Analysis
-
max time kernel
1810s -
max time network
1803s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
11/01/2023, 09:42
Static task
static1
General
-
Target
hood fighting.lua
-
Size
581B
-
MD5
19c677bb8cda5703f42c143bb4251e6a
-
SHA1
ad85336a7304a4e58b2a4f5c40b02f578aa00923
-
SHA256
d37e1cf29ba447f8d5e8f3e27be0485c986115b8280bbd5b9c57bbfe70beccd5
-
SHA512
c82d72dbd5e5d015a27334f27319ee4deb575800ae9a9f5755b7d1a0e165c7cd7883039ebf9ec0c205e1fedc26c2d68f3762893e6e369e2ebb5c565eb567ad74
Malware Config
Extracted
C:\Program Files\WinRAR\Rar.txt
Extracted
C:\Program Files\WinRAR\WhatsNew.txt
https
http
http://weirdsgn.com
http://icondesignlab.com
https://rarlab.com/themes/WinRAR_Classic_48x36.theme.rar
Extracted
quasar
1.4.0
Office04
127.0.0.1:4782
f378261e-3b55-43b3-86c2-48679348af0a
-
encryption_key
0CFB2805B99A46427C3BF8100C8BEFB5053114F4
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" Microsoft.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection Microsoft.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" Microsoft.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" Microsoft.exe -
Modifies system executable filetype association 2 TTPs 8 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR uninstall.exe -
Quasar payload 5 IoCs
resource yara_rule behavioral1/memory/2388-151-0x000001C86AB40000-0x000001C86AC78000-memory.dmp family_quasar behavioral1/memory/2388-152-0x000001C86CF80000-0x000001C86CF96000-memory.dmp family_quasar behavioral1/memory/3568-166-0x0000000000C40000-0x0000000000CC4000-memory.dmp family_quasar behavioral1/memory/5072-175-0x0000000000700000-0x0000000000784000-memory.dmp family_quasar behavioral1/memory/4300-182-0x00000000006C0000-0x0000000000744000-memory.dmp family_quasar -
Async RAT payload 1 IoCs
resource yara_rule behavioral1/memory/2820-272-0x000001FA60070000-0x000001FA606D6000-memory.dmp asyncrat -
Downloads MZ/PE file
-
Executes dropped EXE 35 IoCs
pid Process 3696 winrar-x64-611.exe 1680 uninstall.exe 1860 ChromeRecovery.exe 3096 WinRAR.exe 4388 WinRAR.exe 2388 Quasar.exe 4944 Quasar.exe 3568 Client-built.exe 4064 Client.exe 5072 asdada.exe 2616 asdada.exe 4116 asdada.exe 4300 not.exe 4108 dded.exe 1560 dded.exe 3592 dded.exe 1520 dded.exe 3980 dded.exe 4164 dded.exe 2824 dded.exe 920 dded.exe 3996 dded.exe 3776 dded.exe 1308 dded.exe 1956 dded.exe 4796 dded.exe 4392 dded.exe 3220 WinRAR.exe 620 WinRAR.exe 2820 AsyncRAT.exe 1040 AsyncClient.exe 64 Microsoft.exe 4752 jehavv.exe 4100 AsyncRAT.exe 2076 AsyncRAT.exe -
Registers COM server for autorun 1 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment" uninstall.exe -
Checks computer location settings 2 TTPs 17 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation dded.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation dded.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation dded.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation dded.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation dded.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation dded.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation dded.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation dded.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation dded.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation winrar-x64-611.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation Quasar.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation dded.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation Microsoft.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation dded.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation dded.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation dded.exe Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation AsyncClient.exe -
Loads dropped DLL 1 IoCs
pid Process 3064 Process not Found -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features Microsoft.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" Microsoft.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\c:\users\admin\desktop\desktop.ini Microsoft.exe -
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 348 api.ipify.org 349 api.ipify.org 353 api.ipify.org 360 api.ipify.org 371 api.ipify.org 384 api.ipify.org -
Drops file in System32 directory 8 IoCs
description ioc Process File created C:\Windows\system32\SubDir\Client.exe Client-built.exe File opened for modification C:\Windows\system32\SubDir\Client.exe Client-built.exe File opened for modification C:\Windows\system32\SubDir Client-built.exe File opened for modification C:\Windows\system32\SubDir\Client.exe Client.exe File opened for modification C:\Windows\system32\SubDir Client.exe File created C:\Windows\system32\SubDir\Client.exe asdada.exe File created C:\Windows\system32\SubDir\Client.exe asdada.exe File created C:\Windows\system32\SubDir\Client.exe asdada.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\7zxa.dll winrar-x64-611.exe File created C:\Program Files\WinRAR\RarExt.dll winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\RarExt.dll winrar-x64-611.exe File created C:\Program Files\WinRAR\Default.SFX winrar-x64-611.exe File created C:\Program Files\WinRAR\Default64.SFX winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png winrar-x64-611.exe File created C:\Program Files\WinRAR\Descript.ion winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\RarExt32.dll winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\UnRAR.exe winrar-x64-611.exe File created C:\Program Files\WinRAR\Zip.SFX winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Descript.ion winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\WhatsNew.txt winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\RarExtInstaller.exe winrar-x64-611.exe File created C:\Program Files\WinRAR\7zxa.dll winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Zip64.SFX winrar-x64-611.exe File opened for modification C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4048_965208742\manifest.json elevation_service.exe File created C:\Program Files\WinRAR\ReadMe.txt winrar-x64-611.exe