Analysis

max time kernel: 1802s
max time network: 1804s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13/01/2023, 03:15
Static task: static1
Behavioral task: behavioral1
Sample: hitho.lua
Resource: win10v2004-20220812-en
General

Target: hitho.lua
Size: 134B
MD5: ddfdcc11a3e4a5dd265442a5bcea9fcf
SHA1: a98cf41fb793d5c23bef6baac5c5848233c6ff41
SHA256: 8a8762536fbbd093b02ed8e6d698b8831575206d3d2f0b9d4a06a770ff95785f
SHA512: 25baa3074642a5f45760a905e238b3882debc856d9c84701930f4b6ed5d105e983bec3a3dfed0de6c8b6b5b901f575cbccf8fe3debc8f970acc8ff70371d6c02
Malware Config

Extracted: C:\Program Files\WinRAR\Rar.txt
Extracted: C:\Program Files\WinRAR\WhatsNew.txt
URLs: https, http, http://weirdsgn.com, http://icondesignlab.com, https://rarlab.com/themes/WinRAR_Classic_48x36.theme.rar

Extracted: quasar
Version: 1.3.0.0
Botnet: Office04
C2: 127.0.0.1:9018
Mutex: QSR_MUTEX_K7WFFxc2Bmagj3PE7K
Attributes:
  encryption_key: XyxsIjqX01n2hT2xKY1j
  install_name: Client.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Quasar Client Startup
  subdirectory: SubDir
Signatures

Modifies system executable filetype association (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 | uninstall.exe
Quasar payload (1 IoC)
resource | yara_rule
behavioral1/memory/4508-207-0x0000000000CA0000-0x0000000000CFE000-memory.dmp | family_quasar
Suspicious use of NtCreateProcessExOtherParentProcess (4 IoCs)
description | pid | Process | procid_target
PID 5476 created 4736 | 5476 | Taskmgr.exe | 284
PID 5476 created 4736 | 5476 | Taskmgr.exe | 284
PID 5476 created 704 | 5476 | Taskmgr.exe | 278
PID 5476 created 704 | 5476 | Taskmgr.exe | 278
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
XMRig Miner payload (8 IoCs)
resource | yara_rule
behavioral1/memory/5088-186-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
behavioral1/memory/5088-187-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
behavioral1/memory/5088-188-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
behavioral1/memory/5088-189-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
behavioral1/memory/5088-193-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
behavioral1/memory/5088-194-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
behavioral1/memory/5088-199-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
behavioral1/memory/5088-200-0x0000000000400000-0x0000000000DCB000-memory.dmp | xmrig
Downloads MZ/PE file
Executes dropped EXE (40 IoCs)
pid | Process
4024 | winrar-x64-611.exe
664 | uninstall.exe
3400 | WinRAR.exe
504 | Quasarx.exe
5088 | TiWorker.exe
440 | Quasar.exe
3428 | Quasarx.exe
2236 | Quasar.exe
4508 | Client-built.exe
996 | Client.exe
3436 | ChromeRecovery.exe
4940 | WinRAR.exe
3516 | WinRAR.exe
2196 | Vayne Ratx.exe
1360 | Vayne Rat.exe
3132 | Vayne Ratx.exe
1588 | Vayne Rat.exe
2392 | Vayne Rat.exe
4052 | armsvc.exe
4256 | Vayne Ratx.exe
1592 | Vayne Rat.exe
1400 | WinRAR.exe
5092 | WinRAR.exe
2580 | shia hacker -ratx.exe
376 | shia hacker -rat.exe
2372 | ded.exe
3808 | svchost.exe
1000 | shia hacker -rat.exe
4008 | dedd.exe
2988 | BlueEagleSplitterx.exe
308 | BlueEagleSplitter.exe
4504 | Blueeagle_Splitter.exe
704 | wat.exe
4464 | wat.exe
4736 | why.exe
6100 | WinRAR.exe
928 | WARZONE RAT 1.2x.exe
3016 | WARZONE RAT 1.2.exe
1548 | Notable.exe
2272 | services.exe
Modifies Windows Firewall (1 TTP, 2 IoCs)
pid | Process
2816 | netsh.exe
3612 | netsh.exe
Registers COM server for autorun (1 TTP, 3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment" | uninstall.exe
Checks computer location settings (2 TTPs, 12 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | Quasarx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | Quasarx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | WinRAR.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | Vayne Ratx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | Vayne Ratx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | ded.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | BlueEagleSplitterx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | winrar-x64-611.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | Vayne Ratx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | shia hacker -ratx.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | BlueEagleSplitter.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | WARZONE RAT 1.2x.exe
Drops startup file (5 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wat.exe | wat.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\why.exe | why.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\why.exe | why.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wat.exe | wat.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wat.exe | wat.exe
Loads dropped DLL (22 IoCs)
pid | Process (consecutive identical rows collapsed, count in parentheses)
2376 | Process not Found
1360 | Vayne Rat.exe (x2)
1588 | Vayne Rat.exe (x2)
2392 | Vayne Rat.exe (x2)
1588 | Vayne Rat.exe (x4)
1592 | Vayne Rat.exe (x6)
5476 | Taskmgr.exe
3016 | WARZONE RAT 1.2.exe (x4)
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Google App Update = "C:\\ProgramData\\services.exe" | Notable.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
289 | ip-api.com
Drops file in System32 directory (17 IoCs)
description | ioc | Process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | svchost.exe
File opened for modification | C:\Windows\SysWOW64\config.json | Quasarx.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs | svchost.exe
File opened for modification | C:\Windows\SysWOW64\TiWorker.exe | Quasarx.exe
File created | C:\Windows\SysWOW64\config.json | Quasarx.exe
File opened for modification | C:\Windows\SysWOW64\MicrosoftWindows.xml | Quasarx.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp | svchost.exe
File created | C:\Windows\SysWOW64\TiWorker.exe | Quasarx.exe
File created | C:\Windows\SysWOW64\MicrosoftWindows.xml | Quasarx.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat | svchost.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (1 IoC)
description | ioc | Process
File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | dw20.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 9 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | Taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | Taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | Taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
4532 | schtasks.exe
2320 | schtasks.exe
2328 | schtasks.exe
Enumerates system info in registry (2 TTPs, 11 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe

description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | WinRAR.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | WinRAR.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | WinRAR.exe
Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Internet Explorer\IESettingSync | WinRAR.exe
Modifies registry class (64 IoCs)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (consecutive identical rows collapsed, count in parentheses)
1932 | chrome.exe (x2)
3120 | chrome.exe (x2)
3656 | chrome.exe (x2)
4612 | chrome.exe (x2)
4812 | chrome.exe (x2)
2544 | chrome.exe (x2)
3928 | chrome.exe (x2)
2896 | chrome.exe (x2)
3752 | chrome.exe (x2)
4944 | chrome.exe (x2)
5004 | chrome.exe (x4)
2656 | chrome.exe (x2)
1556 | chrome.exe (x2)
4496 | chrome.exe (x2)
1328 | chrome.exe (x2)
2056 | chrome.exe (x2)
504 | Quasarx.exe (x8)
3428 | Quasarx.exe (x8)
428 | mspaint.exe (x2)
4032 | chrome.exe (x2)
552 | taskmgr.exe (x10)
Suspicious behavior: GetForegroundWindowSpam (13 IoCs)
pid | Process
3400 | WinRAR.exe
2236 | Quasar.exe
4940 | WinRAR.exe
4392 | taskmgr.exe
1360 | Vayne Rat.exe
1400 | WinRAR.exe
5092 | WinRAR.exe
376 | shia hacker -rat.exe
1000 | shia hacker -rat.exe
4504 | Blueeagle_Splitter.exe
5476 | Taskmgr.exe
6100 | WinRAR.exe
3016 | WARZONE RAT 1.2.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 31 IoCs
Suspicious use of AdjustPrivilegeToken 32 IoCs
description pid Process:
- Token: 33 4036 AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege 4036 AUDIODG.EXE
- Token: SeLockMemoryPrivilege 5088 TiWorker.exe
- Token: SeDebugPrivilege 552 taskmgr.exe
- Token: SeSystemProfilePrivilege 552 taskmgr.exe
- Token: SeCreateGlobalPrivilege 552 taskmgr.exe
- Token: 33 552 taskmgr.exe
- Token: SeIncBasePriorityPrivilege 552 taskmgr.exe
- Token: SeDebugPrivilege 4508 Client-built.exe
- Token: SeDebugPrivilege 996 Client.exe
- Token: SeDebugPrivilege 2236 Quasar.exe
- Token: SeDebugPrivilege 4392 taskmgr.exe
- Token: SeSystemProfilePrivilege 4392 taskmgr.exe
- Token: SeCreateGlobalPrivilege 4392 taskmgr.exe
- Token: SeDebugPrivilege 2372 ded.exe
- Token: SeDebugPrivilege 3808 svchost.exe
- Token: SeDebugPrivilege 308 BlueEagleSplitter.exe
- Token: SeDebugPrivilege 4504 Blueeagle_Splitter.exe
- Token: SeDebugPrivilege 704 wat.exe
- Token: SeDebugPrivilege 4464 wat.exe
- Token: SeDebugPrivilege 4736 why.exe
- Token: SeRestorePrivilege 544 dw20.exe
- Token: SeBackupPrivilege 544 dw20.exe
- Token: SeBackupPrivilege 544 dw20.exe
- Token: SeBackupPrivilege 544 dw20.exe
- Token: SeBackupPrivilege 544 dw20.exe
- Token: SeDebugPrivilege 5476 Taskmgr.exe
- Token: SeSystemProfilePrivilege 5476 Taskmgr.exe
- Token: SeCreateGlobalPrivilege 5476 Taskmgr.exe
- Token: SeSecurityPrivilege 5476 Taskmgr.exe
- Token: SeTakeOwnershipPrivilege 5476 Taskmgr.exe
- Token: SeDebugPrivilege 3016 WARZONE RAT 1.2.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process:
- 4344 OpenWith.exe
- 4024 winrar-x64-611.exe
- 4024 winrar-x64-611.exe
- 3400 WinRAR.exe
- 3400 WinRAR.exe
- 504 Quasarx.exe
- 3428 Quasarx.exe
- 428 mspaint.exe
- 3412 OpenWith.exe
- 2236 Quasar.exe
- 2236 Quasar.exe
- 2236 Quasar.exe
- 2196 Vayne Ratx.exe
- 3132 Vayne Ratx.exe
- 4256 Vayne Ratx.exe
- 2580 shia hacker -ratx.exe
- 376 shia hacker -rat.exe
- 376 shia hacker -rat.exe
- 1000 shia hacker -rat.exe
- 1000 shia hacker -rat.exe
- 2988 BlueEagleSplitterx.exe
- 4504 Blueeagle_Splitter.exe
- 4504 Blueeagle_Splitter.exe
- 704 wat.exe
- 4504 Blueeagle_Splitter.exe
- 4736 why.exe
- 544 dw20.exe
- 928 WARZONE RAT 1.2x.exe
- 3016 WARZONE RAT 1.2.exe
- 3016 WARZONE RAT 1.2.exe
- 3016 WARZONE RAT 1.2.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\hitho.lua
  PID: 396
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures:
  - Suspicious use of SetWindowsHookEx
  PID: 4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 3120
  Child processes:
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbaa074f50,0x7ffbaa074f60,0x7ffbaa074f70
    PID: 3548
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1604 /prefetch:2
    PID: 1204
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1980 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    PID: 1932
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 /prefetch:8
    PID: 2384
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2932 /prefetch:1
    PID: 3952
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
    PID: 540
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1
    PID: 2980
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4436 /prefetch:8
    PID: 4336
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4616 /prefetch:8
    PID: 308
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4592 /prefetch:8
    PID: 208
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    PID: 3656
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
    PID: 1260
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5168 /prefetch:8
    PID: 3160
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    PID: 4612
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5244 /prefetch:8
    PID: 2544
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4516 /prefetch:8
    PID: 220
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4580 /prefetch:8
    PID: 4980
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
    PID: 4816
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
    PID: 1044
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
    PID: 4676
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    PID: 4812
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    PID: 2544
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3256 /prefetch:8
    PID: 4768
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4432 /prefetch:8
    PID: 260
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5484 /prefetch:8
    PID: 948
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3680 /prefetch:8
    PID: 4476
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2104 /prefetch:1
    PID: 4864
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
    PID: 5020
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5296 /prefetch:8
    PID: 1272
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5196 /prefetch:8
    PID: 3884
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3028 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    PID: 3928
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4624 /prefetch:8
    PID: 3432
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    PID: 2896
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2380 /prefetch:8
    PID: 3624
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    PID: 3752
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4604 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    PID: 4944
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5492 /prefetch:8
    PID: 4960
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4448 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    PID: 5004
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
    PID: 3420
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
    PID: 1248
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5696 /prefetch:8
    PID: 4384
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5860 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    PID: 2656
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1
    PID: 3928
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
    PID: 4312
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5552 /prefetch:8
    PID: 3056
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6184 /prefetch:8
    PID: 2344
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4792 /prefetch:8
    PID: 4932
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
    PID: 2908
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
    PID: 2124
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6952 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    PID: 1556
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
    PID: 2068
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
    PID: 4136
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6908 /prefetch:8
    PID: 3092
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6444 /prefetch:8
    PID: 2208
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6964 /prefetch:8
    PID: 628
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6632 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    PID: 4496
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2628 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    PID: 1328
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6608 /prefetch:8
    PID: 3352
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6480 /prefetch:8
    PID: 2976
  - C:\Users\Admin\Downloads\winrar-x64-611.exe
    Command line: "C:\Users\Admin\Downloads\winrar-x64-611.exe"
    Signatures:
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID: 4024
    Child processes:
    - C:\Program Files\WinRAR\uninstall.exe
      Command line: "C:\Program Files\WinRAR\uninstall.exe" /setup
      Signatures:
      - Modifies system executable filetype association
      - Executes dropped EXE
      - Registers COM server for autorun
      - Drops file in Program Files directory
      - Modifies registry class
      PID: 664
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5952 /prefetch:8
    PID: 4372
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
    PID: 4980
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    PID: 2056
  - C:\Program Files\WinRAR\WinRAR.exe
    Command line: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\Quasar 1.3 modified by Deos.zip"
    Signatures:
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID: 3400
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6808 /prefetch:8
    PID: 2196
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5160 /prefetch:82⤵PID:4844
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4032
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5472 /prefetch:82⤵PID:2184
