Resubmissions
01/02/2022, 09:10  220201-k4279scee5  10
15/01/2022, 13:42  220115-qztyzsefhn  10
12/01/2022, 12:30  220112-ppk3nacfbl  10
10/01/2022, 10:49  220110-mwsd7sebe3  10
07/01/2022, 20:35  220107-zc2jzsdaeq  10
07/01/2022, 10:05  220107-l4rxzacba8  10
06/01/2022, 22:46  220106-2qch5abff5  10
06/01/2022, 19:07  220106-xsnxqabhfl  10
06/01/2022, 15:26  220106-svedvabda5  10
06/01/2022, 15:25  220106-st3p2sbgcq  10

Analysis
max time kernel: 1800s
max time network: 1690s
platform: windows7_x64
resource: win7-ja-20211208
submitted: 06/01/2022, 19:07

Static task: static1
Behavioral task: behavioral1
Sample: 4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe
Resource: win7-ja-20211208
General
Target: 4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe
Size: 339KB
MD5: b75726b4b619811b4c50d917822a4083
SHA1: ed8b418d7357609ce03c4f7123c0bb711b9d227d
SHA256: 4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf
SHA512: 59516fdf6334f4005c7881322eb9a057939804e18ba8f13d0cb48fdc460aab19570c482e87700c6884807e1c885864ed422646f3150d9df731a10ecf5a7e05c9
Malware Config
Extracted: smokeloader 2020
Extracted: raccoon 10da56e7e71e97bdc1f36eb76813bbc3231de7e4
url4cnc:
Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.

suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Arkei Stealer Payload 4 IoCs
resource  yara_rule
behavioral1/memory/2752-80-0x0000000000020000-0x000000000003C000-memory.dmp  family_arkei
behavioral1/memory/2752-81-0x0000000000400000-0x0000000000462000-memory.dmp  family_arkei
behavioral1/memory/2632-125-0x0000000000810000-0x0000000000905000-memory.dmp  family_arkei
behavioral1/memory/2632-127-0x0000000000810000-0x0000000000905000-memory.dmp  family_arkei
Downloads MZ/PE file

Executes dropped EXE 22 IoCs
pid   Process
2632  7C22.exe
2676  8F59.exe
2704  8F59.exe
2752  A625.exe
2824  BAA0.exe
2872  BAA0.exe
2980  BAA0.exe
2632  241D.exe
2604  39DF.exe
2888  6CB7.exe
2040  rhrjafb
1740  esrjafb
2568  esrjafb
2784  software_reporter_tool.exe
652   software_reporter_tool.exe
2244  software_reporter_tool.exe
1472  software_reporter_tool.exe
1468  rhrjafb
1916  esrjafb
2572  esrjafb
2812  esrjafb
2652  esrjafb

Deletes itself 1 IoCs
pid   Process
1276  Process not Found

Loads dropped DLL 24 IoCs
pid   Process
2676  8F59.exe
2824  BAA0.exe
2824  BAA0.exe
2752  A625.exe
2752  A625.exe
2752  A625.exe
2752  A625.exe
2752  A625.exe
2632  241D.exe
2632  241D.exe
2632  241D.exe
2632  241D.exe
2632  241D.exe
672   chrome.exe
2244  software_reporter_tool.exe
2244  software_reporter_tool.exe
2244  software_reporter_tool.exe
2244  software_reporter_tool.exe
2244  software_reporter_tool.exe
2244  software_reporter_tool.exe
2244  software_reporter_tool.exe
2040  WerFault.exe
2040  WerFault.exe
2040  WerFault.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  explorer.exe
Key opened  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  explorer.exe
Key opened  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid   Process
2632  241D.exe
2888  6CB7.exe

Suspicious use of SetThreadContext 6 IoCs
description  pid  Process  procid_target
PID 516 set thread context of 460  516  4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe  27
PID 2676 set thread context of 2704  2676  8F59.exe  53
PID 2824 set thread context of 2980  2824  BAA0.exe  59
PID 1740 set thread context of 2568  1740  esrjafb  85
PID 1916 set thread context of 2572  1916  esrjafb  107
PID 2812 set thread context of 2652  2812  esrjafb  110

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash 1 IoCs
pid   pid_target  Process       procid_target
2040  1468        WerFault.exe  106
Checks SCSI registry key(s) 3 TTPs 15 IoCs
SCSI information is often read in order to detect sandboxing environments.
description  ioc  Process
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  esrjafb
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  7C22.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  rhrjafb
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  rhrjafb
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  rhrjafb
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  esrjafb
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  7C22.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  esrjafb
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  esrjafb
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  7C22.exe
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  esrjafb
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  esrjafb

Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  A625.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  A625.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  241D.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  241D.exe

Delays execution with timeout.exe 2 IoCs
pid   Process
2732  timeout.exe
2928  timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
2040  WerFault.exe

Suspicious behavior: MapViewOfSection 9 IoCs
pid   Process
460   4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe
2632  7C22.exe
1276  Process not Found
1276  Process not Found
1276  Process not Found
1276  Process not Found
2040  rhrjafb
2572  esrjafb
2652  esrjafb

Suspicious use of AdjustPrivilegeToken 21 IoCs
description  pid  Process
Token: SeShutdownPrivilege  1276  Process not Found
Token: SeDebugPrivilege  2824  BAA0.exe
Token: SeDebugPrivilege  2980  BAA0.exe
Token: SeShutdownPrivilege  1276  Process not Found
Token: SeDebugPrivilege  2888  6CB7.exe
Token: SeShutdownPrivilege  1276  Process not Found
Token: 33  652  software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege  652  software_reporter_tool.exe
Token: 33  2784  software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege  2784  software_reporter_tool.exe
Token: 33  2244  software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege  2244  software_reporter_tool.exe
Token: 33  1472  software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege  1472  software_reporter_tool.exe
Token: SeShutdownPrivilege  1276  Process not Found
Token: SeShutdownPrivilege  1276  Process not Found
Token: SeDebugPrivilege  2040  WerFault.exe
Token: SeShutdownPrivilege  1276  Process not Found
Token: SeShutdownPrivilege  1276  Process not Found
Token: SeShutdownPrivilege  1276  Process not Found
Token: SeShutdownPrivilege  1276  Process not Found
Suspicious use of FindShellTrayWindow 36 IoCs
Suspicious use of SendNotifyMessage 34 IoCs
Suspicious use of UnmapMainImage 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
outlook_office_path 1 IoCs
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  explorer.exe

outlook_win_path 1 IoCs
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  explorer.exe
Processes (child processes are indented under their parent)

"C:\Users\Admin\AppData\Local\Temp\4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe"  PID:516
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    "C:\Users\Admin\AppData\Local\Temp\4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe"  PID:460
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

"C:\Program Files\Google\Chrome\Application\chrome.exe"  PID:672
  - Loads dropped DLL
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7034f50,0x7fef7034f60,0x7fef7034f70  PID:1116
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1236 /prefetch:8  PID:428
      - Suspicious behavior: EnumeratesProcesses
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1092 /prefetch:2  PID:1108
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1816 /prefetch:8  PID:1676
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2040 /prefetch:1  PID:956
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2052 /prefetch:1  PID:1836
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2888 /prefetch:2  PID:1868
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1088 /prefetch:8  PID:1636
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2648 /prefetch:1  PID:1784
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3152 /prefetch:8  PID:760
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3296 /prefetch:8  PID:2056
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4036 /prefetch:8  PID:2172
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4144 /prefetch:8  PID:2208
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3736 /prefetch:8  PID:2224
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3764 /prefetch:8  PID:2216
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4040 /prefetch:8  PID:2320
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3324 /prefetch:8  PID:2328
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3540 /prefetch:8  PID:2392
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3392 /prefetch:8  PID:2428
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3416 /prefetch:8  PID:2464
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1  PID:2500
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1  PID:2560
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4052 /prefetch:8  PID:2780
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3736 /prefetch:8  PID:2884
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=536 /prefetch:8  PID:2432
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4032 /prefetch:8  PID:2492
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1468 /prefetch:8  PID:2200
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4000 /prefetch:8  PID:2380
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=988 /prefetch:8  PID:2240
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3736 /prefetch:8  PID:2480
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1004 /prefetch:8  PID:2556
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1984 /prefetch:8  PID:2680
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1872 /prefetch:8  PID:2616
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1776 /prefetch:8  PID:924
    "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\94.273.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=kemyoYTqosDNOBf7YVyvVAtBhlmIgQEsQDF+OI5d --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=NewCleanerUIExperiment  PID:2784
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
        "c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=94.273.200 --initial-client-data=0x160,0x164,0x168,0x134,0x16c,0x1401ec4b8,0x1401ec4c8,0x1401ec4d8  PID:652
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
        "c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_2784_LLEFNTWNSKNZLKUQ" --sandboxed-process-id=2 --init-done-notifier=468 --sandbox-mojo-pipe-token=12642503802866909302 --mojo-platform-channel-handle=440 --engine=2  PID:2244
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
        "c:\users\admin\appdata\local\google\chrome\user data\swreporter\94.273.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_2784_LLEFNTWNSKNZLKUQ" --sandboxed-process-id=3 --init-done-notifier=644 --sandbox-mojo-pipe-token=4311856091931439458 --mojo-platform-channel-handle=640  PID:1472
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8  PID:2064
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1784 /prefetch:82⤵PID:2376
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 /prefetch:82⤵PID:1976
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1004 /prefetch:82⤵PID:2668
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3452 /prefetch:82⤵PID:2860
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=628 /prefetch:82⤵PID:1588
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4000 /prefetch:82⤵PID:2956
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3452 /prefetch:82⤵PID:1552
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1000,6241201856956439403,10498533748939493880,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1792 /prefetch:82⤵PID:2828
-
-
C:\Users\Admin\AppData\Local\Temp\7C22.exeC:\Users\Admin\AppData\Local\Temp\7C22.exe1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2632
-
C:\Users\Admin\AppData\Local\Temp\8F59.exeC:\Users\Admin\AppData\Local\Temp\8F59.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2676 -
C:\Users\Admin\AppData\Local\Temp\8F59.exeC:\Users\Admin\AppData\Local\Temp\8F59.exe2⤵
- Executes dropped EXE
PID:2704
-
-
C:\Users\Admin\AppData\Local\Temp\A625.exeC:\Users\Admin\AppData\Local\Temp\A625.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:2752 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\A625.exe" & exit2⤵PID:2500
-
C:\Windows\SysWOW64\timeout.exetimeout /t 53⤵
- Delays execution with timeout.exe
PID:2732
-
-
-
C:\Users\Admin\AppData\Local\Temp\BAA0.exeC:\Users\Admin\AppData\Local\Temp\BAA0.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2824 -
C:\Users\Admin\AppData\Local\Temp\BAA0.exeC:\Users\Admin\AppData\Local\Temp\BAA0.exe2⤵
- Executes dropped EXE
PID:2872
-
-
C:\Users\Admin\AppData\Local\Temp\BAA0.exeC:\Users\Admin\AppData\Local\Temp\BAA0.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2980
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2236
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:2504
-
C:\Users\Admin\AppData\Local\Temp\241D.exeC:\Users\Admin\AppData\Local\Temp\241D.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
PID:2632 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\241D.exe" & exit2⤵PID:2816
-
C:\Windows\SysWOW64\timeout.exetimeout /t 53⤵
- Delays execution with timeout.exe
PID:2928
-
-
-
C:\Users\Admin\AppData\Local\Temp\39DF.exeC:\Users\Admin\AppData\Local\Temp\39DF.exe1⤵
- Executes dropped EXE
PID:2604
-
C:\Users\Admin\AppData\Local\Temp\6CB7.exeC:\Users\Admin\AppData\Local\Temp\6CB7.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2888
-
C:\Windows\system32\taskeng.exetaskeng.exe {A2C3A026-2A39-45D7-82DE-8343095E6D9D} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]1⤵PID:3016
-
C:\Users\Admin\AppData\Roaming\rhrjafbC:\Users\Admin\AppData\Roaming\rhrjafb2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2040
-
-
C:\Users\Admin\AppData\Roaming\esrjafbC:\Users\Admin\AppData\Roaming\esrjafb2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1740 -
C:\Users\Admin\AppData\Roaming\esrjafbC:\Users\Admin\AppData\Roaming\esrjafb3⤵
- Executes dropped EXE
PID:2568
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {9753CD37-DE62-4F70-9D60-1CE1AC78BC5D} S-1-5-18:NT AUTHORITY\System:Service:1⤵PID:2520
-
C:\Windows\system32\taskeng.exetaskeng.exe {1663C6C7-9945-482E-8BD1-6A39EB0EFD78} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]1⤵PID:2400
-
C:\Program Files\Mozilla Firefox\default-browser-agent.exe"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task2⤵PID:940
-
-
C:\Users\Admin\AppData\Roaming\esrjafbC:\Users\Admin\AppData\Roaming\esrjafb2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1916 -
C:\Users\Admin\AppData\Roaming\esrjafbC:\Users\Admin\AppData\Roaming\esrjafb3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2572
-
-
-
C:\Users\Admin\AppData\Roaming\rhrjafbC:\Users\Admin\AppData\Roaming\rhrjafb2⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 1243⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2040
-
-
-
C:\Users\Admin\AppData\Roaming\esrjafbC:\Users\Admin\AppData\Roaming\esrjafb2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2812 -
C:\Users\Admin\AppData\Roaming\esrjafbC:\Users\Admin\AppData\Roaming\esrjafb3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:2652
-
-