File created C:\Program Files\WinRAR\WinRAR.exe winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\WinCon.SFX winrar-x64-611.exe File created C:\Program Files\WinRAR\zipnew.dat uninstall.exe File opened for modification C:\Program Files\WinRAR\ReadMe.txt winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\RarFiles.lst winrar-x64-611.exe File created C:\Program Files\WinRAR\rarnew.dat uninstall.exe File created C:\Program Files\WinRAR\WhatsNew.txt winrar-x64-611.exe File created C:\Program Files\WinRAR\Rar.exe winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Zip.SFX winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\License.txt winrar-x64-611.exe File created C:\Program Files\WinRAR\Uninstall.exe winrar-x64-611.exe File created C:\Program Files\WinRAR\WinCon64.SFX winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png winrar-x64-611.exe File created C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4048_965208742\_metadata\verified_contents.json elevation_service.exe File opened for modification C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4048_965208742\_metadata\verified_contents.json elevation_service.exe File created C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4048_965208742\ChromeRecovery.exe elevation_service.exe File created C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4048_965208742\manifest.json elevation_service.exe File created C:\Program Files\WinRAR\Order.htm winrar-x64-611.exe File created C:\Program Files\WinRAR\RarFiles.lst winrar-x64-611.exe File created C:\Program Files\WinRAR\RarExtPackage.msix winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Default64.SFX winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\WinCon64.SFX winrar-x64-611.exe File created C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png winrar-x64-611.exe File created C:\Program Files\WinRAR\WinRAR.chm winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png winrar-x64-611.exe File created C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4048_965208742\ChromeRecoveryCRX.crx elevation_service.exe File opened for modification C:\Program Files\WinRAR\Rar.txt winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Uninstall.lst winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Rar.exe winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Uninstall.exe winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\WinRAR.exe winrar-x64-611.exe File created C:\Program Files\WinRAR\RarExt32.dll winrar-x64-611.exe File created C:\Program Files\WinRAR\RarExtInstaller.exe winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\RarExtPackage.msix winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Resources.pri winrar-x64-611.exe File opened for modification C:\Program Files\WinRAR\Default.SFX winrar-x64-611.exe File created C:\Program Files\WinRAR\Rar.txt winrar-x64-611.exe File created C:\Program Files\WinRAR\Uninstall.lst winrar-x64-611.exe File created C:\Program Files\WinRAR\WinCon.SFX winrar-x64-611.exe File created C:\Program Files\WinRAR\Zip64.SFX winrar-x64-611.exe File created C:\Program Files\WinRAR\UnRAR.exe winrar-x64-611.exe File created C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png winrar-x64-611.exe File created C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_240687609 winrar-x64-611.exe File created C:\Program Files\WinRAR\License.txt winrar-x64-611.exe File created C:\Program Files\WinRAR\Resources.pri winrar-x64-611.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
pid pid_target Process procid_target 3444 2820 WerFault.exe 344 3424 2820 WerFault.exe 344 -
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe -
Creates scheduled task(s) 1 TTPs 18 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4916 schtasks.exe 3612 schtasks.exe 1288 schtasks.exe 676 schtasks.exe 2536 schtasks.exe 4052 schtasks.exe 1236 schtasks.exe 2144 schtasks.exe 4912 schtasks.exe 3776 schtasks.exe 1220 schtasks.exe 4636 schtasks.exe 3556 schtasks.exe 64 schtasks.exe 2988 schtasks.exe 4332 schtasks.exe 4124 schtasks.exe 4536 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2284 timeout.exe -
Enumerates system info in registry 2 TTPs 9 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync WinRAR.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" WinRAR.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch WinRAR.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" WinRAR.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\NodeSlot = "4" Quasar.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" Quasar.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\0\MRUListEx = ffffffff Quasar.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\1 AsyncRAT.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} uninstall.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" Quasar.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" Quasar.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0" AsyncRAT.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.gz\ = "WinRAR" uninstall.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 AsyncRAT.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\SniffedFolderType = "Pictures" AsyncRAT.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.xxe uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0" uninstall.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 Quasar.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209" explorer.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg AsyncRAT.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings AsyncRAT.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0\1\MRUListEx = ffffffff AsyncRAT.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU AsyncRAT.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" AsyncRAT.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r23\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.tgz uninstall.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell AsyncRAT.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lzh\ = "WinRAR" uninstall.