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2980 /prefetch:82⤵PID:4868
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:12⤵PID:2808
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6912 /prefetch:12⤵PID:4584
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6204 /prefetch:82⤵PID:3164
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4600 /prefetch:82⤵PID:4984
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7140 /prefetch:82⤵PID:3344
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7132 /prefetch:82⤵PID:3068
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6036 /prefetch:82⤵PID:212
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6592 /prefetch:82⤵PID:456
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4744 /prefetch:82⤵PID:1904
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5284 /prefetch:82⤵PID:4768
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:12⤵PID:2880
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7160 /prefetch:12⤵PID:3020
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:12⤵PID:4092
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5860 /prefetch:82⤵PID:1400
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5464 /prefetch:82⤵PID:4268
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5984 /prefetch:82⤵PID:5008
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6812 /prefetch:82⤵PID:916
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3004 /prefetch:82⤵PID:3400
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5912 /prefetch:82⤵PID:3516
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6092 /prefetch:82⤵PID:1608
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7016 /prefetch:82⤵PID:1936
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6276 /prefetch:82⤵PID:908
-
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\MeGa-RAT-Pack-master.zip"2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:4940 -
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\Admin\AppData\Local\Temp\Rar$DIa4940.44300\VayneRat.zip3⤵
- Executes dropped EXE
- Modifies registry class
PID:3516
-
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\AppData\Local\Temp\Rar$DIa4940.20707\Shia Hacker School -Rat v1.0.zip"3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:1400
-
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\Admin\AppData\Local\Temp\Rar$DIa4940.21868\SaherBlueEagle_Splitter[RAT].zip3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:5092
-
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\AppData\Local\Temp\Rar$DIa4940.37987\WARZONE 1.2 Cracked.zip"3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:6100
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6240 /prefetch:82⤵PID:1296
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6376 /prefetch:82⤵PID:4064
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:82⤵PID:364
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1572,4316888642968382152,9698418959292873117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5452 /prefetch:82⤵PID:180
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4184
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x324 0x4c81⤵
- Suspicious use of AdjustPrivilegeToken
PID:4036
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:116
-
C:\Users\Admin\Desktop\Quasar 1.3 modified by Deos\Quasarx.exe"C:\Users\Admin\Desktop\Quasar 1.3 modified by Deos\Quasarx.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:504 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate" & schtasks /End /TN "WindowsUpdate" & exit2⤵PID:308
-
C:\Windows\system32\schtasks.exeschtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate"3⤵PID:2216
-
-
C:\Windows\system32\schtasks.exeschtasks /End /TN "WindowsUpdate"3⤵PID:4384
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /Delete /TN "WindowsUpdate" /F & exit2⤵PID:3088
-
C:\Windows\system32\schtasks.exeschtasks /Delete /TN "WindowsUpdate" /F3⤵PID:2280
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=out action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit2⤵PID:2168
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="System" dir=out action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes3⤵
- Modifies Windows Firewall
PID:2816
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=in action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit2⤵PID:1296
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="System" dir=in action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes3⤵
- Modifies Windows Firewall
PID:3612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /Create /XML "%windir%\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F & exit2⤵PID:4940
-
C:\Windows\system32\schtasks.exeschtasks /Create /XML "C:\Windows\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F3⤵
- Creates scheduled task(s)
PID:2328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "%windir%\SysWOW64\TiWorker.exe" & schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate" & exit2⤵PID:2880
-
