Analysis
max time kernel: 150s
max time network: 122s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 18-07-2024 14:47
Static task
static1
Behavioral task
behavioral1
Sample
57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
Target: 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe
Size: 1.3MB
MD5: 57d3f7529a5839dde7f8b7cc16681bc2
SHA1: efc16c86fc9fc3c9b0d3677e9d9c0d28b34b7115
SHA256: e00905ea366cb3bab0ed0d5cac3a3b2fac8be857477cd12e0888ceb778e51ddd
SHA512: 980ef29568044993b3e1c6c8e3f531325c691befd1936851c1945c15aadce82d87caefe8d1273cd54b6781792d734f86a753bfdc507c05282389fb7a9eb12350
SSDEEP: 24576:X/ldrejcz69oQ0zto3Zo6hq2HOGyVfCsvodqKCfdK8GR1:Hejck30o3W6hHefXvY8GR1
Malware Config
Extracted
xtremerat
boubacs2.no-ip.biz
zf23.no-ip.info
C:\Users\Publicboubq1.no-ip.biz
Signatures
-
Detect XtremeRAT payload 5 IoCs
resource  yara_rule
behavioral1/memory/2300-6-0x0000000000C80000-0x0000000000C93000-memory.dmp  family_xtremerat
behavioral1/memory/2652-9-0x0000000004B90000-0x0000000004E5F000-memory.dmp  family_xtremerat
behavioral1/memory/2300-8-0x0000000000C80000-0x0000000000C93000-memory.dmp  family_xtremerat
behavioral1/memory/2300-7-0x0000000000C80000-0x0000000000C93000-memory.dmp  family_xtremerat
behavioral1/memory/2804-18-0x0000000000C80000-0x0000000000C93000-memory.dmp  family_xtremerat
-
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 64 IoCs
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  Winrar.exe
(All 64 entries are identical to the row above and come from Winrar.exe.)
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description  ioc  Process
Key created  \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{U26Y3RL8-7V25-1E0S-S40X-5O6O20TO3XRP}  Winrar.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{U26Y3RL8-7V25-1E0S-S40X-5O6O20TO3XRP}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe restart"  Winrar.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{U26Y3RL8-7V25-1E0S-S40X-5O6O20TO3XRP}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe restart"  57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{U26Y3RL8-7V25-1E0S-S40X-5O6O20TO3XRP}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe restart"  svchost.exe
(The two Winrar.exe entries recur across the 64 IoCs, one pair per Winrar.exe instance; the entries from 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe and svchost.exe each occur once. Each distinct entry is listed once above.)
-
Executes dropped EXE 64 IoCs
pid  Process
All 64 entries are Winrar.exe, with PIDs in the order reported: 3048, 2156, 2756, 2760, 2492, 2096, 1060, 1756, 1640, 2328, 2128, 2464, 2544, 696, 264, 2744, 1308, 2976, 576, 948, 1640, 960, 2660, 2776, 484, 2360, 3012, 2484, 1740, 948, 644, 236, 2524, 408, 1380, 3056, 3008, 2032, 1304, 932, 1640, 2824, 2432, 1680, 2876, 1628, 3100, 3184, 3364, 3524, 3548, 3712, 3768, 3908, 4016, 848, 3092, 3148, 2960, 3456, 3540, 3668, 3800, 3824.
-
Identifies Wine through registry keys 2 TTPs 64 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine  Winrar.exe
Key opened  \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Wine  57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe
(64 entries in total: one from 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe, the rest identical and from Winrar.exe instances.)
-
Loads dropped DLL 30 IoCs
pid  Process
2300  57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe  (2 entries)
2804  svchost.exe  (remaining 28 entries)
-
Adds Run key to start application 2 TTPs 64 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe"  Winrar.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe"  Winrar.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe"  svchost.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe"  57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe
(The two Winrar.exe entries recur across the 64 IoCs; the svchost.exe and 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe entries each occur once. Each distinct entry is listed once above. The source listing is cut off partway through a final HKLM entry whose value is not present on the page.)
"C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" Winrar.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" Winrar.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" Winrar.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" Winrar.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" Winrar.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" Winrar.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" Winrar.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" Winrar.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" Winrar.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" Winrar.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" Winrar.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" Winrar.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" Winrar.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" Winrar.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" Winrar.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" Winrar.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" Winrar.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" Winrar.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" Winrar.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" Winrar.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" Winrar.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" Winrar.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" Winrar.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" Winrar.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
Suspicious use of SetThreadContext 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Process tree (the bracketed number is the depth in the tree; each process is indented under its parent, followed by the signatures triggered in that process):

[1] C:\Users\Admin\AppData\Local\Temp\57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe, command line "C:\Users\Admin\AppData\Local\Temp\57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe", PID:2652
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe, command line "C:\Users\Admin\AppData\Local\Temp\57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe", PID:2300
      - Boot or Logon Autostart Execution: Active Setup
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\svchost.exe, command line svchost.exe, PID:2804
        - Boot or Logon Autostart Execution: Active Setup
        - Loads dropped DLL
        - Adds Run key to start application
      [4] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe, command line "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe", PID:2760
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
        [5] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe, command line "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe", PID:2492
            - Executes dropped EXE
      [4] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe, command line "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe", PID:1060
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
        [5] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe, command line "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe", PID:1756
            - Boot or Logon Autostart Execution: Active Setup
            - Executes dropped EXE
            - Adds Run key to start application
          [6] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:1664
          [6] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:1420
          [6] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:1912
          [6] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:1684
          [6] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:3024
          [6] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:1980
          [6] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:3064
          [6] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:1904
          [6] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe, command line "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe", PID:2464
              - Identifies VirtualBox via ACPI registry values (likely anti-VM)
              - Executes dropped EXE
              - Identifies Wine through registry keys
            [7] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe, command line "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe", PID:264
                - Boot or Logon Autostart Execution: Active Setup
                - Executes dropped EXE
                - Adds Run key to start application
              [8] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:2752
              [8] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:1860
              [8] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:1808
              [8] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:1760
              [8] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:1292
              [8] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:2932
              [8] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:2420
              [8] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:1328
              [8] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe, command line "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe", PID:576
                  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  - Executes dropped EXE
                  - Identifies Wine through registry keys
                  - Suspicious use of NtSetInformationThreadHideFromDebugger
                  - Suspicious use of SetThreadContext
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of SetWindowsHookEx
                [9] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe, command line "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe", PID:1640
                    - Executes dropped EXE
                    - Adds Run key to start application
                  [10] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:888
                  [10] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:1488
                  [10] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:2644
                  [10] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:2692
                  [10] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:2260
                  [10] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:2748
                  [10] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:1548
                  [10] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:596
                  [10] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe, command line "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe", PID:484
                      - Executes dropped EXE
                      - Identifies Wine through registry keys
                      - Suspicious use of NtSetInformationThreadHideFromDebugger
                      - Suspicious use of SetThreadContext
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of SetWindowsHookEx
                    [11] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe, command line "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe", PID:3012
                        - Executes dropped EXE
                      [12] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:448
                      [12] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:2180
                      [12] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:376
                      [12] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:1564
                      [12] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:1588
                      [12] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:1816
                      [12] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:2912
                      [12] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:2324
                      [12] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe, command line "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe", PID:2524
                          - Executes dropped EXE
                          - Suspicious use of NtSetInformationThreadHideFromDebugger
                          - Suspicious use of SetThreadContext
                          - Suspicious behavior: EnumeratesProcesses
                          - Suspicious use of SetWindowsHookEx
                        [13] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe, command line "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe", PID:1380
                            - Executes dropped EXE
                          [14] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:2004
                          [14] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:1700
      [4] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe, command line "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe", PID:2128
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Executes dropped EXE
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
        [5] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe, command line "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe", PID:696
            - Executes dropped EXE
            - Adds Run key to start application
          [6] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:2264
          [6] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:2856
      [4] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe, command line "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe", PID:1308
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
        [5] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe, command line "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe", PID:2976
            - Boot or Logon Autostart Execution: Active Setup
            - Executes dropped EXE
            - Adds Run key to start application
          [6] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:2144
          [6] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:1280
          [6] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:836
          [6] C:\Program Files\Internet Explorer\iexplore.exe, command line "C:\Program Files\Internet Explorer\iexplore.exe", PID:840
      [4] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe, command line "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2660 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"5⤵
- Executes dropped EXE
PID:2776 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2352
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2632
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1696
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2984
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1400
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2436
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:916
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1756
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:948 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
PID:236 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:1792
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:556
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:1036
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:276
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:872
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1740 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:644 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2540
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1956
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1772
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2872
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1636
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:316
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2832
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1000
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1304 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
PID:932 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3048
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:1968
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:1612
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:1392
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2708
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2976
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3052
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2032
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2876 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:3184 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:3216
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:3252
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:3288
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:3320
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:3356
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:3492
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:3588
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3008 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2032 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2140
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3000
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2408
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:344
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1936
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1976
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1740
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2372
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2432 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:3100 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3168
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3244
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3280
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3312
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3348
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3388
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3580
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3732
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"8⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3768 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"9⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3908 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:3940
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:3964
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:3980
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:4000
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:4024
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:2900
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:3128
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2824 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:1628 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3120
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3236
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3272
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3304
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3340
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3380
-
-
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"4⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3364 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:3524 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3568
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3692
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3780
-
-
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4016 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"5⤵
- Executes dropped EXE
PID:848 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:844
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3112
-
-
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2960 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:3456 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3488
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2128
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3648
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3748
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3104
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3188
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3916
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3808
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3824 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"7⤵PID:2168
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:1196
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:772
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3444
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3396
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3424
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3472
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3148
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3596
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2056 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"9⤵
- Boot or Logon Autostart Execution: Active Setup
PID:3744 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:3672
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:2808
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"4⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3800 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"5⤵
- Adds Run key to start application
PID:2456 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:324
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:536
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2220
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3512
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3416
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3464
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2800
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3676
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3680 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"7⤵PID:2000
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3532 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"5⤵
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
PID:4020 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:4084
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:620
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3160
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3108
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3704
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3552
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3624
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1608
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3996 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"7⤵
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
PID:3016 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:4040
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:892
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:1648
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3880
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3936
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:4092
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:1484
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2764
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3928 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"9⤵
- Adds Run key to start application
PID:3996 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:2168
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:3208
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:3856
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:2704
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:2812
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:4116
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:4228
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"10⤵PID:4464
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"10⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4520 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"11⤵
- Adds Run key to start application
PID:4712 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:4744
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:4796
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:4928
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:5008
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:5048
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"12⤵PID:3840
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"4⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3604 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"5⤵PID:1656
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:1552
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:832
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3912
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:2868
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3532
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3788
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3556
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵PID:3080
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2112 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"7⤵
- Boot or Logon Autostart Execution: Active Setup
PID:848 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3076
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3668
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3960
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3828
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:4044
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:3712
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:2848
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"8⤵PID:4184
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4196 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"9⤵PID:4512
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"4⤵
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 3088
  C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 5)
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  PID: 3164
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 3564
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4020
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 2456
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 3680
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 912
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 3636
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 3016
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4132
    C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 6)
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID: 4172
      C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 7)
      - Adds Run key to start application
      PID: 4472
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 4548
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 4704
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 4776
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 4908
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 4996
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5040
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 1988
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 4308
        C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 8)
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        PID: 4492
          C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 9)
          - Boot or Logon Autostart Execution: Active Setup
          PID: 4516
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 4588
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 4628
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 4660
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 4848
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 4952
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 4480
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 4104
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 4)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 4080
  C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 5)
  - Boot or Logon Autostart Execution: Active Setup
  PID: 4152
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4216
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4436
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4580
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4756
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4804
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4956
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5016
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5056
    C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 6)
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID: 2188
      C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 7)
      - Boot or Logon Autostart Execution: Active Setup
      - Adds Run key to start application
      PID: 4288
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 4448
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 4428
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 4608
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 4644
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 4524
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 4)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 5032
  C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 5)
  - Adds Run key to start application
  PID: 4176
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4276
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 1836
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4600
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4636
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4680
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4888
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4980
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 3820
    C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 6)
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID: 4296
      C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 7)
      - Adds Run key to start application
      PID: 5064
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 4352
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 4384
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 4412
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 4068
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 4864
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 4904
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5080
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 4536
        C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 8)
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        PID: 4296
          C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 9)
          - Boot or Logon Autostart Execution: Active Setup
          - Adds Run key to start application
          PID: 1124
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 4112
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 4496
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 5112
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 4164
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 4160
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 4204
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 4212
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 4840
            C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 10)
            - Identifies Wine through registry keys
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Suspicious use of SetThreadContext
            - Suspicious use of SetWindowsHookEx
            PID: 4724
              C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 11) PID: 4812
                C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 12) PID: 108
                C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 12) PID: 3068
                C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 12) PID: 4668
                C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 12) PID: 4728
                C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 12) PID: 4316
                C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 12) PID: 4140
                C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 12) PID: 5260
                C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 12) PID: 5324
                C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 12)
                - Identifies VirtualBox via ACPI registry values (likely anti-VM)
                PID: 5344
                  C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 13)
                  - Boot or Logon Autostart Execution: Active Setup
                  PID: 5620
                    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 14) PID: 5692
                    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 14) PID: 5724
                    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 14) PID: 5760
                    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 14) PID: 5800
                    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 14) PID: 5976
                    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 14) PID: 4176
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 4)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 4224
  C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 5)
  - Adds Run key to start application
  PID: 4248
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 2328
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4532
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4376
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4404
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4692
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4940
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4880
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4240
    C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 6)
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID: 5096
      C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 7) PID: 4920
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 4)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 4268
  C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 5) PID: 4348
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4824
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5064
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5104
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4144
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 1060
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 3700
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4272
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4576
    C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 6)
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID: 4832
      C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 7)
      - Boot or Logon Autostart Execution: Active Setup
      - Adds Run key to start application
      PID: 5100
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 4208
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 4424
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 4900
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 4288
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 1340
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 4792
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5204
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5296
        C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 8)
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Identifies Wine through registry keys
        PID: 5316
          C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 9)
          - Adds Run key to start application
          PID: 5580
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 5636
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 5708
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 5744
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 5776
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 5928
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 6116
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 4)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 3460
  C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 5)
  - Boot or Logon Autostart Execution: Active Setup
  PID: 1028
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4328
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4672
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 2308
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4816
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 924
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4868
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4736
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4832
    C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 6)
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    PID: 3200
      C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 7)
      - Boot or Logon Autostart Execution: Active Setup
      - Adds Run key to start application
      PID: 5232
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5280
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5332
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5552
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5668
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5716
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5752
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5792
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5968
        C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 8)
        - Identifies Wine through registry keys
        PID: 5988
          C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 9)
          - Boot or Logon Autostart Execution: Active Setup
          - Adds Run key to start application
          PID: 5220
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 1776
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 5140
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 3200
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 4856
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 5340
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 5596
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 5460
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 4)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 2876
  C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 5)
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  PID: 5172
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5224
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5304
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5448
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5608
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5700
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5736
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5768
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5908
    C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 6)
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    PID: 5960
      C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 7)
      - Boot or Logon Autostart Execution: Active Setup
      PID: 3864
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 4248
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5132
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5192
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5276
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 1124
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5572
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5644
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 4)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
PID: 5784
  C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 5)
  - Boot or Logon Autostart Execution: Active Setup
  PID: 5936
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 6008
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4284
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5124
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5152
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4732
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5312
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4812
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5352
    C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 6) PID: 5628
      C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 7)
      - Boot or Logon Autostart Execution: Active Setup
      - Adds Run key to start application
      PID: 5828
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5876
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5900
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5784
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5248
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5268
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 6004
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5964
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 6124
        C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 8)
        - Identifies Wine through registry keys
        PID: 4340
          C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 9) PID: 5788
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 4)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
PID: 5588
  C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 5)
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  PID: 5688
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5836
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5892
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5916
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5176
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5952
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5232
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4516
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5196
    C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 6)
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Identifies Wine through registry keys
    PID: 6136
      C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 7)
      - Boot or Logon Autostart Execution: Active Setup
      - Adds Run key to start application
      PID: 5436
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5488
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5516
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5536
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5568
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5628
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5868
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 6060
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 4264
        C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 8)
        - Identifies Wine through registry keys
        PID: 4196
          C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 9)
          - Boot or Logon Autostart Execution: Active Setup
          PID: 5472
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 2268
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 5164
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 5888
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 5860
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 5688
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 6024
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 4)
- Identifies Wine through registry keys
PID: 5160
  C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 5)
  - Boot or Logon Autostart Execution: Active Setup
  PID: 5164
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4492
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5416
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5508
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5528
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5544
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5944
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 5856
    C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID: 4944
    C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 6)
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Identifies Wine through registry keys
    PID: 2188
      C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 7)
      - Boot or Logon Autostart Execution: Active Setup
      PID: 4304
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5564
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 4152
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 4244
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 3644
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 5244
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 6132
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 6048
        C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID: 2188
        C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 8)
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Identifies Wine through registry keys
        PID: 5824
          C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 9)
          - Boot or Logon Autostart Execution: Active Setup
          PID: 6084
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 5484
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 5504
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 6076
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 5844
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 5788
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 5168
            C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID: 5920
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 4) PID:4924
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 5) PID:6140
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID:5584
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID:5408
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID:4364
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID:5432
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID:5236
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID:5180
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID:6028
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID:4528
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 6) PID:5992
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 7) PID:5960
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 4) PID:6040
- Identifies Wine through registry keys
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 5) PID:5664
- Adds Run key to start application
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID:6136
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID:5648
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID:3144
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID:5472
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID:6100
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID:4196
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID:5412
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID:5676
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 6) PID:6072
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 7) PID:5480
- Boot or Logon Autostart Execution: Active Setup
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID:4540
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID:5604
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID:5684
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID:3816
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID:6040
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID:6092
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID:5376
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID:6156
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 8) PID:6184
- Identifies Wine through registry keys
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 9) PID:6476
- Boot or Logon Autostart Execution: Active Setup
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID:6540
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID:6568
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 10) PID:6592
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 4) PID:5852
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 5) PID:5948
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID:6140
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID:6016
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID:5936
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID:5852
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID:4100
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID:5188
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID:5360
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID:4764
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 6) PID:6148
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 7) PID:6436
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID:6512
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID:6556
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 8) PID:6584
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 4) PID:5368
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 5) PID:6176
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID:6312
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID:6456
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID:6548
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 6) PID:6576
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 3) PID:2536
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 3) PID:2608
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 3) PID:808
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 3) PID:3032
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 3) PID:2232
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 3) PID:2580
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 3) PID:2276
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 3) PID:2064
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 3) PID:3048
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 4) PID:2156
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 5) PID:1568
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 5) PID:1520
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 5) PID:2908
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 5) PID:2728
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 5) PID:2916
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 5) PID:2720
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 5) PID:2620
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 5) PID:2648
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 5) PID:2756
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 6) PID:2096
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 7) PID:2404
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 7) PID:1572
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 7) PID:2164
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 7) PID:2480
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 7) PID:2152
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 7) PID:2192
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 7) PID:680
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 7) PID:2964
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 7) PID:1640
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 8) PID:2328
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 9) PID:1716
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 9) PID:336
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 9) PID:2320
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 9) PID:2444
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 9) PID:1284
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 9) PID:1500
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 9) PID:2332
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 9) PID:2428
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 9) PID:2544
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 10) PID:2744
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 11) PID:2172
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 11) PID:2592
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 11) PID:1040
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 11) PID:1032
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 11) PID:2500
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 11) PID:2364
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 11) PID:1780
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 11) PID:1508
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 11) PID:948
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 12) PID:960
- Executes dropped EXE
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 13) PID:796
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 13) PID:1600
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 13) PID:1736
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 13) PID:2788
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 13) PID:2576
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 13) PID:2896
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 13) PID:2072
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 13) PID:2528
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 13) PID:2360
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 14) PID:2484
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 15) PID:2196
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 15) PID:576
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 15) PID:2784
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 15) PID:2700
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 15) PID:2516
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 15) PID:696
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 15) PID:2756
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 15) PID:2884
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 15) PID:408
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 16) PID:3056
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 17) PID:1296
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 17) PID:1140
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 17) PID:2524
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 17) PID:2360
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 17) PID:1536
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 17) PID:2560
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 17) PID:2448
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 17) PID:1712
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 17) PID:1640
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 18) PID:1680
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 19) PID:2724
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 19) PID:932
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 19) PID:3228
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 19) PID:3264
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 19) PID:3296
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 19) PID:3332
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 19) PID:3372
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 19) PID:3516
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 19) PID:3548
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 20) PID:3712
- Executes dropped EXE
- Adds Run key to start application
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 21) PID:3756
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 21) PID:3888
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 21) PID:3952
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 21) PID:3972
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 21) PID:3988
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 21) PID:4008
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 21) PID:4032
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 21) PID:2844
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 21) PID:3092
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 22) PID:3148
- Executes dropped EXE
- Adds Run key to start application
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 23) PID:2852
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 23) PID:2568
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 23) PID:948
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 23) PID:2300
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 23) PID:3012
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 23) PID:2044
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 23) PID:3448
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 23) PID:3364
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 23) PID:3540
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 24) PID:3668
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 25) PID:3548
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 25) PID:3176
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 25) PID:3224
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 25) PID:3884
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 25) PID:3792
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 25) PID:3832
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 25) PID:1844
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 25) PID:1744
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 25) PID:2328
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 26) PID:2116
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 27) PID:776
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 27) PID:3408
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 27) PID:3436
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 27) PID:3484
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 27) PID:3664
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 27) PID:3764
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 27) PID:4056
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 27) PID:2520
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 27) PID:3164
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 28) PID:2456
- Boot or Logon Autostart Execution: Active Setup
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 29) PID:4048
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 29) PID:1628
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 29) PID:3500
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 29) PID:3612
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 29) PID:3528
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 29) PID:1244
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 29) PID:3440
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 29) PID:1672
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 29) PID:848
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 30) PID:3636
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 31) PID:1240
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 31) PID:3924
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 31) PID:3632
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 31) PID:4072
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 31) PID:3212
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 31) PID:2440
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 31) PID:3688
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 31) PID:1676
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 31) PID:3144
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 32) PID:3864
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 33) PID:2116
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 33) PID:3852
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 33) PID:2000
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 33) PID:4124
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 33) PID:4332
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 33) PID:4504
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 33) PID:4696
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 33) PID:4768
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 33) PID:4788
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 34) PID:4936
- Adds Run key to start application
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 35) PID:4988
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 35) PID:5024
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 35) PID:5068
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 35) PID:4456
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 35) PID:3192
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 35) PID:4556
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 35) PID:4620
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 35) PID:4652
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 35) PID:4672
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 36) PID:4868
- Boot or Logon Autostart Execution: Active Setup
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 37) PID:4788
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 37) PID:3456
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 37) PID:3088
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 37) PID:4716
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 37) PID:4368
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 37) PID:4392
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 37) PID:4560
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 37) PID:4972
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 37) PID:4616
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" (depth 38) PID:4316
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" (depth 39) PID:5036
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"39⤵PID:236
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"39⤵PID:4476
-
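The process tree above is flattened one entry per line (image path, quoted command line, nesting depth, then the PID either on the same line or after the signature bullets), which makes the repeating Winrar.exe → Winrar.exe → iexplore.exe pattern hard to read. The following is an added example, not part of the sandbox report: a small parser that rebuilds the tree from the depth numbers, then lists each process that used SetThreadContext together with the descendants that triggered no signature of their own (the silent iexplore.exe children are the hosts a hollowing injector would be writing into), and separately lists the persistence signatures. The sample lines are constructed to mirror the report's format, with PIDs borrowed from the page; the function names and the two heuristics are this example's own, not the sandbox's.

```python
"""Rebuild a flattened sandbox process tree and triage it.

Added example; the SAMPLE text is constructed to mirror the report format
on this page and is not the report itself.
"""
import os
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Tuple

# Process entry: <image>"<command line>"<depth>⤵ and, optionally, PID:<n>
# on the same line (leaf entries) or on a later line after the "- " bullets.
# Whitespace between the tokens is tolerated so both spellings parse.
LINE_RE = re.compile(r'^(?P<image>[^"]+?)\s*"(?P<cmd>[^"]*)"\s*(?P<depth>\d+)⤵\s*(?:PID:(?P<pid>\d+))?')
SIG_RE = re.compile(r'^-\s+(?P<sig>\S.*)$')
PID_RE = re.compile(r'^PID:(?P<pid>\d+)')

# Constructed sample in the page's fused format (PIDs taken from the page).
SAMPLE = r"""
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"33⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
PID:4788 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"34⤵
- Adds Run key to start application
PID:4936 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"35⤵PID:4988
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"35⤵PID:5024
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"35⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4672 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"36⤵
- Boot or Logon Autostart Execution: Active Setup
PID:4868 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"37⤵PID:3456
-
"""


@dataclass
class Proc:
    image: str
    depth: int
    pid: Optional[int] = None
    signatures: List[str] = field(default_factory=list)
    children: List["Proc"] = field(default_factory=list)

    @property
    def name(self) -> str:
        return os.path.basename(self.image.replace("\\", "/"))


def parse_tree(text: str) -> List[Proc]:
    """Rebuild parent/child links from the depth numbers; returns the roots."""
    roots: List[Proc] = []
    stack: List[Proc] = []          # ancestors of the entry being parsed
    cur: Optional[Proc] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":  # extraction filler between entries
            continue
        m = LINE_RE.match(line)
        if m:
            cur = Proc(m["image"], int(m["depth"]), int(m["pid"]) if m["pid"] else None)
            while stack and stack[-1].depth >= cur.depth:
                stack.pop()
            (stack[-1].children if stack else roots).append(cur)
            stack.append(cur)
            continue
        if cur is None:
            continue
        m = PID_RE.match(line)        # PID deferred past the signature bullets
        if m:
            cur.pid = int(m["pid"])
            continue
        m = SIG_RE.match(line)
        if m:
            cur.signatures.append(m["sig"])
    return roots


def walk(procs: List[Proc]) -> Iterator[Proc]:
    for p in procs:
        yield p
        yield from walk(p.children)


def injection_candidates(roots: List[Proc]) -> Dict[Optional[int], Dict[str, int]]:
    """PID of each SetThreadContext user -> image names of its descendants that
    triggered no signature of their own (likely hollowed host processes)."""
    out: Dict[Optional[int], Dict[str, int]] = {}
    for p in walk(roots):
        if any("SetThreadContext" in s for s in p.signatures):
            quiet = Counter(d.name for d in walk(p.children) if not d.signatures)
            out[p.pid] = dict(quiet)
    return out


def persistence_entries(roots: List[Proc]) -> List[Tuple[Optional[int], str]]:
    """(PID, signature) for the Run-key and Active Setup persistence hits."""
    return [(p.pid, s) for p in walk(roots) for s in p.signatures
            if "Run key" in s or "Active Setup" in s]


if __name__ == "__main__":
    tree = parse_tree(SAMPLE)
    for pid, hosts in injection_candidates(tree).items():
        print(f"PID {pid}: SetThreadContext; quiet descendants {hosts}")
    for pid, sig in persistence_entries(tree):
        print(f"PID {pid}: {sig}")
```

Run against the full report text instead of SAMPLE, the same two functions give you the injector-to-host mapping and the persistence hits for the whole chain; the Winrar.exe entries here all live under %APPDATA%, so the persistence signatures point at a user-writable path, which is what a Run-key or Active Setup hunt on the host would key on.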
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
Downloads
-
Filesize 1KB
MD5 9437d4af2cf75e0c17d40925479075dd
SHA1 4fea688090d756e07f22e129a5180f254d99d2f2
SHA256 bb1fd08583008d3d2a5216919f2c3b7854628e74c20999361674463ad364f29a
SHA512 adee95b1c77019513902f36cc973cc591d4bbbae3641d08a8aa9d2a35d34b88574dc2d307c115c9201e245059011b8d46f5f887d99a0181057147815cbb8ab95
-
Filesize 1.3MB
MD5 57d3f7529a5839dde7f8b7cc16681bc2
SHA1 efc16c86fc9fc3c9b0d3677e9d9c0d28b34b7115
SHA256 e00905ea366cb3bab0ed0d5cac3a3b2fac8be857477cd12e0888ceb778e51ddd
SHA512 980ef29568044993b3e1c6c8e3f531325c691befd1936851c1945c15aadce82d87caefe8d1273cd54b6781792d734f86a753bfdc507c05282389fb7a9eb12350