hxxps://github[.]com/Endermanch/MalwareDatabase

pid	Process
5008	msedge.exe
5004	msedge.exe
1300	chrome.exe
4012	chrome.exe
2592	chrome.exe
2176	chrome.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	[email protected]
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Free YouTube Downloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Free YouTube Downloader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	x2s443bc.cs1.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	MassiveInstaller.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Downloadly.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	downloadly_installer.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	MassiveInstaller.tmp

Executes dropped EXE 26 IoCs

pid	Process
3564	x2s443bc.cs1.exe
2036	x2s443bc.cs1.tmp
1868	Downloadly.exe
2264	MassiveInstaller.exe
4980	MassiveInstaller.tmp
2152	Massive.exe
4880	downloadly_installer.exe
2336	crashpad_handler.exe
2344	downloadly_installer.tmp
2840	downloadly_installer.exe
2424	downloadly_installer.tmp
4852	Downloadly.exe
4648	MassiveInstaller.exe
2396	MassiveInstaller.tmp
1852	ska2pwej.aeh.exe
2176	ska2pwej.aeh.tmp
2376	walliant.exe
3228	[email protected]
3560	[email protected]
452	Free YouTube Downloader.exe
564	Free YouTube Downloader.exe
3916	00kfi53a.exe
4384	00kfi53a.tmp
720	Walliant.exe
4016	Box.exe
4188	Box.exe

Loads dropped DLL 56 IoCs

pid	Process
1868	Downloadly.exe
1868	Downloadly.exe
2152	Massive.exe
2152	Massive.exe
2152	Massive.exe
2152	Massive.exe
2152	Massive.exe
4852	Downloadly.exe
4852	Downloadly.exe
2376	walliant.exe
2376	walliant.exe
2376	walliant.exe
2376	walliant.exe
2376	walliant.exe
2376	walliant.exe
2376	walliant.exe
2376	walliant.exe
2376	walliant.exe
2376	walliant.exe
2376	walliant.exe
2376	walliant.exe
2376	walliant.exe
2376	walliant.exe
2376	walliant.exe
2376	walliant.exe
2376	walliant.exe
2376	walliant.exe
2376	walliant.exe
2376	walliant.exe
2376	walliant.exe
720	Walliant.exe
720	Walliant.exe
720	Walliant.exe
720	Walliant.exe
720	Walliant.exe
720	Walliant.exe
720	Walliant.exe
720	Walliant.exe
720	Walliant.exe
720	Walliant.exe
720	Walliant.exe
720	Walliant.exe
720	Walliant.exe
720	Walliant.exe
720	Walliant.exe
720	Walliant.exe
720	Walliant.exe
720	Walliant.exe
720	Walliant.exe
720	Walliant.exe
720	Walliant.exe
720	Walliant.exe
720	Walliant.exe
720	Walliant.exe
720	Walliant.exe
720	Walliant.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2872-1903-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Walliant = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Walliant\\Walliant.exe"	Walliant.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2503326475 = "C:\\Users\\Admin\\2503326475\\2503326475.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\2503326475_del = "cmd /c del \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_HMBlocker.zip\\[email protected]\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Downloadly = "\"C:\\Users\\Admin\\Programs\\Downloadly\\Downloadly.exe\""	x2s443bc.cs1.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Downloadly = "\"C:\\Users\\Admin\\Programs\\Downloadly\\Downloadly.exe\""	downloadly_installer.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Walliant = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Walliant\\walliant.exe"	ska2pwej.aeh.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiVirus Pro 2017 = "C:\\Users\\Admin\\Downloads\\Antivirus Pro 2017\\[email protected]"	[email protected]

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\P:	[email protected]
File opened (read-only)	\??\V:	[email protected]
File opened (read-only)	\??\Y:	[email protected]
File opened (read-only)	\??\Z:	[email protected]
File opened (read-only)	\??\I:	[email protected]
File opened (read-only)	\??\J:	[email protected]
File opened (read-only)	\??\U:	[email protected]
File opened (read-only)	\??\W:	[email protected]
File opened (read-only)	\??\E:	[email protected]
File opened (read-only)	\??\G:	[email protected]
File opened (read-only)	\??\N:	[email protected]
File opened (read-only)	\??\T:	[email protected]
File opened (read-only)	\??\R:	[email protected]
File opened (read-only)	\??\S:	[email protected]
File opened (read-only)	\??\H:	[email protected]
File opened (read-only)	\??\K:	[email protected]
File opened (read-only)	\??\L:	[email protected]
File opened (read-only)	\??\M:	[email protected]
File opened (read-only)	\??\O:	[email protected]
File opened (read-only)	\??\Q:	[email protected]
File opened (read-only)	\??\X:	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
147	raw.githubusercontent.com
214	raw.githubusercontent.com
58	raw.githubusercontent.com
59	raw.githubusercontent.com
60	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	[email protected]