C:\Windows\system32\schtasks.exeschtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "C:\Windows\SysWOW64\TiWorker.exe"3⤵PID:3592
-
-
C:\Windows\system32\schtasks.exeschtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate"3⤵PID:632
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c certutil –addstore –f root MicrosoftWindows.crt & exit2⤵PID:1260
-
C:\Windows\system32\certutil.execertutil –addstore –f root MicrosoftWindows.crt3⤵PID:4188
-
-
-
C:\Users\Admin\Desktop\Quasar 1.3 modified by Deos\Quasar.exe"C:\Users\Admin\Desktop\Quasar 1.3 modified by Deos\Quasar.exe"2⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:440
-
-
C:\Windows\SysWOW64\TiWorker.exeC:\Windows\SysWOW64\TiWorker.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5088
-
C:\Users\Admin\Desktop\Quasar 1.3 modified by Deos\Quasarx.exe"C:\Users\Admin\Desktop\Quasar 1.3 modified by Deos\Quasarx.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3428 -
C:\Users\Admin\Desktop\Quasar 1.3 modified by Deos\Quasar.exe"C:\Users\Admin\Desktop\Quasar 1.3 modified by Deos\Quasar.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2236
-
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\Quasar 1.3 modified by Deos\Screenshot.png" /ForceBootstrapPaint3D1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:428
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc1⤵
- Drops file in System32 directory
PID:700
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:3412
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:552
-
C:\Users\Admin\Downloads\Client-built.exe"C:\Users\Admin\Downloads\Client-built.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4508 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\Downloads\Client-built.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
PID:4532
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:996 -
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
PID:2320
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4392
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"1⤵
- Drops file in Program Files directory
PID:1360 -
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1360_128786915\ChromeRecovery.exe"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir1360_128786915\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={d05485f9-0ca8-4147-b0df-34c3d819f7df} --system2⤵
- Executes dropped EXE
PID:3436
-
-
C:\Users\Admin\Desktop\VayneRat\Vayne Ratx.exe"C:\Users\Admin\Desktop\VayneRat\Vayne Ratx.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:2196 -
C:\Users\Admin\Desktop\VayneRat\Vayne Rat.exe"C:\Users\Admin\Desktop\VayneRat\Vayne Rat.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:1360
-
-
C:\Users\Admin\Desktop\VayneRat\Vayne Ratx.exe"C:\Users\Admin\Desktop\VayneRat\Vayne Ratx.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:3132 -
C:\Users\Admin\Desktop\VayneRat\Vayne Rat.exe"C:\Users\Admin\Desktop\VayneRat\Vayne Rat.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1588
-
-
C:\Users\Admin\Desktop\VayneRat\Vayne Rat.exe"C:\Users\Admin\Desktop\VayneRat\Vayne Rat.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392
-
C:\Users\Admin\Desktop\VayneRat\armsvc.exe"C:\Users\Admin\Desktop\VayneRat\armsvc.exe"1⤵
- Executes dropped EXE
PID:4052
-
C:\Users\Admin\Desktop\VayneRat\Vayne Ratx.exe"C:\Users\Admin\Desktop\VayneRat\Vayne Ratx.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:4256 -
C:\Users\Admin\Desktop\VayneRat\Vayne Rat.exe"C:\Users\Admin\Desktop\VayneRat\Vayne Rat.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592
-
-
C:\Users\Admin\Desktop\Shia Hacker School -Rat v1.0\shia hacker -ratx.exe"C:\Users\Admin\Desktop\Shia Hacker School -Rat v1.0\shia hacker -ratx.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:2580 -
C:\Users\Admin\Desktop\Shia Hacker School -Rat v1.0\shia hacker -rat.exe"C:\Users\Admin\Desktop\Shia Hacker School -Rat v1.0\shia hacker -rat.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:376
-
-
C:\Users\Admin\Downloads\ded.exe"C:\Users\Admin\Downloads\ded.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:2372 -
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3808
-
-
C:\Users\Admin\Desktop\Shia Hacker School -Rat v1.0\shia hacker -rat.exe"C:\Users\Admin\Desktop\Shia Hacker School -Rat v1.0\shia hacker -rat.exe"1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1000
-
C:\Users\Admin\Downloads\dedd.exe"C:\Users\Admin\Downloads\dedd.exe"1⤵
- Executes dropped EXE
PID:4008
-
C:\Users\Admin\Desktop\SaherBlueEagle_Splitter[RAT]\BlueEagleSplitterx.exe"C:\Users\Admin\Desktop\SaherBlueEagle_Splitter[RAT]\BlueEagleSplitterx.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:2988 -
C:\Users\Admin\Desktop\SaherBlueEagle_Splitter[RAT]\BlueEagleSplitter.exeC:\Users\Admin\Desktop\SaherBlueEagle_Splitter[RAT]\BlueEagleSplitter.exe2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:308 -
C:\Users\Admin\AppData\Local\Temp\Blueeagle_Splitter.exe"C:\Users\Admin\AppData\Local\Temp\Blueeagle_Splitter.exe"3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4504 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 31644⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:544
-
-
-
-
C:\Users\Admin\Downloads\wat.exe"C:\Users\Admin\Downloads\wat.exe"1⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:704
-
C:\Users\Admin\Downloads\wat.exe"C:\Users\Admin\Downloads\wat.exe"1⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
PID:4464
-
C:\Users\Admin\Downloads\why.exe"C:\Users\Admin\Downloads\why.exe"1⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4736
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵PID:2872
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵PID:3268
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵PID:5276
-
C:\Windows\system32\Taskmgr.exetaskmgr.exe2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Loads dropped DLL
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:5476
-
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\23dd2da8fb00448b98fd6e5d3e5bfe8c /t 1936 /p 47361⤵PID:5676
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\19c5f1e2fcb9468ca6ed09581754f3d0 /t 4500 /p 7041⤵PID:5744
-
C:\Users\Admin\Desktop\WARZONE 1.2 Cracked\WARZONE RAT 1.2x.exe"C:\Users\Admin\Desktop\WARZONE 1.2 Cracked\WARZONE RAT 1.2x.exe"1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:928 -
C:\Users\Admin\Desktop\WARZONE 1.2 Cracked\WARZONE RAT 1.2.exe"C:\Users\Admin\Desktop\WARZONE 1.2 Cracked\WARZONE RAT 1.2.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3016 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://xakfor.net/forum/3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:2208 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffba88d46f8,0x7ffba88d4708,0x7ffba88d47184⤵PID:704
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,11728857712244453322,5817232458252506304,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:24⤵PID:552
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,11728857712244453322,5817232458252506304,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:34⤵PID:1804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,11728857712244453322,5817232458252506304,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:84⤵PID:5368
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11728857712244453322,5817232458252506304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:14⤵PID:4292
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11728857712244453322,5817232458252506304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:14⤵PID:5036
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,11728857712244453322,5817232458252506304,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4904 /prefetch:84⤵PID:4920
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11728857712244453322,5817232458252506304,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:14⤵PID:4916
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://xakfor.net/forum/3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:2152 -
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffba88d46f8,0x7ffba88d4708,0x7ffba88d4718 (tree level 4) PID:2340

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2272,8365253307317037100,3192445141293994984,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2280 /prefetch:2 (tree level 4) PID:312

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2272,8365253307317037100,3192445141293994984,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3 (tree level 4) PID:4148

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2272,8365253307317037100,3192445141293994984,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8 (tree level 4) PID:1588

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,8365253307317037100,3192445141293994984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1 (tree level 4) PID:5288

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,8365253307317037100,3192445141293994984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1 (tree level 4) PID:5240

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2272,8365253307317037100,3192445141293994984,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4340 /prefetch:8 (tree level 4) PID:6140

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,8365253307317037100,3192445141293994984,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1 (tree level 4) PID:4948

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,8365253307317037100,3192445141293994984,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1 (tree level 4) PID:3640

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,8365253307317037100,3192445141293994984,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4292 /prefetch:1 (tree level 4) PID:5940
C:\Windows\System32\CompPkgSrv.exe -Embedding (tree level 1) PID:756

C:\Windows\System32\CompPkgSrv.exe -Embedding (tree level 1) PID:5860

"C:\Users\Admin\Downloads\Notable.exe" (tree level 1) PID:1548
- Executes dropped EXE
- Adds Run key to start application

"C:\ProgramData\services.exe" (tree level 2) PID:2272
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads