00000000013B0000-memory.dmpFilesize
1.7MB
-
memory/4448-333-0x00000000011F1000-0x00000000013B0000-memory.dmpFilesize
1.7MB
-
memory/4448-332-0x00000000011F1000-0x00000000013B0000-memory.dmpFilesize
1.7MB
-
memory/4448-329-0x00000000011F1000-0x00000000013B0000-memory.dmpFilesize
1.7MB
-
memory/4448-331-0x00000000011F1000-0x00000000013B0000-memory.dmpFilesize
1.7MB
-
memory/4448-330-0x00000000011F1000-0x00000000013B0000-memory.dmpFilesize
1.7MB
-
memory/4448-327-0x00000000011F1000-0x00000000013B0000-memory.dmpFilesize
1.7MB
-
memory/4448-328-0x00000000011F1000-0x00000000013B0000-memory.dmpFilesize
1.7MB
-
memory/4448-326-0x00000000011F1000-0x00000000013B0000-memory.dmpFilesize
1.7MB
-
memory/4448-324-0x00000000011F1000-0x00000000013B0000-memory.dmpFilesize
1.7MB
-
memory/4560-321-0x00000000027E0000-0x00000000028ED000-memory.dmpFilesize
1.1MB
-
memory/4564-150-0x0000000000400000-0x0000000000920000-memory.dmpFilesize
5.1MB
-
memory/4564-154-0x0000000000400000-0x0000000000920000-memory.dmpFilesize
5.1MB
-
memory/4564-144-0x0000000000000000-mapping.dmp
-
memory/4564-147-0x0000000000CAE000-0x0000000000D8C000-memory.dmpFilesize
888KB
-
memory/4564-148-0x0000000000D90000-0x0000000000EB1000-memory.dmpFilesize
1.1MB
-
memory/4568-228-0x0000000000000000-mapping.dmp
-
memory/4596-217-0x0000000000000000-mapping.dmp
-
memory/4700-226-0x0000000000000000-mapping.dmp
-
memory/4776-208-0x0000000000000000-mapping.dmp
-
memory/4824-272-0x0000000000000000-mapping.dmp
-
memory/4856-306-0x00000000044E0000-0x000000000505A000-memory.dmpFilesize
11.5MB
-
memory/4856-307-0x00000000044E0000-0x000000000505A000-memory.dmpFilesize
11.5MB
-
memory/4856-312-0x00000000044E0000-0x000000000505A000-memory.dmpFilesize
11.5MB
-
memory/4856-234-0x0000000000000000-mapping.dmp
-
memory/4944-253-0x0000000000000000-mapping.dmp
-
memory/4976-273-0x0000000000000000-mapping.dmp
-
memory/5004-310-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/5004-305-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/5004-303-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/5004-311-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/5140-252-0x0000000000000000-mapping.dmp
-
memory/5144-266-0x0000000000000000-mapping.dmp
-
memory/5168-257-0x0000000000000000-mapping.dmp
-
memory/5184-245-0x0000000000000000-mapping.dmp
-
memory/5228-462-0x000000006FF30000-0x000000006FF53000-memory.dmpFilesize
140KB
-
memory/5240-247-0x0000000000000000-mapping.dmp
-
memory/5252-270-0x0000000000000000-mapping.dmp
-
memory/5444-248-0x0000000000000000-mapping.dmp
-
memory/5648-249-0x0000000000000000-mapping.dmp
-
memory/5660-313-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/5660-323-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/5660-316-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/5660-315-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/5724-262-0x0000000000000000-mapping.dmp
-
memory/5728-432-0x0000000000400000-0x000000000042D000-memory.dmpFilesize
180KB
-
memory/5728-404-0x0000000000400000-0x000000000042D000-memory.dmpFilesize
180KB
-
memory/5732-250-0x0000000000000000-mapping.dmp
-
memory/5732-320-0x0000000003CD0000-0x0000000003DDD000-memory.dmpFilesize
1.1MB
-
memory/5752-251-0x0000000000000000-mapping.dmp
-
memory/5800-275-0x0000000000000000-mapping.dmp
-
memory/5944-265-0x0000000000000000-mapping.dmp
-
memory/5992-694-0x0000000004E20000-0x0000000004E24000-memory.dmpFilesize
16KB
-
memory/5992-686-0x0000000002560000-0x0000000002564000-memory.dmpFilesize
16KB
-
memory/5992-693-0x0000000004DE0000-0x0000000004DE5000-memory.dmpFilesize
20KB
-
memory/5992-689-0x0000000004D70000-0x0000000004D74000-memory.dmpFilesize
16KB
-
memory/5992-695-0x0000000004E30000-0x0000000004E34000-memory.dmpFilesize
16KB
-
memory/5992-696-0x0000000004E40000-0x0000000004E48000-memory.dmpFilesize
32KB
-
memory/5992-343-0x0000000003D60000-0x0000000003E6D000-memory.dmpFilesize
1.1MB
-
memory/5992-690-0x0000000004DB0000-0x0000000004DB4000-memory.dmpFilesize
16KB
-
memory/5992-688-0x0000000004D40000-0x0000000004D47000-memory.dmpFilesize
28KB
-
memory/5992-692-0x0000000004DC0000-0x0000000004DC4000-memory.dmpFilesize
16KB
-
memory/5992-687-0x0000000004D20000-0x0000000004D24000-memory.dmpFilesize
16KB
-
memory/5992-691-0x0000000004D60000-0x0000000004D64000-memory.dmpFilesize
16KB
-
memory/5992-678-0x0000000002550000-0x0000000002554000-memory.dmpFilesize
16KB
-
memory/5992-679-0x0000000003EB0000-0x0000000003EC9000-memory.dmpFilesize
100KB
-
memory/5992-681-0x0000000003F10000-0x0000000003F14000-memory.dmpFilesize
16KB
-
memory/5992-682-0x0000000003E90000-0x0000000003E94000-memory.dmpFilesize
16KB
-
memory/5992-683-0x0000000003F20000-0x0000000003F24000-memory.dmpFilesize
16KB
-
memory/5992-684-0x0000000003F30000-0x0000000003F38000-memory.dmpFilesize
32KB
-
memory/5992-685-0x0000000003F40000-0x0000000003F44000-memory.dmpFilesize
16KB
-
memory/5992-680-0x0000000003EE0000-0x0000000003EE5000-memory.dmpFilesize
20KB
-
memory/6140-524-0x0000000000400000-0x000000000043B000-memory.dmpFilesize
236KB
-
memory/6212-277-0x0000000000000000-mapping.dmp
-
memory/6320-322-0x0000000003BE0000-0x0000000003CED000-memory.dmpFilesize
1.1MB
-
memory/6348-299-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/6348-297-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/6348-279-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/6348-282-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/6788-292-0x00007FF8033C0000-0x00007FF803E81000-memory.dmpFilesize
10.8MB
-
memory/6788-298-0x00007FF8033C0000-0x00007FF803E81000-memory.dmpFilesize
10.8MB
-
memory/6908-309-0x0000000004D90000-0x000000000590A000-memory.dmpFilesize
11.5MB
-
memory/6908-308-0x0000000004D90000-0x000000000590A000-memory.dmpFilesize
11.5MB