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini	[email protected]
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe	[email protected]
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe	[email protected]
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe	[email protected]

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00kfi53a.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Walliant.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ska2pwej.aeh.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MassiveInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ska2pwej.aeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	downloadly_installer.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	downloadly_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Box.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	downloadly_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MassiveInstaller.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x2s443bc.cs1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x2s443bc.cs1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MassiveInstaller.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00kfi53a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	downloadly_installer.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	walliant.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Box.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MassiveInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	207	Go-http-client/1.1
HTTP User-Agent header	220	Go-http-client/1.1

Kills process with taskkill 6 IoCs

evasion

pid	Process
4948	taskkill.exe
3740	taskkill.exe
4892	taskkill.exe
4976	taskkill.exe
2816	taskkill.exe
1096	taskkill.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133673682720083461"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Walliant.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	walliant.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Walliant.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	168	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	211	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	213	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3812	chrome.exe
3812	chrome.exe
2036	x2s443bc.cs1.tmp
2036	x2s443bc.cs1.tmp
4980	MassiveInstaller.tmp
4980	MassiveInstaller.tmp
2152	Massive.exe
2152	Massive.exe
2152	Massive.exe
2152	Massive.exe
2152	Massive.exe
2152	Massive.exe
2152	Massive.exe
2152	Massive.exe
2344	downloadly_installer.tmp
2344	downloadly_installer.tmp
2344	downloadly_installer.tmp
2344	downloadly_installer.tmp
2344	downloadly_installer.tmp
2344	downloadly_installer.tmp
2344	downloadly_installer.tmp
2344	downloadly_installer.tmp
2344	downloadly_installer.tmp
2344	downloadly_installer.tmp
2344	downloadly_installer.tmp
2344	downloadly_installer.tmp
2344	downloadly_installer.tmp
2344	downloadly_installer.tmp
2344	downloadly_installer.tmp
2344	downloadly_installer.tmp
2344	downloadly_installer.tmp
2344	downloadly_installer.tmp
2396	MassiveInstaller.tmp
2396	MassiveInstaller.tmp
2396	MassiveInstaller.tmp
2396	MassiveInstaller.tmp
2396	MassiveInstaller.tmp
2396	MassiveInstaller.tmp
2396	MassiveInstaller.tmp
2396	MassiveInstaller.tmp
2396	MassiveInstaller.tmp
2396	MassiveInstaller.tmp
2396	MassiveInstaller.tmp
2396	MassiveInstaller.tmp
2816	chrome.exe
2816	chrome.exe
2176	ska2pwej.aeh.tmp
2176	ska2pwej.aeh.tmp
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
1268	chrome.exe
1268	chrome.exe
4384	00kfi53a.tmp
4384	00kfi53a.tmp
4384	00kfi53a.tmp
4384	00kfi53a.tmp
4384	00kfi53a.tmp

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3812	chrome.exe
3812	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe
1268	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
1204	7zG.exe
2036	x2s443bc.cs1.tmp
1868	Downloadly.exe
4980	MassiveInstaller.tmp
1868	Downloadly.exe
2344	downloadly_installer.tmp
4852	Downloadly.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
1868	Downloadly.exe
4852	Downloadly.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2816	chrome.exe
2376	walliant.exe
3228	[email protected]
3228	[email protected]
3228	[email protected]
452	Free YouTube Downloader.exe
3228	[email protected]
3228	[email protected]
3228	[email protected]
564	Free YouTube Downloader.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1868	Downloadly.exe
1868	Downloadly.exe
2376	walliant.exe
2376	walliant.exe
3228	[email protected]
3228	[email protected]
3560	[email protected]
720	Walliant.exe
720	Walliant.exe
2056	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 912	3812	chrome.exe	83
PID 3812 wrote to memory of 912	3812	chrome.exe	83
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 1928	3812	chrome.exe	84
PID 3812 wrote to memory of 5108	3812	chrome.exe	85
PID 3812 wrote to memory of 5108	3812	chrome.exe	85
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86
PID 3812 wrote to memory of 2180	3812	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8cd78cc40,0x7ff8cd78cc4c,0x7ff8cd78cc58
  2⤵
  PID:912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,2655437679789077097,3024767720452930215,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,2655437679789077097,3024767720452930215,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,2655437679789077097,3024767720452930215,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2368 /prefetch:8
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,2655437679789077097,3024767720452930215,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,2655437679789077097,3024767720452930215,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4604,i,2655437679789077097,3024767720452930215,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4616 /prefetch:8
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5044,i,2655437679789077097,3024767720452930215,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:4392

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4772

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2208

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Downloadly\" -spe -an -ai#7zMap6223:82:7zEvent12823
1⤵
- Suspicious use of FindShellTrayWindow
PID:1204

C:\Users\Admin\Downloads\Downloadly\x2s443bc.cs1.exe
"C:\Users\Admin\Downloads\Downloadly\x2s443bc.cs1.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3564
- C:\Users\Admin\AppData\Local\Temp\is-24VDR.tmp\x2s443bc.cs1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-24VDR.tmp\x2s443bc.cs1.tmp" /SL5="$301E0,15784509,779776,C:\Users\Admin\Downloads\Downloadly\x2s443bc.cs1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:2036
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im Downloadly.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:3740
- - C:\Users\Admin\Programs\Downloadly\Downloadly.exe
    "C:\Users\Admin\Programs\Downloadly\Downloadly.exe" EnablePro
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1868
  - - C:\Users\Admin\Programs\Downloadly\MassiveInstaller.exe
      C:\Users\Admin\Programs\Downloadly\MassiveInstaller.exe /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /AllowStatusPage=false /ShowUI=false /DIR="C:\Users\Admin\Programs\Massive"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2264
    - - C:\Users\Admin\AppData\Local\Temp\is-A6TVO.tmp\MassiveInstaller.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-A6TVO.tmp\MassiveInstaller.tmp" /SL5="$601BE,10474064,1082880,C:\Users\Admin\Programs\Downloadly\MassiveInstaller.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /AllowStatusPage=false /ShowUI=false /DIR="C:\Users\Admin\Programs\Massive"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:4980
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im Massive.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:4892
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im MassiveUI.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:4976
      - C:\Users\Admin\Programs\Massive\Massive.exe
        
        "C:\Users\Admin\Programs\Massive\Massive.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2152
        
        C:\Users\Admin\Programs\Massive\crashpad_handler.exe
        
        C:\Users\Admin\Programs\Massive\crashpad_handler.exe --no-rate-limit --database=C:\Users\Admin\AppData\Local\Massive\crashdumps --metrics-dir=C:\Users\Admin\AppData\Local\Massive\crashdumps --url=https://o428832.ingest.sentry.io:443/api/5375291/minidump/?sentry_client=sentry.native/0.4.9&sentry_key=5647f16acff64576af0bbfb18033c983 --attachment=C:\Users\Admin\AppData\Local\Massive\crashdumps\b41274c6-3598-4701-9155-11b122825113.run\__sentry-event --attachment=C:\Users\Admin\AppData\Local\Massive\crashdumps\b41274c6-3598-4701-9155-11b122825113.run\__sentry-breadcrumb1 --attachment=C:\Users\Admin\AppData\Local\Massive\crashdumps\b41274c6-3598-4701-9155-11b122825113.run\__sentry-breadcrumb2 --initial-client-data=0x3f4,0x3f8,0x3fc,0x3d0,0x404,0x7ff7312e2fe0,0x7ff7312e2fa0,0x7ff7312e2fb0
        7⤵
        Executes dropped EXE
        
        PID:2336
  - - C:\Users\Admin\AppData\Local\Temp\Update-d7dbbe5f-363a-42cc-bd14-88027457fdda\downloadly_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\Update-d7dbbe5f-363a-42cc-bd14-88027457fdda\downloadly_installer.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /LOG
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4880
    - - C:\Users\Admin\AppData\Local\Temp\is-RL9DT.tmp\downloadly_installer.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-RL9DT.tmp\downloadly_installer.tmp" /SL5="$701DE,15992205,779776,C:\Users\Admin\AppData\Local\Temp\Update-d7dbbe5f-363a-42cc-bd14-88027457fdda\downloadly_installer.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /LOG
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:2344
      - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im Downloadly.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:2816
      - C:\Users\Admin\Programs\Downloadly\Downloadly.exe
        
        "C:\Users\Admin\Programs\Downloadly\Downloadly.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:4852
        
        C:\Users\Admin\Programs\Downloadly\MassiveInstaller.exe
        
        C:\Users\Admin\Programs\Downloadly\MassiveInstaller.exe /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /AllowStatusPage=false /ShowUI=false /DIR="C:\Users\Admin\Programs\Massive"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\is-COLE4.tmp\MassiveInstaller.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-COLE4.tmp\MassiveInstaller.tmp" /SL5="$100022,10516965,1082880,C:\Users\Admin\Programs\Downloadly\MassiveInstaller.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /AllowStatusPage=false /ShowUI=false /DIR="C:\Users\Admin\Programs\Massive"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2396
        
        C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im Massive.exe
        9⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:1096
        
        C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im MassiveUI.exe
        9⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        
        PID:4948
  - - C:\Users\Admin\AppData\Local\Temp\Update-64c7e4c5-81cf-4061-9f86-9181ff0f022f\downloadly_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\Update-64c7e4c5-81cf-4061-9f86-9181ff0f022f\downloadly_installer.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /LOG
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2840
    - - C:\Users\Admin\AppData\Local\Temp\is-346D9.tmp\downloadly_installer.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-346D9.tmp\downloadly_installer.tmp" /SL5="$B0030,15992205,779776,C:\Users\Admin\AppData\Local\Temp\Update-64c7e4c5-81cf-4061-9f86-9181ff0f022f\downloadly_installer.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /LOG
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff8cd78cc40,0x7ff8cd78cc4c,0x7ff8cd78cc58
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1872,i,591008778210095353,9922873311160482305,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1860 /prefetch:2
  2⤵
  PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1964,i,591008778210095353,9922873311160482305,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1996 /prefetch:3
  2⤵
  PID:3240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,591008778210095353,9922873311160482305,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2452 /prefetch:8
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,591008778210095353,9922873311160482305,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,591008778210095353,9922873311160482305,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3152,i,591008778210095353,9922873311160482305,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4840,i,591008778210095353,9922873311160482305,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:3420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4884,i,591008778210095353,9922873311160482305,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3560,i,591008778210095353,9922873311160482305,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5324,i,591008778210095353,9922873311160482305,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5576,i,591008778210095353,9922873311160482305,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  PID:3676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5520,i,591008778210095353,9922873311160482305,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5344 /prefetch:8
  2⤵
  PID:3216

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4256

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Walliant\" -spe -an -ai#7zMap32055:78:7zEvent9334
1⤵
PID:1880

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Antivirus Pro 2017\" -spe -an -ai#7zMap18656:98:7zEvent22396
1⤵
PID:2092

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\FakeActivation\" -spe -an -ai#7zMap11144:90:7zEvent18155
1⤵
PID:3824

C:\Users\Admin\Downloads\Walliant\ska2pwej.aeh.exe
"C:\Users\Admin\Downloads\Walliant\ska2pwej.aeh.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1852
- C:\Users\Admin\AppData\Local\Temp\is-3D1C9.tmp\ska2pwej.aeh.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-3D1C9.tmp\ska2pwej.aeh.tmp" /SL5="$110296,4511977,830464,C:\Users\Admin\Downloads\Walliant\ska2pwej.aeh.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2176
- - C:\Users\Admin\AppData\Local\Programs\Walliant\walliant.exe
    "C:\Users\Admin\AppData\Local\Programs\Walliant\walliant.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2376
  - - C:\Users\Admin\AppData\Local\Temp\00kfi53a.exe
      "C:\Users\Admin\AppData\Local\Temp\00kfi53a.exe" /VERYSILENT /SUPPRESSMSGBOXES /NOCANCEL /NORESTART
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3916
    - - C:\Users\Admin\AppData\Local\Temp\is-9UUJ1.tmp\00kfi53a.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-9UUJ1.tmp\00kfi53a.tmp" /SL5="$40380,5010045,830976,C:\Users\Admin\AppData\Local\Temp\00kfi53a.exe" /VERYSILENT /SUPPRESSMSGBOXES /NOCANCEL /NORESTART
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4384
      - C:\Users\Admin\AppData\Local\Programs\Walliant\Walliant.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Walliant\Walliant.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious use of SetWindowsHookEx
        
        PID:720
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-pings= --no-sandbox= --user-data-dir=C:\Users\Admin\AppData\Local\Temp\chrome-runner1941622109 --disable-hang-monitor= --window-size=1280,800 --remote-debugging-port=0 --disable-dev-shm-usage= --disable-backgrounding-occluded-windows= --disable-features=MediaRouter,Translate,InterestFeedContentSuggestions,AutofillServerCommunication --remote-debugging-host=127.0.0.1 --no-service-autorun= --enable-features=NetworkService,NetworkServiceInProcess --disable-extensions= --disable-setuid-sandbox= --disable-component-update= --disable-breakpad= --no-default-browser-check= --headless=new --noerrdialogs= --disable-domain-reliability= --metrics-recording-only= --no-first-run= --disable-infobars= --disable-component-extensions-with-background-pages= --temp-profile= --disable-renderer-backgrounding= --mute-audio= --disable-background-networking= --no-zygote= --disable-background-timer-throttling= --disable-sync= --ignore-certificate-errors= --ignore-certificate-errors-skip-list= --disable-fre=
        7⤵
        Uses browser remote debugging
        Enumerates system info in registry
        
        PID:1300
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\chrome-runner1941622109 /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\chrome-runner1941622109\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\chrome-runner1941622109 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff8cd78cc40,0x7ff8cd78cc4c,0x7ff8cd78cc58
        8⤵
        
        PID:3996
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --disable-breakpad --headless=new --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\chrome-runner1941622109" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,2829957058493620339,16987020393391198441,262144 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=AutofillServerCommunication,InterestFeedContentSuggestions,MediaRouter,PaintHolding,Translate --variations-seed-version --mojo-platform-channel-handle=1940 /prefetch:2
        8⤵
        
        PID:2676
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --ignore-certificate-errors --mute-audio --ignore-certificate-errors --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\chrome-runner1941622109" --no-appcompat-clear --field-trial-handle=1860,i,2829957058493620339,16987020393391198441,262144 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=AutofillServerCommunication,InterestFeedContentSuggestions,MediaRouter,PaintHolding,Translate --variations-seed-version --mojo-platform-channel-handle=2092 /prefetch:3
        8⤵
        
        PID:2352
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --ignore-certificate-errors --mute-audio --ignore-certificate-errors --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\chrome-runner1941622109" --no-appcompat-clear --field-trial-handle=2160,i,2829957058493620339,16987020393391198441,262144 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=AutofillServerCommunication,InterestFeedContentSuggestions,MediaRouter,PaintHolding,Translate --variations-seed-version --mojo-platform-channel-handle=2260 /prefetch:8
        8⤵
        
        PID:1648
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\chrome-runner1941622109" --no-appcompat-clear --no-sandbox --disable-background-timer-throttling --disable-breakpad --no-zygote --remote-debugging-port=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2924,i,2829957058493620339,16987020393391198441,262144 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=AutofillServerCommunication,InterestFeedContentSuggestions,MediaRouter,PaintHolding,Translate --variations-seed-version --mojo-platform-channel-handle=3000 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2592
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\chrome-runner1941622109" --no-appcompat-clear --no-sandbox --disable-background-timer-throttling --disable-breakpad --no-zygote --remote-debugging-port=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2932,i,2829957058493620339,16987020393391198441,262144 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=AutofillServerCommunication,InterestFeedContentSuggestions,MediaRouter,PaintHolding,Translate --variations-seed-version --mojo-platform-channel-handle=2944 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:4012
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\chrome-runner1941622109" --no-appcompat-clear --no-sandbox --disable-background-timer-throttling --disable-breakpad --no-zygote --remote-debugging-port=0 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3892,i,2829957058493620339,16987020393391198441,262144 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=AutofillServerCommunication,InterestFeedContentSuggestions,MediaRouter,PaintHolding,Translate --variations-seed-version --mojo-platform-channel-handle=4044 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:2176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-sandbox= --disable-setuid-sandbox= --user-data-dir=C:\Users\Admin\AppData\Local\Temp\chrome-runner1931394505 --no-default-browser-check= --remote-debugging-host=127.0.0.1 --ignore-certificate-errors-skip-list= --no-service-autorun= --disable-features=MediaRouter,Translate,InterestFeedContentSuggestions,AutofillServerCommunication --metrics-recording-only= --headless=new --noerrdialogs= --disable-component-update= --no-zygote= --disable-dev-shm-usage= --window-size=1280,800 --ignore-certificate-errors= --disable-domain-reliability= --disable-extensions= --no-pings= --mute-audio= --no-first-run= --disable-infobars= --disable-hang-monitor= --disable-renderer-backgrounding= --disable-background-timer-throttling= --disable-component-extensions-with-background-pages= --disable-sync= --disable-backgrounding-occluded-windows= --disable-background-networking= --disable-fre= --enable-features=NetworkService,NetworkServiceInProcess --disable-breakpad= --temp-profile= --remote-debugging-port=0
        7⤵
        Uses browser remote debugging
        
        PID:5008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\chrome-runner1931394505 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\chrome-runner1931394505\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\chrome-runner1931394505 --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff8b25146f8,0x7ff8b2514708,0x7ff8b2514718
        8⤵
        
        PID:4156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1520,4678345905526608479,654216381545845373,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=AutofillServerCommunication,InterestFeedContentSuggestions,MediaRouter,PaintHolding,Translate --no-sandbox --disable-breakpad --headless=new --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --mojo-platform-channel-handle=1516 /prefetch:2
        8⤵
        
        PID:3448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --disable-background-timer-throttling --disable-breakpad --no-zygote --remote-debugging-port=0 --allow-pre-commit-input --field-trial-handle=1520,4678345905526608479,654216381545845373,131072 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=AutofillServerCommunication,InterestFeedContentSuggestions,MediaRouter,PaintHolding,Translate --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --mojo-platform-channel-handle=1980 /prefetch:1
        8⤵
        Uses browser remote debugging
        
        PID:5004

C:\Users\Admin\Downloads\Antivirus Pro 2017\[email protected]
"C:\Users\Admin\Downloads\Antivirus Pro 2017\[email protected]"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3228

C:\Users\Admin\Downloads\FakeActivation\[email protected]
"C:\Users\Admin\Downloads\FakeActivation\[email protected]"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3560
- C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
  "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SendNotifyMessage
  PID:452
- - C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
    "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4016

C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:564
- C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe
  "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4188

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:3700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:1268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8cd78cc40,0x7ff8cd78cc4c,0x7ff8cd78cc58
  2⤵
  PID:5092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,9706545272579605366,7639178218276985330,262144 --variations-seed-version=20240805-050143.334000 --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1820,i,9706545272579605366,7639178218276985330,262144 --variations-seed-version=20240805-050143.334000 --mojo-platform-channel-handle=2088 /prefetch:3
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,9706545272579605366,7639178218276985330,262144 --variations-seed-version=20240805-050143.334000 --mojo-platform-channel-handle=2252 /prefetch:8
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,9706545272579605366,7639178218276985330,262144 --variations-seed-version=20240805-050143.334000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,9706545272579605366,7639178218276985330,262144 --variations-seed-version=20240805-050143.334000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4580,i,9706545272579605366,7639178218276985330,262144 --variations-seed-version=20240805-050143.334000 --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:4188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4868,i,9706545272579605366,7639178218276985330,262144 --variations-seed-version=20240805-050143.334000 --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4900,i,9706545272579605366,7639178218276985330,262144 --variations-seed-version=20240805-050143.334000 --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  PID:3684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3332,i,9706545272579605366,7639178218276985330,262144 --variations-seed-version=20240805-050143.334000 --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5288,i,9706545272579605366,7639178218276985330,262144 --variations-seed-version=20240805-050143.334000 --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  PID:3220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4916,i,9706545272579605366,7639178218276985330,262144 --variations-seed-version=20240805-050143.334000 --mojo-platform-channel-handle=832 /prefetch:8
  2⤵
  PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5552,i,9706545272579605366,7639178218276985330,262144 --variations-seed-version=20240805-050143.334000 --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  PID:4276

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:896

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4364

C:\Users\Admin\AppData\Local\Temp\Temp1_HMBlocker.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_HMBlocker.zip\[email protected]"
1⤵
- System Location Discovery: System Language Discovery
PID:2872
- C:\Windows\SysWOW64\shutdown.exe
  "C:\Windows\System32\shutdown.exe" /r /t 6 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3048
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2503326475 /t REG_SZ /d "C:\Users\Admin\2503326475\2503326475.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4724
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2503326475 /t REG_SZ /d "C:\Users\Admin\2503326475\2503326475.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4352
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2503326475_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\AppData\Local\Temp\Temp1_HMBlocker.zip\[email protected]\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4648
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2503326475_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\AppData\Local\Temp\Temp1_HMBlocker.zip\[email protected]\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3444

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38e8855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Modify Authentication Process

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Authentication Process

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Modify Authentication Process

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery