Analysis
max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-07-2024 14:47
Static task: static1
Behavioral task: behavioral1
  Sample: 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe
Size: 1.3MB
MD5: 57d3f7529a5839dde7f8b7cc16681bc2
SHA1: efc16c86fc9fc3c9b0d3677e9d9c0d28b34b7115
SHA256: e00905ea366cb3bab0ed0d5cac3a3b2fac8be857477cd12e0888ceb778e51ddd
SHA512: 980ef29568044993b3e1c6c8e3f531325c691befd1936851c1945c15aadce82d87caefe8d1273cd54b6781792d734f86a753bfdc507c05282389fb7a9eb12350
SSDEEP: 24576:X/ldrejcz69oQ0zto3Zo6hq2HOGyVfCsvodqKCfdK8GR1:Hejck30o3W6hHefXvY8GR1
Malware Config
Extracted: xtremerat
  boubacs2.no-ip.biz
  zf23.no-ip.info
  蠀C:\Users\Publicboubq1.no-ip.biz
Signatures
Detect XtremeRAT payload 6 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1004-7-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/1004-6-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/1004-8-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/2904-14-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/1500-25-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
behavioral2/memory/4228-38-0x0000000000C80000-0x0000000000C93000-memory.dmp | family_xtremerat
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 64 IoCs
Processes: Winrar.exe, 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Winrar.exe (every row except one)
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe (one row)
(64 IoCs in total, all the same key opened by the listed processes)
Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: Winrar.exe, svchost.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{U26Y3RL8-7V25-1E0S-S40X-5O6O20TO3XRP} | Winrar.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{U26Y3RL8-7V25-1E0S-S40X-5O6O20TO3XRP} | svchost.exe (one row)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{U26Y3RL8-7V25-1E0S-S40X-5O6O20TO3XRP}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe restart" | Winrar.exe
(64 IoCs in total: repeated "Key created" and "Set value (str)" rows for the same Active Setup component, all from Winrar.exe except the single svchost.exe row)
Checks computer location settings 2 TTPs 48 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: Winrar.exe, 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | Winrar.exe (every row except one)
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe (one row)
(48 IoCs in total, all the same value queried by the listed processes)
Executes dropped EXE 64 IoCs
Processes: Winrar.exe (64 instances)
pid | Process
2776 | Winrar.exe
1500 | Winrar.exe
5016 | Winrar.exe
3052 | Winrar.exe
4228 | Winrar.exe
4272 | Winrar.exe
4028 | Winrar.exe
4960 | Winrar.exe
2172 | Winrar.exe
2008 | Winrar.exe
4836 | Winrar.exe
2360 | Winrar.exe
4472 | Winrar.exe
2744 | Winrar.exe
4872 | Winrar.exe
972 | Winrar.exe
4116 | Winrar.exe
4216 | Winrar.exe
2036 | Winrar.exe
1476 | Winrar.exe
3272 | Winrar.exe
668 | Winrar.exe
1420 | Winrar.exe
4504 | Winrar.exe
3768 | Winrar.exe
3656 | Winrar.exe
4440 | Winrar.exe
4676 | Winrar.exe
4036 | Winrar.exe
2572 | Winrar.exe
456 | Winrar.exe
2496 | Winrar.exe
776 | Winrar.exe
5104 | Winrar.exe
2808 | Winrar.exe
2292 | Winrar.exe
860 | Winrar.exe
1332 | Winrar.exe
3656 | Winrar.exe
3384 | Winrar.exe
4572 | Winrar.exe
1676 | Winrar.exe
5232 | Winrar.exe
5272 | Winrar.exe
5352 | Winrar.exe
5488 | Winrar.exe
5592 | Winrar.exe
5736 | Winrar.exe
5848 | Winrar.exe
5988 | Winrar.exe
6060 | Winrar.exe
1740 | Winrar.exe
5244 | Winrar.exe
5080 | Winrar.exe
5384 | Winrar.exe
5744 | Winrar.exe
5688 | Winrar.exe
5892 | Winrar.exe
6032 | Winrar.exe
5752 | Winrar.exe
5312 | Winrar.exe
5388 | Winrar.exe
5624 | Winrar.exe
5724 | Winrar.exe
Identifies Wine through registry keys 2 TTPs 64 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: Winrar.exe, 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine | Winrar.exe (every row except one)
Key opened | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine | 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe (one row)
(64 IoCs in total, all the same key opened by the listed processes)
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" Winrar.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" Winrar.exe
Every Winrar.exe instance rewrites both values, so the identical rows are collapsed above. Two details worth a detection rule: the value names are literally HKLM and HKCU rather than a product name, and the machine-wide entry lands under WOW6432Node because the writer is a 32-bit process (the same process starts C:\Windows\SysWOW64\svchost.exe in the tree below). -
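The three distinct Run-key writes above are enough to build a detector. The following Python is an added example written for this page, not Triage output and not code from the sample: it parses rows in the report's own `Set value (str) <key>\<name> = "<data>" <process>` layout and flags the traits that separate this persistence from a legitimate autorun (a hive abbreviation used as the value name, a target under a user-writable directory, a vendor-lookalike file name outside Program Files, and a machine-wide entry redirected to WOW6432Node). The benign SecurityHealth row, the `VENDOR_STEMS` lookalike list and the reason names are constructed for the demo.

```python
"""Flag XtremeRAT-style Run-key persistence in registry rows printed by a sandbox report.

Added example for this page; not Triage code and not part of the sample. The two malicious
rows are copied from the report, the SecurityHealth row is a constructed benign control, and
VENDOR_STEMS is a hypothetical lookalike list.
"""
import re
from dataclasses import dataclass, field

# Report layout:  Set value (str) <key>\<value name> = "<data>" <process image>
# The quoted data has its backslashes doubled; the key path does not.
RUN_VALUE_RE = re.compile(
    r'^Set value \((?P<kind>\w+)\) '
    r'(?P<key>\\REGISTRY\\\S+?\\CurrentVersion\\Run(?:Once)?)\\(?P<name>[^\\\s]+)'
    r' = "(?P<data>.*)" (?P<process>\S+)$'
)

# Directories a standard user can write to: an autorun pointing here needs no admin rights.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\", "\\programdata\\")
# Hypothetical list of product names that malware borrows for a dropped binary.
VENDOR_STEMS = {"winrar", "7zip", "java", "adobe", "chrome"}
# Value names seen in this report: a hive abbreviation instead of a product name.
HIVE_NAMES = {"hklm", "hkcu", "hku", "hkey_local_machine", "hkey_current_user"}


@dataclass
class RunWrite:
    key: str
    name: str
    data: str
    process: str
    reasons: list = field(default_factory=list)


def parse_run_write(line):
    """Return a RunWrite for a Run/RunOnce 'Set value' row, or None for any other row."""
    m = RUN_VALUE_RE.match(line.strip())
    if not m:
        return None
    data = m.group("data").replace("\\\\", "\\")  # undo the report's backslash doubling
    return RunWrite(m.group("key"), m.group("name"), data, m.group("process"))


def assess(w):
    """Append, in a fixed order, every reason this autorun entry looks malicious."""
    key, name, data = w.key.lower(), w.name.lower(), w.data.lower()
    stem = data.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if name in HIVE_NAMES:
        w.reasons.append("hive_named_value")
    if any(p in data for p in USER_WRITABLE):
        w.reasons.append("user_writable_autorun")
    if stem in VENDOR_STEMS and "\\program files" not in data and "\\windows\\" not in data:
        w.reasons.append("vendor_lookalike")
    if key.startswith("\\registry\\machine\\") and "\\wow6432node\\" in key:
        w.reasons.append("wow64_machine_run")  # machine-wide autorun written by a 32-bit process
    return w


def triage(lines):
    """Parse every line, keep the Run-key writes, and return them with their reasons."""
    return [assess(w) for w in map(parse_run_write, lines) if w is not None]


SAMPLE_EVENTS = [
    # Copied from the report: the original sample and its dropped copy.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winrar\\Winrar.exe" Winrar.exe',
    # Constructed benign control: a stock Windows autorun written by explorer.exe.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\system32\\SecurityHealthSystray.exe" explorer.exe',
    # A non-Run row from the same report; the parser must skip it.
    r'Key opened \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Wine Winrar.exe',
]

if __name__ == "__main__":
    for w in triage(SAMPLE_EVENTS):
        print("SUSPICIOUS" if w.reasons else "ok        ", w.name, w.data, "by", w.process, w.reasons)
```

Run it as a script to print one verdict per row, or call `triage()` on rows pulled from any report in this layout. On a live host the same `assess()` checks apply to values enumerated with `winreg`; only the doubled-backslash unescape in `parse_run_write()` is specific to the report text.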
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
pid Process
4068 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe
Winrar.exe (one entry per instance, in report order; 5688, 5008 and 6040 each appear twice): 2776 5016 3052 4028 2172 4836 2360 4872 4116 2036 3272 668 3768 4440 4036 456 776 5104 860 3656 4572 1676 5352 5592 5848 6060 5244 5384 5688 6032 5752 5624 3384 5992 5008 5688 3244 5396 2356 6040 5008 5668 5160 6040 3548 6324 6356 6792 6980 6132 6284 6388 7020 6564 6660 5168 6448 7132 6696 6492 6188 6520 6408
These PIDs are exactly the injecting parents of the SetThreadContext table below; the hollowed copies (1004, 1500, 4272 and so on) are not listed, so the anti-debug call belongs to the loader stage, not the injected payload. -
Suspicious use of SetThreadContext 64 IoCs
description pid Process procid_target
Each row is one parent replacing the thread context of a freshly started copy of its own image (the matching WriteProcessMemory rows show 13 writes into the same child). The original sample hollows 1004, the hollowed copy drops Winrar.exe 2776, which hollows 1500, and the pattern repeats for the whole run.
PID 4068 set thread context of 1004 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe 87
PID 2776 set thread context of 1500 Winrar.exe 102
PID 5016 set thread context of 4228 Winrar.exe 115
PID 3052 set thread context of 4272 Winrar.exe 117
PID 4028 set thread context of 4960 Winrar.exe 127
PID 2172 set thread context of 2008 Winrar.exe 132
PID 4836 set thread context of 4472 Winrar.exe 148
PID 2360 set thread context of 2744 Winrar.exe 151
PID 4872 set thread context of 972 Winrar.exe 155
PID 4116 set thread context of 4216 Winrar.exe 168
PID 2036 set thread context of 1476 Winrar.exe 176
PID 3272 set thread context of 1420 Winrar.exe 190
PID 668 set thread context of 4504 Winrar.exe 193
PID 3768 set thread context of 3656 Winrar.exe 205
PID 4440 set thread context of 4676 Winrar.exe 215
PID 4036 set thread context of 2572 Winrar.exe 222
PID 456 set thread context of 2496 Winrar.exe 233
PID 776 set thread context of 2808 Winrar.exe 246
PID 5104 set thread context of 2292 Winrar.exe 248
PID 860 set thread context of 1332 Winrar.exe 254
PID 3656 set thread context of 3384 Winrar.exe 272
PID 4572 set thread context of 5232 Winrar.exe 280
PID 1676 set thread context of 5272 Winrar.exe 282
PID 5352 set thread context of 5488 Winrar.exe 286
PID 5592 set thread context of 5736 Winrar.exe 297
PID 5848 set thread context of 5988 Winrar.exe 307
PID 6060 set thread context of 1740 Winrar.exe 312
PID 5244 set thread context of 5080 Winrar.exe 322
PID 5384 set thread context of 5744 Winrar.exe 332
PID 5688 set thread context of 5892 Winrar.exe 339
PID 6032 set thread context of 5312 Winrar.exe 352
PID 5752 set thread context of 5388 Winrar.exe 355
PID 5624 set thread context of 5724 Winrar.exe 365
PID 3384 set thread context of 5896 Winrar.exe 377
PID 5992 set thread context of 4332 Winrar.exe 380
PID 5008 set thread context of 5420 Winrar.exe 389
PID 5688 set thread context of 2340 Winrar.exe 398
PID 3244 set thread context of 6004 Winrar.exe 404
PID 5396 set thread context of 5696 Winrar.exe 420
PID 2356 set thread context of 60 Winrar.exe 423
PID 6040 set thread context of 5128 Winrar.exe 428
PID 5008 set thread context of 5440 Winrar.exe 449
PID 5668 set thread context of 5280 Winrar.exe 453
PID 5160 set thread context of 2868 Winrar.exe 455
PID 6040 set thread context of 6196 Winrar.exe 477
PID 3548 set thread context of 6232 Winrar.exe 479
PID 6356 set thread context of 6608 Winrar.exe 486
PID 6324 set thread context of 6600 Winrar.exe 485
PID 6792 set thread context of 6936 Winrar.exe 500
PID 6980 set thread context of 7136 Winrar.exe 504
PID 6132 set thread context of 5156 Winrar.exe 511
PID 6284 set thread context of 6516 Winrar.exe 524
PID 6388 set thread context of 6324 Winrar.exe 527
PID 7020 set thread context of 5432 Winrar.exe 540
PID 6564 set thread context of 464 Winrar.exe 555
PID 6660 set thread context of 5216 Winrar.exe 558
PID 5168 set thread context of 5128 Winrar.exe 577
PID 6448 set thread context of 5776 Winrar.exe 580
PID 7132 set thread context of 6400 Winrar.exe 582
PID 6696 set thread context of 6364 Winrar.exe 597
PID 6492 set thread context of 7064 Winrar.exe 603
PID 6188 set thread context of 6392 Winrar.exe 617
PID 6520 set thread context of 6456 Winrar.exe 619
PID 6408 set thread context of 4392 Winrar.exe 636 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (each process is reported twice; the report lists at most 64 entries, so the list stops at 5752)
4068 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe
Winrar.exe: 2776 5016 3052 4028 2172 4836 2360 4872 4116 2036 3272 668 3768 4440 4036 456 776 5104 860 3656 4572 1676 5352 5592 5848 6060 5244 5384 5688 6032 5752 -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process (the same PIDs as the NtSetInformationThreadHideFromDebugger list above: the injecting parents)
4068 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe
Winrar.exe: 2776 5016 3052 4028 2172 4836 2360 4872 4116 2036 3272 668 3768 4440 4036 456 776 5104 860 3656 4572 1676 5352 5592 5848 6060 5244 5384 5688 6032 5752 5624 3384 5992 5008 5688 3244 5396 2356 6040 5008 5668 5160 6040 3548 6324 6356 6792 6980 6132 6284 6388 7020 6564 6660 5168 6448 7132 6696 6492 6188 6520 6408 -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (consecutive identical rows collapsed; write count in brackets)
PID 4068 wrote to memory of 1004 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe 87 [13 writes]
PID 1004 wrote to memory of 2904 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe 88 [4]
PID 1004 wrote to memory of 2364 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe 89 [3]
PID 1004 wrote to memory of 2624 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe 90 [3]
PID 1004 wrote to memory of 3904 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe 91 [3]
PID 1004 wrote to memory of 4168 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe 94 [3]
PID 1004 wrote to memory of 4976 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe 97 [3]
PID 1004 wrote to memory of 3700 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe 98 [3]
PID 1004 wrote to memory of 1560 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe 99 [3]
PID 1004 wrote to memory of 1832 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe 100 [2]
PID 1004 wrote to memory of 2776 57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe 101 [3]
PID 2776 wrote to memory of 1500 Winrar.exe 102 [13 writes]
PID 1500 wrote to memory of 4312 Winrar.exe 104 [3]
PID 1500 wrote to memory of 1396 Winrar.exe 105 [3]
PID 1500 wrote to memory of 3572 Winrar.exe 106 [2] (the report stops at 64 entries)
The two 13-write targets (1004 and 1500) are the same PIDs that receive a new thread context in the table above, which is consistent with process hollowing: a copy of the injector's own image is started, a full payload image is written into it, and its thread context is replaced. The 2-4 write rows are the hollowed copy starting ordinary children (svchost.exe 2904, Winrar.exe 2776 and the rest).
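Read together, the SetThreadContext and WriteProcessMemory tables describe the injection chain: 13 writes into a child of the same image followed by a new thread context, then a handful of writes into each ordinary child. The Python below is an added example for this page (not Triage code and not part of the sample): it parses rows in the `PID <p> <action> <c> <p> <image> <procid_target>` layout shown above, classifies every parent/child pair, and follows the chain from the original sample. The rows are copied from the two tables with their counts preserved; `HOLLOW_WRITE_THRESHOLD` is a heuristic chosen from this report, and the `kind` labels are this example's own.

```python
"""Rebuild the injection chain from Triage-style SetThreadContext / WriteProcessMemory rows.

Added example, not part of the report. The rows below are copied from the two signature
tables on this page with their counts preserved (13 writes into the hollowed copy, 2-4 into
an ordinary child); the write-count threshold is a heuristic for this report, not a rule.
"""
import re
from collections import Counter

# Row layout:  PID <pid> <action> <target> <pid> <image> <procid_target>
ROW_RE = re.compile(
    r"^PID (?P<pid>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<target>\d+) (?P=pid) (?P<image>\S+) (?P<procid>\d+)$"
)

# Heuristic taken from this report: starting a child normally shows 2-4 writes,
# while the same-image child that later gets a new thread context receives 13.
HOLLOW_WRITE_THRESHOLD = 5


def parse_rows(rows):
    """Return (pid, action, target, image) for well-formed rows; malformed rows are dropped."""
    out = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            out.append((int(m["pid"]), m["action"], int(m["target"]), m["image"]))
    return out


def analyse(rows):
    """Return {(parent, child): info} describing every parent->child memory interaction."""
    image = {}          # pid -> image name, known only for PIDs that act as writer/injector
    writes = Counter()  # (parent, child) -> number of WriteProcessMemory rows
    ctx = set()         # (parent, child) pairs that also have a SetThreadContext row
    for pid, action, target, img in parse_rows(rows):
        image[pid] = img
        if action.startswith("wrote"):
            writes[(pid, target)] += 1
        else:
            ctx.add((pid, target))
    edges = {}
    for parent, child in sorted(set(writes) | ctx):
        n = writes[(parent, child)]
        if (parent, child) in ctx and n >= HOLLOW_WRITE_THRESHOLD:
            # a whole image was written, then the thread context replaced: hollowing;
            # when the victim is a copy of the injector's own image, call it self-hollowing
            kind = "self_hollowing" if image.get(child) == image[parent] else "hollowing"
        elif (parent, child) in ctx:
            kind = "thread_hijack"
        else:
            kind = "child_spawn"
        edges[(parent, child)] = {
            "writes": n,
            "set_thread_context": (parent, child) in ctx,
            "parent_image": image[parent],
            "child_image": image.get(child),  # None if the child never acts as a writer itself
            "kind": kind,
        }
    return edges


def hollowing_chain(edges, root):
    """Follow injector -> hollowed copy -> dropped child that injects again, starting at root."""
    hollowers = {p for (p, _), e in edges.items() if e["kind"].endswith("hollowing")}
    chain, cur, seen = [root], root, {root}
    while True:
        victims = sorted(c for (p, c), e in edges.items()
                         if p == cur and e["kind"].endswith("hollowing") and c not in seen)
        if not victims:
            return chain
        victim = victims[0]
        chain.append(victim)
        seen.add(victim)
        nxt = sorted(c for (p, c), e in edges.items()
                     if p == victim and e["kind"] == "child_spawn" and c in hollowers and c not in seen)
        if not nxt:
            return chain
        cur = nxt[0]
        chain.append(cur)
        seen.add(cur)


_SAMPLE = "57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe"
SAMPLE_ROWS = (  # copied from the report tables; repetition counts preserved
    [f"PID 4068 set thread context of 1004 4068 {_SAMPLE} 87"]
    + [f"PID 4068 wrote to memory of 1004 4068 {_SAMPLE} 87"] * 13
    + [f"PID 1004 wrote to memory of 2904 1004 {_SAMPLE} 88"] * 4
    + [f"PID 1004 wrote to memory of 2776 1004 {_SAMPLE} 101"] * 3
    + ["PID 2776 set thread context of 1500 2776 Winrar.exe 102"]
    + ["PID 2776 wrote to memory of 1500 2776 Winrar.exe 102"] * 13
    + ["PID 1500 wrote to memory of 4312 1500 Winrar.exe 104"] * 3
    + ["PID 1500 wrote to memory of 4312 malformed"]  # constructed bad row, dropped by the parser
)

if __name__ == "__main__":
    edges = analyse(SAMPLE_ROWS)
    for (p, c), e in edges.items():
        print(f"{p:>5} -> {c:<5} {e['kind']:<15} writes={e['writes']:<3} "
              f"{e['parent_image']} -> {e['child_image'] or '?'}")
    print("chain:", " -> ".join(map(str, hollowing_chain(edges, 4068))))
```

The child image is only known when the child later appears as a writer itself (1004 and 1500 do; svchost.exe 2904 does not), which is why `child_image` can be `None`; feeding the process tree's PID-to-image map in instead would make the self-hollowing test exact.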
Processes
-
1⤵ C:\Users\Admin\AppData\Local\Temp\57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Identifies Wine through registry keys
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID:4068
  2⤵ C:\Users\Admin\AppData\Local\Temp\57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\57d3f7529a5839dde7f8b7cc16681bc2_JaffaCakes118.exe"
     - Checks computer location settings
     - Adds Run key to start application
     - Suspicious use of WriteProcessMemory
     PID:1004
    3⤵ C:\Windows\SysWOW64\svchost.exe  svchost.exe
       - Boot or Logon Autostart Execution: Active Setup
       PID:2904
      4⤵ C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"
         - Identifies VirtualBox via ACPI registry values (likely anti-VM)
         - Executes dropped EXE
         - Identifies Wine through registry keys
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetWindowsHookEx
         PID:3052
        5⤵ C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"
           - Boot or Logon Autostart Execution: Active Setup
           - Checks computer location settings
           - Executes dropped EXE
           - Adds Run key to start application
           PID:4272
          6⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1592
          6⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1736
          6⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4436
          6⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:5024
          6⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:5048
          6⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:3408
          6⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:3976
          6⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:984
          6⤵ C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"
             - Identifies VirtualBox via ACPI registry values (likely anti-VM)
             - Executes dropped EXE
             - Identifies Wine through registry keys
             - Suspicious use of NtSetInformationThreadHideFromDebugger
             - Suspicious use of SetThreadContext
             - Suspicious behavior: EnumeratesProcesses
             - Suspicious use of SetWindowsHookEx
             PID:2172
            7⤵ C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"
               - Checks computer location settings
               - Executes dropped EXE
               PID:2008
              8⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:2500
              8⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1480
              8⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4492
              8⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4512
              8⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1512
              8⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:5092
              8⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:1920
              8⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:684
              8⤵ C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"
                 - Identifies VirtualBox via ACPI registry values (likely anti-VM)
                 - Executes dropped EXE
                 - Identifies Wine through registry keys
                 - Suspicious use of NtSetInformationThreadHideFromDebugger
                 - Suspicious use of SetThreadContext
                 - Suspicious behavior: EnumeratesProcesses
                 - Suspicious use of SetWindowsHookEx
                 PID:4872
                9⤵ C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"
                   - Checks computer location settings
                   - Executes dropped EXE
                   - Adds Run key to start application
                   PID:972
                  10⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:2400
                  10⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:3028
                  10⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4516
                  10⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:4812
                  10⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  PID:816
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:2688
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:3612
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:2404
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"10⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2036 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"11⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
PID:1476 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:4640
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:3532
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:3252
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:3216
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:2296
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:4520
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:2264
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"12⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3768 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"13⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
PID:3656 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:1776
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:5000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:4956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:1596
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:3204
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:1412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:3684
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"14⤵PID:348
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"14⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:456 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"15⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2496 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:4472
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:1696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:2560
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"16⤵PID:4048
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"  4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4028
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"  5⤵
- Checks computer location settings
- Executes dropped EXE
PID:4960
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:3292
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:632
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:1528
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:2052
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:2128
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:4160
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:3760
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:2776
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"  6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2360
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"  7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:2744
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  8⤵  PID:4228
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  8⤵  PID:1248
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  8⤵  PID:4884
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  8⤵  PID:1952
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  8⤵  PID:1828
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  8⤵  PID:4028
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  8⤵  PID:1148
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"  4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4836
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"  5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:4472
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:4284
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"  4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4116
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"  5⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
PID:4216
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:1004
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:4080
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:3032
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:4480
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:4596
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:2176
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:4704
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:4688
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"  6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:668
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"  7⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
PID:4504
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  8⤵  PID:1184
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  8⤵  PID:1232
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  8⤵  PID:2208
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  8⤵  PID:3020
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  8⤵  PID:2616
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  8⤵  PID:3348
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  8⤵  PID:2696
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  8⤵  PID:3752
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"  8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4036
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"  9⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2572
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  10⤵  PID:320
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  10⤵  PID:4952
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  10⤵  PID:2476
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  10⤵  PID:216
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  10⤵  PID:1300
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  10⤵  PID:4728
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  10⤵  PID:4816
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  10⤵  PID:1104
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"  10⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:860
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"  11⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1332
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  12⤵  PID:4880
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  12⤵  PID:4504
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  12⤵  PID:332
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  12⤵  PID:3540
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  12⤵  PID:3984
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  12⤵  PID:1100
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  12⤵  PID:4664
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  12⤵  PID:5260
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"  12⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5352
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"  13⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:5488
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  14⤵  PID:5532
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  14⤵  PID:5548
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  14⤵  PID:5568
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  14⤵  PID:5584
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  14⤵  PID:5716
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  14⤵  PID:5796
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  14⤵  PID:5840
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  14⤵  PID:5980
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"  14⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6060
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"  15⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1740
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  16⤵  PID:2808
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  16⤵  PID:440
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  16⤵  PID:3324
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  16⤵  PID:3224
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  16⤵  PID:5272
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  16⤵  PID:4620
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  16⤵  PID:5376
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  16⤵  PID:5632
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"  16⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5688
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"  17⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:5892
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  18⤵  PID:5936
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  18⤵  PID:5964
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  18⤵  PID:5492
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  18⤵  PID:5768
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"  4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3272
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"  5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:1420
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:2764
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:3332
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:628
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:3036
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"  4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4440
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"  5⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4676
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:4860
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:3188
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:1680
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:3644
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:3184
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:4088
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:3436
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  6⤵  PID:3524
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"  6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5104
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"  7⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2292
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  8⤵  PID:2184
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  8⤵  PID:3824
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  8⤵  PID:2548
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  8⤵  PID:1860
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  8⤵  PID:2172
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  8⤵  PID:4376
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  8⤵  PID:1136
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"  8⤵  PID:1492
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"  8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1676
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe  "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"  9⤵
- Executes dropped EXE
PID:5272
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:776 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"5⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
PID:2808 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:4676
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:4848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:3272
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:4252
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:1420
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:2572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:1716
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:2272
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4572 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"7⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
PID:5232 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:5316
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:5476
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:5540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:5560
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:5576
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:5612
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:5780
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:5808
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5848
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 9⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
PID:5988
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:6052
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:3924
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:1028
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5208
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:860
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:4276
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5328
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5484
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 10⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5384
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 11⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Executes dropped EXE
PID:5744
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:5680
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:5884
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:5956
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:5516
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:6092
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:5356
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:5456
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:5512
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 12⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5624
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 13⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:5724
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:5236
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:5232
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:5856
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:4648
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:5748
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:3312
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:5604
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:2676
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 14⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5008
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 15⤵
- Adds Run key to start application
PID:5420
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 16⤵ PID:3364
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 16⤵ PID:2316
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 16⤵ PID:3868
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 16⤵ PID:5920
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 16⤵ PID:1548
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3656
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:3384
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:452
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:1084
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 4⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5592
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
PID:5736
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5788
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5816
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5864
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:6076
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5244
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 5⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:5080
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:656
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:3220
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5400
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5640
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5876
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5948
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:6016
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:6064
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5752
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
PID:5388
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5448
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5360
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5676
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 4⤵
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6032
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 5⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:5312
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5332
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5464
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5528
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5700
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5828
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5976
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:1552
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5244
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5992
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 7⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Adds Run key to start application
PID:4332
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5556
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:2412
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5712
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5656
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:3848
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:3828
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5928
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:6116
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3244
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 9⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
PID:6004
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5992
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5916
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:2036
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5304
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5392
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:4136
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5312
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:4332
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 10⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6040
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 11⤵
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
PID:5128
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:5724
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:5284
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:4384
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:5872
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:5608
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:5756
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3384
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 5⤵
- Adds Run key to start application
PID:5896
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5140
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 4⤵
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5688
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 5⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Adds Run key to start application
PID:2340
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:6140
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5204
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5620
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5896
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:1196
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5772
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5672
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:776
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 6⤵
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2356
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 7⤵
- Checks computer location settings
- Adds Run key to start application
PID:60
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:1604
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5420
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:2112
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5852
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:3352
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5384
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5012
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:1016
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5160
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 9⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Adds Run key to start application
PID:2868
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:448
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:6048
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5172
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:5196
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:4484
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:2340
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:6128
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:6316
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 10⤵
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6356
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 11⤵ PID:6608
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5396
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 5⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
PID:5696
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5224
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:3236
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:4556
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:1740
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:740
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5900
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5256
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5252
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5668
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 7⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Adds Run key to start application
PID:5280
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5112
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5752
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:1096
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:5188
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:3372
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:3576
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:6032
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 8⤵ PID:6224
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6324
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 9⤵
- Checks computer location settings
PID:6600
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:6684
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:6716
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:6732
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:6752
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:6784
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:6928
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:7116
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 10⤵ PID:6100
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 10⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6132
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 11⤵
- Checks computer location settings
- Adds Run key to start application
PID:5156
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:6164
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:6256
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:6304
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:6244
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:6296
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:6532
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:6608
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 12⤵ PID:3016
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 12⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:7020
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 13⤵
- Adds Run key to start application
PID:5432
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:6088
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:5372
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:2228
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:6424
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:6044
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 14⤵ PID:6996
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5008
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" 5⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Adds Run key to start application
PID:5440
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5136
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5996
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5416
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:6068
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5180
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:2848
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:3208
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" 6⤵ PID:5668
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3548 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"7⤵PID:6232
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6040 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"5⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Adds Run key to start application
PID:6196 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6276
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6664
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6708
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6724
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6744
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6776
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6912
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6980 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"7⤵
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
PID:7136 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6204
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:5696
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"4⤵
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6792 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"5⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Adds Run key to start application
PID:6936 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:7004
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:7164
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:5848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:2020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:1732
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6272
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6312
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:5732
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6388 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"7⤵
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
PID:6324 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6644
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:1288
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:7036
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6284 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"5⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Adds Run key to start application
PID:6516 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6568
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6832
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:2388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6604
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6348
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:5160
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6480
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"6⤵
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6660 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"7⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Adds Run key to start application
PID:5216 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6740
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6264
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6208
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:1524
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:2140
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6160
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6444
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:7132 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"9⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Adds Run key to start application
PID:6400 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:1872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6004
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:7128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6652
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:7156
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:2324
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"10⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6492 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"11⤵
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
PID:7064 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:7108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:7144
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:6060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:7028
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:6104
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6564 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"5⤵
- Checks computer location settings
PID:464 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:7024
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6820
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6864
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:7000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6704
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:5280
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6448 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"7⤵
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
PID:5776 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:5432
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:7052
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:7136
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6432
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6324
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6148
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5168 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"5⤵PID:5128
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6172
-
-
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6696 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"5⤵
- Checks computer location settings
PID:6364 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6828
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6612
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:7056
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6592
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6180
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:5276
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:4084
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"6⤵
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6520 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"7⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Adds Run key to start application
PID:6456 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6700
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6404
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6384
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6380
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6812
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6500
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:7084
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
PID:6596 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"9⤵
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
PID:2840 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:4632
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6680
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6456
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6888
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:7076
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"4⤵
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6188 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"5⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
PID:6392 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6516
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6988
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6560
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6284
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6452
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:2372
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:6660
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:7068
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
PID:6676 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"7⤵
- Adds Run key to start application
PID:6984 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:6420
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:6408 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"5⤵
- Boot or Logon Autostart Execution: Active Setup
PID:4392 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:3960
-
-
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
PID:6240 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"5⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
PID:6672 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:7208
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:7228
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:7236
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:7248
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:7256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:7272
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:7280
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:7308
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
PID:7428 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"7⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Adds Run key to start application
PID:7628 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:7672
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:7688
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:7708
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:7724
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:7744
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:7760
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:7796
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"8⤵PID:7984
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"8⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Identifies Wine through registry keys
PID:8132 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"9⤵
- Checks computer location settings
PID:6392 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:6792
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:7332
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:7356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:7372
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:7392
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:7424
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:7436
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"10⤵PID:7916
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"10⤵PID:7904
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"11⤵
- Boot or Logon Autostart Execution: Active Setup
PID:8148 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:7188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:8188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:6596
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:6300
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:1088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:4804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:6900
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"12⤵PID:7660
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"12⤵PID:7784
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
PID:7292 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"5⤵
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Adds Run key to start application
PID:7456 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:7596
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:7680
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:7700
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:7716
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"6⤵PID:7736
-
-
Process tree (continued from above; [n] = depth in the tree, entries indented by depth; signature hits listed under each process)

      [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:7752
      [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:7772
      [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:7804
      [6] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" PID:7932
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Identifies Wine through registry keys
        [7] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" PID:8160
            - Boot or Logon Autostart Execution: Active Setup
            - Checks computer location settings
            - Adds Run key to start application
          [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:5740
          [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:6360
          [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:7296
          [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:7344
          [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:7364
          [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:7384
          [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:7416
          [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:7616
          [8] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" PID:7604
              - Identifies VirtualBox via ACPI registry values (likely anti-VM)
              - Identifies Wine through registry keys
            [9] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" PID:7980
                - Adds Run key to start application
              [10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:7640
              [10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:7996
              [10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:7140
              [10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:6388
              [10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:6396
              [10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:2320
              [10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:7464
  [4] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" PID:7780
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Identifies Wine through registry keys
    [5] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" PID:7956
        - Boot or Logon Autostart Execution: Active Setup
        - Adds Run key to start application
      [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:8008
  [4] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" PID:7400
      - Identifies Wine through registry keys
    [5] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" PID:7540
        - Boot or Logon Autostart Execution: Active Setup
        - Checks computer location settings
        - Adds Run key to start application
      [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:2188
      [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:7868
      [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:8096
      [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:7204
      [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:2356
      [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:6504
      [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:6984
      [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:6800
      [6] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" PID:2876
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Identifies Wine through registry keys
        [7] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" PID:7732
          [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:7900
          [8] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:7920
  [4] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" PID:1912
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Identifies Wine through registry keys
    [5] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" PID:7520
        - Adds Run key to start application
      [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:8180
      [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:6392
[3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:2364
[3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:2624
[3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:3904
[3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:4168
[3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:4976
[3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:3700
[3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:1560
[3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:1832
[3] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" PID:2776
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [4] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" PID:1500
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:4312
    [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:1396
    [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:3572
    [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:1620
    [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:924
    [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:428
    [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:3228
    [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:1108
    [5] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" PID:5016
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
      [6] C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe "C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe" PID:4228
          - Executes dropped EXE
          - Adds Run key to start application
        [7] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" PID:2964
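The tree above follows one repeating shape: a dropped Winrar.exe that probes for VirtualBox/Wine, re-launches itself, sets a Run key or Active Setup entry, and then starts msedge.exe from Program Files with no arguments while the parent shows WriteProcessMemory/SetThreadContext hits. As an added example (not part of this sandbox report or its tooling), the Python script below parses process-tree lines in the flattened form this export uses, rebuilds parent/child links from the depth number, and runs three triage heuristics over the result: persistence hits, anti-VM hits, and "injection parent plus argument-less Program Files child" pairs. The SAMPLE text is a constructed excerpt copied from the report's PID 2776 subtree with signature lists abridged; the heuristic names and the exact line grammar are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# One process entry in the export starts with:  <image path>"<command line>"<depth>⤵[PID:<n>]
# When the process has signature hits, the PID instead follows the "- ..." bullets
# on its own "PID:<n>" line. Bare "-" lines are collapsed-node residue and are skipped.
HEADER = re.compile(r'^(?P<path>[^"]+)"(?P<cmd>[^"]*)"(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?\s*$')
PID_LINE = re.compile(r'^PID:(?P<pid>\d+)')

INJECTION_SIGS = {"Suspicious use of SetThreadContext", "Suspicious use of WriteProcessMemory"}
PERSISTENCE_SIGS = {"Adds Run key to start application",
                    "Boot or Logon Autostart Execution: Active Setup"}


@dataclass
class Proc:
    path: str
    cmd: str
    depth: int
    pid: Optional[int] = None
    sigs: List[str] = field(default_factory=list)
    parent: Optional["Proc"] = None
    children: List["Proc"] = field(default_factory=list)


def parse_tree(text: str) -> List[Proc]:
    """Rebuild parent/child links: an entry's parent is the latest entry at depth-1."""
    procs: List[Proc] = []
    last_at_depth: Dict[int, Proc] = {}
    cur: Optional[Proc] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        m = HEADER.match(line)
        if m:
            depth = int(m["depth"])
            cur = Proc(m["path"], m["cmd"], depth, int(m["pid"]) if m["pid"] else None)
            cur.parent = last_at_depth.get(depth - 1)
            if cur.parent is not None:
                cur.parent.children.append(cur)
            # deeper entries seen earlier belong to a finished subtree
            last_at_depth = {d: p for d, p in last_at_depth.items() if d < depth}
            last_at_depth[depth] = cur
            procs.append(cur)
        elif cur is not None and line.startswith("- "):
            cur.sigs.append(line[2:].strip())
        elif cur is not None and (pm := PID_LINE.match(line)):
            cur.pid = int(pm["pid"])
    return procs


def lineage(procs: List[Proc], pid: int) -> List[int]:
    """PIDs from the topmost parsed ancestor down to `pid`."""
    node = next(p for p in procs if p.pid == pid)
    chain: List[int] = []
    while node is not None:
        chain.append(node.pid)
        node = node.parent
    return chain[::-1]


def persistence_pids(procs: List[Proc]) -> List[int]:
    return [p.pid for p in procs if PERSISTENCE_SIGS & set(p.sigs)]


def anti_vm_pids(procs: List[Proc]) -> List[int]:
    return [p.pid for p in procs if any("VirtualBox" in s for s in p.sigs)]


def injection_candidates(procs: List[Proc]) -> List[Tuple[int, List[int]]]:
    """Parents with memory/thread-context writes that also launch a Program Files
    binary whose command line is just the image path (no arguments): the shape a
    hollowed host leaves in a tree. Heuristic, not proof of hollowing."""
    out: List[Tuple[int, List[int]]] = []
    for p in procs:
        if not (INJECTION_SIGS & set(p.sigs)):
            continue
        hosts = [c.pid for c in p.children
                 if c.path.lower().startswith("c:\\program files") and c.cmd == c.path]
        if hosts:
            out.append((p.pid, hosts))
    return out


# Constructed excerpt: entries copied from the report's PID 2776 subtree, signatures abridged.
SAMPLE = r"""
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵PID:4312
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"5⤵PID:1396
-
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"5⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Suspicious use of SetThreadContext
PID:5016 -
C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"C:\Users\Admin\AppData\Roaming\Winrar\Winrar.exe"6⤵
- Adds Run key to start application
PID:4228 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"7⤵PID:2964
"""

if __name__ == "__main__":
    tree = parse_tree(SAMPLE)
    print("lineage of 2964:", lineage(tree, 2964))
    print("persistence:", persistence_pids(tree))
    print("anti-VM:", anti_vm_pids(tree))
    print("injection candidates:", injection_candidates(tree))
```

The argument-less Program Files child is the discriminating detail: a browser that is started by the user carries `--type=...` and profile flags, so an msedge.exe whose whole command line is its own image path, spawned from a file in AppData, is worth pulling the memory of (the family_xtremerat YARA hits in this report sit at the same address in four different PIDs, which is what a hollowed host looks like). Feed the script the full tree export and the PID list it returns is the set of processes to dump first.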
Network

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (T1547) - 2
    Active Setup (T1547.014) - 1
    Registry Run Keys / Startup Folder (T1547.001) - 1
Privilege Escalation
  Boot or Logon Autostart Execution (T1547) - 2
    Active Setup (T1547.014) - 1
    Registry Run Keys / Startup Folder (T1547.001) - 1
Downloads

Filesize 1KB
MD5    9437d4af2cf75e0c17d40925479075dd
SHA1   4fea688090d756e07f22e129a5180f254d99d2f2
SHA256 bb1fd08583008d3d2a5216919f2c3b7854628e74c20999361674463ad364f29a
SHA512 adee95b1c77019513902f36cc973cc591d4bbbae3641d08a8aa9d2a35d34b88574dc2d307c115c9201e245059011b8d46f5f887d99a0181057147815cbb8ab95

Filesize 1.3MB (hashes match the submitted sample listed under General)
MD5    57d3f7529a5839dde7f8b7cc16681bc2
SHA1   efc16c86fc9fc3c9b0d3677e9d9c0d28b34b7115
SHA256 e00905ea366cb3bab0ed0d5cac3a3b2fac8be857477cd12e0888ceb778e51ddd
SHA512 980ef29568044993b3e1c6c8e3f531325c691befd1936851c1945c15aadce82d87caefe8d1273cd54b6781792d734f86a753bfdc507c05282389fb7a9eb12350