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" Quasar.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 Quasar.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r04\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r17 uninstall.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 = 78003100000000000c5519991100557365727300640009000400efbe874f77482b5655552e000000c70500000000010000000000000000003a00000000008714af0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 Quasar.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239} AsyncRAT.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR" uninstall.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" AsyncRAT.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\Shell AsyncRAT.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r07 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r21\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command uninstall.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" Quasar.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202 AsyncRAT.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r14 uninstall.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 14002e8005398e082303024b98265d99428e115f0000 Quasar.exe Set value (int) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" AsyncRAT.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r05 uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r26\ = "WinRAR" uninstall.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 66003100000000002b56485610005155415341527e312e3000004c0009000400efbe2b560a562b5648562e0000006830020000000b0000000000000000000000000000005dd652005100750061007300610072002000760031002e0034002e00300000001a000000 Quasar.exe Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} Quasar.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r28\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.zst\ = "WinRAR" uninstall.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ AsyncRAT.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.tbz uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.zipx\ = "WinRAR" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command uninstall.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000200000001000000ffffffff Quasar.exe Set value (data) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 AsyncRAT.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 dded.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e dded.exe -
Runs ping.exe 1 TTPs 13 IoCs
pid Process 3648 PING.EXE 2240 PING.EXE 1336 PING.EXE 2324 PING.EXE 4068 PING.EXE 408 PING.EXE 3772 PING.EXE 4344 PING.EXE 528 PING.EXE 4664 PING.EXE 1920 PING.EXE 4600 PING.EXE 1468 PING.EXE -
Runs regedit.exe 1 IoCs
pid Process 868 regedit.exe -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 3320 explorer.exe 64 Microsoft.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4988 chrome.exe 4988 chrome.exe 1272 chrome.exe 1272 chrome.exe 1852 chrome.exe 1852 chrome.exe 4056 chrome.exe 4056 chrome.exe 1312 chrome.exe 1312 chrome.exe 3056 chrome.exe 3056 chrome.exe 4112 chrome.exe 4112 chrome.exe 3476 chrome.exe 3476 chrome.exe 1584 chrome.exe 1584 chrome.exe 3592 chrome.exe 3592 chrome.exe 5024 chrome.exe 5024 chrome.exe 1152 chrome.exe 1152 chrome.exe 1152 chrome.exe 1152 chrome.exe 4108 chrome.exe 4108 chrome.exe 4196 chrome.exe 4196 chrome.exe 2412 chrome.exe 2412 chrome.exe 5072 asdada.exe 2616 asdada.exe 4116 asdada.exe 4064 Client.exe 4064 Client.exe 4064 Client.exe 4064 Client.exe 4064 Client.exe 4064 Client.exe 4064 Client.exe 4064 Client.exe 4064 Client.exe 4064 Client.exe 4064 Client.exe 4064 Client.exe 4064 Client.exe 4064 Client.exe 4064 Client.exe 4064 Client.exe 4064 Client.exe 4064 Client.exe 4064 Client.exe 4064 Client.exe 4064 Client.exe 4064 Client.exe 4064 Client.exe 4064 Client.exe 4064 Client.exe 4064 Client.exe 4064 Client.exe 4064 Client.exe 4064 Client.exe -
Suspicious behavior: GetForegroundWindowSpam 9 IoCs
pid Process 4388 WinRAR.exe 4944 Quasar.exe 620 WinRAR.exe 2820 AsyncRAT.exe 4100 AsyncRAT.exe 64 Microsoft.exe 2076 AsyncRAT.exe 1860 taskmgr.exe 868 regedit.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 39 IoCs
pid Process 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4672 msedge.exe 4672 msedge.exe 2024 msedge.exe 2024 msedge.exe -
Suspicious use of AdjustPrivilegeToken 52 IoCs
description pid Process Token: SeDebugPrivilege 2388 Quasar.exe Token: SeDebugPrivilege 4944 Quasar.exe Token: SeDebugPrivilege 3568 Client-built.exe Token: SeDebugPrivilege 4064 Client.exe Token: SeDebugPrivilege 5072 asdada.exe Token: SeDebugPrivilege 2616 asdada.exe Token: SeDebugPrivilege 4116 asdada.exe Token: SeDebugPrivilege 4300 not.exe Token: SeDebugPrivilege 4108 dded.exe Token: SeDebugPrivilege 1560 dded.exe Token: SeDebugPrivilege 3592 dded.exe Token: SeDebugPrivilege 1520 dded.exe Token: SeDebugPrivilege 3980 dded.exe Token: SeDebugPrivilege 4164 dded.exe Token: SeDebugPrivilege 2824 dded.exe Token: SeDebugPrivilege 920 dded.exe Token: SeDebugPrivilege 3996 dded.exe Token: SeDebugPrivilege 3776 dded.exe Token: SeDebugPrivilege 1308 dded.exe Token: SeDebugPrivilege 1956 dded.exe Token: SeDebugPrivilege 4796 dded.exe Token: SeDebugPrivilege 3564 taskmgr.exe Token: SeSystemProfilePrivilege 3564 taskmgr.exe Token: SeCreateGlobalPrivilege 3564 taskmgr.exe Token: SeDebugPrivilege 4392 dded.exe Token: 33 3564 taskmgr.exe Token: SeIncBasePriorityPrivilege 3564 taskmgr.exe Token: SeDebugPrivilege 1040 AsyncClient.exe Token: SeDebugPrivilege 64 Microsoft.exe Token: SeDebugPrivilege 64 Microsoft.exe Token: SeDebugPrivilege 2820 AsyncRAT.exe Token: SeDebugPrivilege 2168 powershell.exe Token: SeDebugPrivilege 2220 powershell.exe Token: SeDebugPrivilege 3060 taskmgr.exe Token: SeSystemProfilePrivilege 3060 taskmgr.exe Token: SeCreateGlobalPrivilege 3060 taskmgr.exe Token: 33 3060 taskmgr.exe Token: SeIncBasePriorityPrivilege 3060 taskmgr.exe Token: SeDebugPrivilege 4100 AsyncRAT.exe Token: SeDebugPrivilege 3372 taskmgr.exe Token: SeSystemProfilePrivilege 3372 taskmgr.exe Token: SeCreateGlobalPrivilege 3372 taskmgr.exe Token: 33 3372 taskmgr.exe Token: SeIncBasePriorityPrivilege 3372 taskmgr.exe Token: SeDebugPrivilege 2076 AsyncRAT.exe Token: SeDebugPrivilege 1860 taskmgr.exe Token: SeSystemProfilePrivilege 1860 taskmgr.exe Token: SeCreateGlobalPrivilege 1860 taskmgr.exe Token: 33 1860 taskmgr.exe Token: SeIncBasePriorityPrivilege 1860 taskmgr.exe Token: 33 4172 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 4172 AUDIODG.EXE -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 4056 chrome.exe 2388 Quasar.exe 4944 Quasar.exe 4944 Quasar.exe 4944 Quasar.exe 4944 Quasar.exe 4944 Quasar.exe 3564 taskmgr.exe 3564 taskmgr.exe 3564 taskmgr.exe 3564 taskmgr.exe 3564 taskmgr.exe 3564 taskmgr.exe 3564 taskmgr.exe 3564 taskmgr.exe 3564 taskmgr.exe 3564 taskmgr.exe -
Suspicious use of SetWindowsHookEx 35 IoCs
pid Process 4372 OpenWith.exe 3696 winrar-x64-611.exe 3696 winrar-x64-611.exe 3096 WinRAR.exe 3096 WinRAR.exe 4944 Quasar.exe 3320 explorer.exe 3320 explorer.exe 3320 explorer.exe 3320 explorer.exe 3320 explorer.exe 3320 explorer.exe 4944 Quasar.exe 4944 Quasar.exe 4944 Quasar.exe 4944 Quasar.exe 4944 Quasar.exe 4944 Quasar.exe 4944 Quasar.exe 4944 Quasar.exe 4944 Quasar.exe 4944 Quasar.exe 4944 Quasar.exe 4944 Quasar.exe 4944 Quasar.exe 2820 AsyncRAT.exe 2820 AsyncRAT.exe 2820 AsyncRAT.exe 2820 AsyncRAT.exe 2820 AsyncRAT.exe 64 Microsoft.exe 2076 AsyncRAT.exe 2076 AsyncRAT.exe 2076 AsyncRAT.exe 2076 AsyncRAT.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1324 wrote to memory of 4528 1324 chrome.exe 86 PID 1324 wrote to memory of 4528 1324 chrome.exe 86 PID 4204 wrote to memory of 4540 4204 chrome.exe 88 PID 4204 wrote to memory of 4540 4204 chrome.exe 88 PID 4056 wrote to memory of 1268 4056 chrome.exe 87 PID 4056 wrote to memory of 1268 4056 chrome.exe 87 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4056 wrote to memory of 4820 4056 chrome.exe 93 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4056 wrote to memory of 4820 4056 chrome.exe 93 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4056 wrote to memory of 4820 4056 chrome.exe 93 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4056 wrote to memory of 4820 4056 chrome.exe 93 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4056 wrote to memory of 4820 4056 chrome.exe 93 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4056 wrote to memory of 4820 4056 chrome.exe 93 PID 4056 wrote to memory of 4820 4056 chrome.exe 93 PID 4056 wrote to memory of 4820 4056 chrome.exe 93 PID 4056 wrote to memory of 4820 4056 chrome.exe 93 PID 4056 wrote to memory of 4820 4056 chrome.exe 93 PID 4056 wrote to memory of 4820 4056 chrome.exe 93 PID 4056 wrote to memory of 4820 4056 chrome.exe 93 PID 4056 wrote to memory of 4820 4056 chrome.exe 93 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4056 wrote to memory of 4820 4056 chrome.exe 93 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4056 wrote to memory of 4820 4056 chrome.exe 93 PID 4056 wrote to memory of 4820 4056 chrome.exe 93 PID 4056 wrote to memory of 4820 4056 chrome.exe 93 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4056 wrote to memory of 4820 4056 chrome.exe 93 PID 4204 wrote to memory of 1372 4204 chrome.exe 92 PID 4056 wrote to memory of 4820 4056 chrome.exe 93
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbdd394f50,0x7ffbdd394f60,0x7ffbdd394f702⤵PID:1268
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1636 /prefetch:22⤵PID:4820
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1964 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4988
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 /prefetch:82⤵PID:2760
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2748 /prefetch:12⤵PID:5044
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2732 /prefetch:12⤵PID:4436
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:12⤵PID:2416
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4116 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1312
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4120 /prefetch:82⤵PID:1712
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4612 /prefetch:82⤵PID:8
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4732 /prefetch:82⤵PID:1488
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4660 /prefetch:82⤵PID:3520
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4600 /prefetch:82⤵PID:4276
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4612 /prefetch:82⤵PID:4008
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4584 /prefetch:82⤵PID:60
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5168 /prefetch:82⤵PID:4404
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4640 /prefetch:82⤵PID:4920
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:12⤵PID:3712
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:12⤵PID:3636
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5452 /prefetch:82⤵PID:4388
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5740 /prefetch:82⤵PID:1856
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5984 /prefetch:82⤵PID:4880
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6084 /prefetch:82⤵PID:4164
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3056
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5492 /prefetch:82⤵PID:2704
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5468 /prefetch:82⤵PID:4172
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5652 /prefetch:82⤵PID:3960
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:12⤵PID:2920
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5864 /prefetch:82⤵PID:2632
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5072 /prefetch:82⤵PID:4064
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5488 /prefetch:82⤵PID:1748
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5012 /prefetch:82⤵PID:856
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5088 /prefetch:82⤵PID:2236
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:12⤵PID:3036
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:12⤵PID:4836
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:12⤵PID:3888
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4112
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3476
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3164 /prefetch:82⤵PID:4952
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1584
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:12⤵PID:3916
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5196 /prefetch:82⤵PID:3036
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:12⤵PID:3528
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:12⤵PID:5068
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:12⤵PID:4440
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3724 /prefetch:82⤵PID:3912
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:12⤵PID:3556
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:12⤵PID:4284
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:12⤵PID:4940
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4076 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3592
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3680 /prefetch:82⤵PID:3664
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4028 /prefetch:82⤵PID:1276
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5024
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=208 /prefetch:82⤵PID:4996
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3188 /prefetch:82⤵PID:980
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5472 /prefetch:82⤵PID:4644
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5284 /prefetch:82⤵PID:424
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5460 /prefetch:82⤵PID:2960
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5312 /prefetch:82⤵PID:4908
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:12⤵PID:2872
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6220 /prefetch:82⤵PID:3804
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3956 /prefetch:82⤵PID:3648
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6288 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:1152
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6324 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4108
-
-
C:\Users\Admin\Downloads\winrar-x64-611.exe"C:\Users\Admin\Downloads\winrar-x64-611.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:3696 -
C:\Program Files\WinRAR\uninstall.exe"C:\Program Files\WinRAR\uninstall.exe" /setup3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
PID:1680
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5900 /prefetch:82⤵PID:3496
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:12⤵PID:4068
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6408 /prefetch:82⤵PID:4972
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:12⤵PID:3384
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:12⤵PID:4456
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:12⤵PID:4828
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6380 /prefetch:82⤵PID:3696
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4196
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:12⤵PID:64
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6756 /prefetch:12⤵PID:4348
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6788 /prefetch:82⤵PID:424
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4844 /prefetch:82⤵PID:2304
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:12⤵PID:2228
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:12⤵PID:1656
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2300 /prefetch:82⤵PID:4924
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6344 /prefetch:82⤵PID:864
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3180 /prefetch:82⤵PID:988
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1520 /prefetch:82⤵PID:4520
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=208 /prefetch:82⤵PID:4284
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6932 /prefetch:82⤵PID:2404
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6596 /prefetch:82⤵PID:1532
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6192 /prefetch:82⤵PID:3228
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=936 /prefetch:12⤵PID:908
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7176 /prefetch:12⤵PID:3944
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7056 /prefetch:12⤵PID:3492
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:12⤵PID:2556
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2120 /prefetch:82⤵PID:3036
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6788 /prefetch:82⤵PID:1844
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2992 /prefetch:12⤵PID:4784
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6556 /prefetch:82⤵PID:3916
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6284 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2412
-
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\Quasar.v1.4.0.zip"2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3096
-
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\Quasar.v1.4.0.zip"2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:4388
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5504 /prefetch:82⤵PID:4536
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5680 /prefetch:82⤵PID:2008
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6300 /prefetch:82⤵PID:2552
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4120 /prefetch:82⤵PID:5092
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=844 /prefetch:82⤵PID:3220
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:12⤵PID:3176
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=102 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2992 /prefetch:12⤵PID:4732
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2584 /prefetch:12⤵PID:3608
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=104 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:12⤵PID:2100
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6728 /prefetch:82⤵PID:4876
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=106 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7484 /prefetch:12⤵PID:1288
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1596,12478894036596472911,8898432903808990469,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7576 /prefetch:82⤵PID:1220
-
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\COMPILED.zip"2⤵
- Executes dropped EXE
PID:3220
-
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\COMPILED.zip"2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:620
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbdd394f50,0x7ffbdd394f60,0x7ffbdd394f702⤵PID:4528
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1612,4476112152743828180,2473025229749395154,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1636 /prefetch:22⤵PID:2256
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,4476112152743828180,2473025229749395154,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1960 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1852
-
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\hood fighting.lua"1⤵PID:4036
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbdd394f50,0x7ffbdd394f60,0x7ffbdd394f702⤵PID:4540
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1612,16331096867633163269,10387827086053722216,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1632 /prefetch:22⤵PID:1372
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,16331096867633163269,10387827086053722216,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1920 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1272
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:4372
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4660
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"1⤵
- Drops file in Program Files directory
PID:4048 -
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4048_965208742\ChromeRecovery.exe"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4048_965208742\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={96c7f40d-5d66-49c6-b546-6015995515ab} --system2⤵
- Executes dropped EXE
PID:1860
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4908
-
C:\Users\Admin\Desktop\Quasar v1.4.0\Quasar.exe"C:\Users\Admin\Desktop\Quasar v1.4.0\Quasar.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:2388
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\0d062f209a3f47968cd63fb9cb52baab /t 4656 /p 23881⤵PID:4972
-
C:\Users\Admin\Desktop\Quasar v1.4.0\Quasar.exe"C:\Users\Admin\Desktop\Quasar v1.4.0\Quasar.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4944 -
C:\Windows\explorer.exe"C:\Windows\explorer.exe" /select, "C:\Users\Admin\Desktop\Quasar v1.4.0\quasar.p12"2⤵PID:3652
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3320
-
C:\Users\Admin\Downloads\Client-built.exe"C:\Users\Admin\Downloads\Client-built.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3568 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\Downloads\Client-built.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
PID:2144
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
PID:1288
-
-
-
C:\Users\Admin\Downloads\asdada.exe"C:\Users\Admin\Downloads\asdada.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5072
-
C:\Users\Admin\Downloads\asdada.exe"C:\Users\Admin\Downloads\asdada.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2616
-
C:\Users\Admin\Downloads\asdada.exe"C:\Users\Admin\Downloads\asdada.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4116
-
C:\Users\Admin\Downloads\not.exe"C:\Users\Admin\Downloads\not.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4300 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\Downloads\not.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
PID:4636
-
-
C:\Users\Admin\AppData\Roaming\SubDir\dded.exe"C:\Users\Admin\AppData\Roaming\SubDir\dded.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4108 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\dded.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
PID:4912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmaiLobjb9a3.bat" "3⤵PID:3348
-
C:\Windows\system32\chcp.comchcp 650014⤵PID:2136
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost4⤵
- Runs ping.exe
PID:3648
-
-
C:\Users\Admin\AppData\Roaming\SubDir\dded.exe"C:\Users\Admin\AppData\Roaming\SubDir\dded.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1560 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\dded.exe" /rl HIGHEST /f5⤵
- Creates scheduled task(s)
PID:4916
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b1n8tQAuoKTl.bat" "5⤵PID:2284
-
C:\Windows\system32\chcp.comchcp 650016⤵PID:2520
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- Runs ping.exe
PID:408
-
-
C:\Users\Admin\AppData\Roaming\SubDir\dded.exe"C:\Users\Admin\AppData\Roaming\SubDir\dded.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:3592 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\dded.exe" /rl HIGHEST /f7⤵
- Creates scheduled task(s)
PID:3556
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eFcqirHtFlWY.bat" "7⤵PID:4276
-
C:\Windows\system32\chcp.comchcp 650018⤵PID:2232
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- Runs ping.exe
PID:3772
-
-
C:\Users\Admin\AppData\Roaming\SubDir\dded.exe"C:\Users\Admin\AppData\Roaming\SubDir\dded.exe"8⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1520 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\dded.exe" /rl HIGHEST /f9⤵
- Creates scheduled task(s)
PID:64
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Cv8qaF4ABdpO.bat" "9⤵PID:5092
-
C:\Windows\system32\chcp.comchcp 6500110⤵PID:4532
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- Runs ping.exe
PID:4344
-
-
C:\Users\Admin\AppData\Roaming\SubDir\dded.exe"C:\Users\Admin\AppData\Roaming\SubDir\dded.exe"10⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:3980 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\dded.exe" /rl HIGHEST /f11⤵
- Creates scheduled task(s)
PID:3612
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\L0l69n849B8O.bat" "11⤵PID:4152
-
C:\Windows\system32\chcp.comchcp 6500112⤵PID:1532
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost12⤵
- Runs ping.exe
PID:2240
-
-
C:\Users\Admin\AppData\Roaming\SubDir\dded.exe"C:\Users\Admin\AppData\Roaming\SubDir\dded.exe"12⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4164 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\dded.exe" /rl HIGHEST /f13⤵
- Creates scheduled task(s)
PID:3776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZQNAiWRIauOj.bat" "13⤵PID:2664
-
C:\Windows\system32\chcp.comchcp 6500114⤵PID:408
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost14⤵
- Runs ping.exe
PID:528
-
-
C:\Users\Admin\AppData\Roaming\SubDir\dded.exe"C:\Users\Admin\AppData\Roaming\SubDir\dded.exe"14⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:2824 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\dded.exe" /rl HIGHEST /f15⤵
- Creates scheduled task(s)
PID:2988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XjAtX7RNKPT0.bat" "15⤵PID:3652
-
C:\Windows\system32\chcp.comchcp 6500116⤵PID:2704
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost16⤵
- Runs ping.exe
PID:4664
-
-
C:\Users\Admin\AppData\Roaming\SubDir\dded.exe"C:\Users\Admin\AppData\Roaming\SubDir\dded.exe"16⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:920 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\dded.exe" /rl HIGHEST /f17⤵
- Creates scheduled task(s)
PID:1220
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lzFmEPo8hcj7.bat" "17⤵PID:456
-
C:\Windows\system32\chcp.comchcp 6500118⤵PID:3916
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost18⤵
- Runs ping.exe
PID:1336
-
-
C:\Users\Admin\AppData\Roaming\SubDir\dded.exe"C:\Users\Admin\AppData\Roaming\SubDir\dded.exe"18⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:3996 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\dded.exe" /rl HIGHEST /f19⤵
- Creates scheduled task(s)
PID:4332
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pVj8ubBAANTh.bat" "19⤵PID:3424
-
C:\Windows\system32\chcp.comchcp 6500120⤵PID:644
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost20⤵
- Runs ping.exe
PID:2324
-
-
C:\Users\Admin\AppData\Roaming\SubDir\dded.exe"C:\Users\Admin\AppData\Roaming\SubDir\dded.exe"20⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:3776 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\dded.exe" /rl HIGHEST /f21⤵
- Creates scheduled task(s)
PID:676
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYobGV7NVRs9.bat" "21⤵PID:4888
-
C:\Windows\system32\chcp.comchcp 6500122⤵PID:4256
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost22⤵
- Runs ping.exe
PID:4068
-
-
C:\Users\Admin\AppData\Roaming\SubDir\dded.exe"C:\Users\Admin\AppData\Roaming\SubDir\dded.exe"22⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1308 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\dded.exe" /rl HIGHEST /f23⤵
- Creates scheduled task(s)
PID:4124
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OtFDgHarwQwm.bat" "23⤵PID:2404
-
C:\Windows\system32\chcp.comchcp 6500124⤵PID:2540
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost24⤵
- Runs ping.exe
PID:1920
-
-
C:\Users\Admin\AppData\Roaming\SubDir\dded.exe"C:\Users\Admin\AppData\Roaming\SubDir\dded.exe"24⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1956 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\dded.exe" /rl HIGHEST /f25⤵
- Creates scheduled task(s)
PID:2536
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RzEzOmXxtMPJ.bat" "25⤵PID:4884
-
C:\Windows\system32\chcp.comchcp 6500126⤵PID:1712
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost26⤵
- Runs ping.exe
PID:4600
-
-
C:\Users\Admin\AppData\Roaming\SubDir\dded.exe"C:\Users\Admin\AppData\Roaming\SubDir\dded.exe"26⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4796 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\dded.exe" /rl HIGHEST /f27⤵
- Creates scheduled task(s)
PID:4052
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\d9XQdBo7QZKy.bat" "27⤵PID:3124
-
C:\Windows\system32\chcp.comchcp 6500128⤵PID:1216
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost28⤵
- Runs ping.exe
PID:1468
-
-
C:\Users\Admin\AppData\Roaming\SubDir\dded.exe"C:\Users\Admin\AppData\Roaming\SubDir\dded.exe"28⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4392 -
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\dded.exe" /rl HIGHEST /f29⤵
- Creates scheduled task(s)
PID:1236
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:3564
-
C:\Users\Admin\Desktop\AsyncRAT v0.5.7B\AsyncRAT.exe"C:\Users\Admin\Desktop\AsyncRAT v0.5.7B\AsyncRAT.exe"1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2820 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2820 -s 42082⤵
- Program crash
PID:3444
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2820 -s 35282⤵
- Program crash
PID:3424
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:2180
-
C:\Users\Admin\Downloads\AsyncClient.exe"C:\Users\Admin\Downloads\AsyncClient.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1040 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft.exe"' & exit2⤵PID:1276
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Microsoft" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft.exe"'3⤵
- Creates scheduled task(s)
PID:4536
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8AE2.tmp.bat""2⤵PID:4256
-
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:2284
-
-
C:\Users\Admin\AppData\Roaming\Microsoft.exe"C:\Users\Admin\AppData\Roaming\Microsoft.exe"3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
- Windows security modification
- Drops desktop.ini file(s)
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:64 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\jehavv.exe"' & exit4⤵PID:1084
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\jehavv.exe"'5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2168 -
C:\Users\Admin\AppData\Local\Temp\jehavv.exe"C:\Users\Admin\AppData\Local\Temp\jehavv.exe"6⤵
- Executes dropped EXE
PID:4752
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2220
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/4⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4672 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbc6f146f8,0x7ffbc6f14708,0x7ffbc6f147185⤵PID:3912
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,8332476760378924369,7374153613010827787,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:25⤵PID:3568
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,8332476760378924369,7374153613010827787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2492 /prefetch:35⤵PID:3624
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,8332476760378924369,7374153613010827787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 /prefetch:85⤵PID:644
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8332476760378924369,7374153613010827787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:15⤵PID:1504
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8332476760378924369,7374153613010827787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:15⤵PID:4704
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2168,8332476760378924369,7374153613010827787,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4888 /prefetch:85⤵PID:4308
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"4⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:2024 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffbc6f146f8,0x7ffbc6f14708,0x7ffbc6f147185⤵PID:4336
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,6512127291166401712,477307150648471237,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:25⤵PID:4592
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,6512127291166401712,477307150648471237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:35⤵PID:4676
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,6512127291166401712,477307150648471237,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:85⤵PID:440
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6512127291166401712,477307150648471237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:15⤵PID:212
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,6512127291166401712,477307150648471237,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:15⤵PID:2924
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2184,6512127291166401712,477307150648471237,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4044 /prefetch:85⤵PID:4728
-
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3060
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 360 -p 2820 -ip 28201⤵PID:1712
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 468 -p 2820 -ip 28201⤵PID:4612
-
C:\Users\Admin\Desktop\AsyncRAT v0.5.7B\AsyncRAT.exe"C:\Users\Admin\Desktop\AsyncRAT v0.5.7B\AsyncRAT.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4100
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:3552
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3372
-
C:\Users\Admin\Desktop\AsyncRAT v0.5.7B\AsyncRAT.exe"C:\Users\Admin\Desktop\AsyncRAT v0.5.7B\AsyncRAT.exe"1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2076
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:3864
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1860
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x504 0x4f41⤵
- Suspicious use of AdjustPrivilegeToken
PID:4172
-
C:\Windows\regedit.exe"C:\Windows\regedit.exe"1⤵
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
PID:868
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:428
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3448
Network
MITRE ATT&CK Enterprise v6
Persistence
Change Default File Association
1Modify Existing Service
1Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
Disabling Security Tools
2Install Root Certificate
1Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40B
MD5f9117eef265e523cfb5089ab5388e102
SHA113da751278466c6af5b00499ddc8f4cc129a6056
SHA25697625a9a59a2481937e156777eb38537f212ad290e3c9d974f5c558ddd490268
SHA51214fb42f95120fefe78ad63945521cbef00ddbeec7619b08855b580eef59769d051ccdd05a7409347bdbb0c85c1f934f4dc91928f9122ad12bd66dbb97934f6fc
-
Filesize
40B
MD5f9117eef265e523cfb5089ab5388e102
SHA113da751278466c6af5b00499ddc8f4cc129a6056
SHA25697625a9a59a2481937e156777eb38537f212ad290e3c9d974f5c558ddd490268
SHA51214fb42f95120fefe78ad63945521cbef00ddbeec7619b08855b580eef59769d051ccdd05a7409347bdbb0c85c1f934f4dc91928f9122ad12bd66dbb97934f6fc
-
Filesize
40B
MD5f9117eef265e523cfb5089ab5388e102
SHA113da751278466c6af5b00499ddc8f4cc129a6056
SHA25697625a9a59a2481937e156777eb38537f212ad290e3c9d974f5c558ddd490268
SHA51214fb42f95120fefe78ad63945521cbef00ddbeec7619b08855b580eef59769d051ccdd05a7409347bdbb0c85c1f934f4dc91928f9122ad12bd66dbb97934f6fc
-
Filesize
40B
MD5f9117eef265e523cfb5089ab5388e102
SHA113da751278466c6af5b00499ddc8f4cc129a6056
SHA25697625a9a59a2481937e156777eb38537f212ad290e3c9d974f5c558ddd490268
SHA51214fb42f95120fefe78ad63945521cbef00ddbeec7619b08855b580eef59769d051ccdd05a7409347bdbb0c85c1f934f4dc91928f9122ad12bd66dbb97934f6fc
-
Filesize
40B
MD5f9117eef265e523cfb5089ab5388e102
SHA113da751278466c6af5b00499ddc8f4cc129a6056
SHA25697625a9a59a2481937e156777eb38537f212ad290e3c9d974f5c558ddd490268
SHA51214fb42f95120fefe78ad63945521cbef00ddbeec7619b08855b580eef59769d051ccdd05a7409347bdbb0c85c1f934f4dc91928f9122ad12bd66dbb97934f6fc
-
Filesize
40B
MD5f9117eef265e523cfb5089ab5388e102
SHA113da751278466c6af5b00499ddc8f4cc129a6056
SHA25697625a9a59a2481937e156777eb38537f212ad290e3c9d974f5c558ddd490268
SHA51214fb42f95120fefe78ad63945521cbef00ddbeec7619b08855b580eef59769d051ccdd05a7409347bdbb0c85c1f934f4dc91928f9122ad12bd66dbb97934f6fc
-
Filesize
2KB
MD5a99ab00491c80840cf9ef0bed5fa69dd
SHA157e0102f1d1dc8b6b0c517efef1e3306c72d7ccf
SHA25605e8091ca9efb7c1516809e3c83b50a37a36f490ecabaf55d8fe0672fd852769
SHA512d50a998365f4c57c602939614cbfe4c0ec0d58c19be72c89ad7929a7bb26b51daa1bdbf97456680975e81e7a200e775b1baf03db57bc16fee81a5fda843f8611
-
Filesize
2KB
MD549880feb55eab190378fac297f08ba70
SHA1c1f7ac4bbd9c5f887609bc876b5296155c2630f7
SHA2568642a9aa62027763803a6efc46bd3b2f0d37df279a34aebef00875a8d4f1a0b2
SHA5122ca94989f48e6f3bb58e5e4d031b0a079ef0a99935af9fc7d2b0042b1827704419eaaa6df1af48f878ebe4d803fea103fcd09376a2cb4948b352956ec5e69bc0