Resubmissions
ID | Score | Submitted
220201-k4279scee5 | 10 | 01/02/2022, 09:10
220115-qztyzsefhn | 10 | 15/01/2022, 13:42
220112-ppk3nacfbl | 10 | 12/01/2022, 12:30
220110-mwsd7sebe3 | 10 | 10/01/2022, 10:49
220107-zc2jzsdaeq | 10 | 07/01/2022, 20:35
220107-l4rxzacba8 | 10 | 07/01/2022, 10:05
220106-2qch5abff5 | 10 | 06/01/2022, 22:46
220106-xsnxqabhfl | 10 | 06/01/2022, 19:07
220106-svedvabda5 | 10 | 06/01/2022, 15:26
220106-st3p2sbgcq | 10 | 06/01/2022, 15:25
Analysis
max time kernel: 190s
max time network: 189s
platform: windows7_x64
resource: win7-ja-20211208
submitted: 10/01/2022, 10:49
Static task: static1
Behavioral task: behavioral1
Sample: 4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe
Resource: win7-ja-20211208
General
Target: 4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe
Size: 339KB
MD5: b75726b4b619811b4c50d917822a4083
SHA1: ed8b418d7357609ce03c4f7123c0bb711b9d227d
SHA256: 4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf
SHA512: 59516fdf6334f4005c7881322eb9a057939804e18ba8f13d0cb48fdc460aab19570c482e87700c6884807e1c885864ed422646f3150d9df731a10ecf5a7e05c9
Malware Config
Extracted
smokeloader
2020
http://host-data-coin-11.com/
http://file-coin-host-12.com/
http://srtuiyhuali.at/
http://fufuiloirtu.com/
http://amogohuigotuli.at/
http://novohudosovu.com/
http://brutuilionust.com/
http://bubushkalioua.com/
http://dumuilistrati.at/
http://verboliatsiaeeees.com/
Extracted
tofsee
patmushta.info
parubey.info
Extracted
raccoon
1.8.4-hotfixs
Signatures
SmokeLoader
Modular backdoor trojan in use since 2014.
Arkei Stealer Payload 4 IoCs
resource | yara_rule
behavioral1/memory/1104-101-0x00000000011C0000-0x00000000014C6000-memory.dmp | family_arkei
behavioral1/memory/1104-102-0x00000000011C0000-0x00000000014C6000-memory.dmp | family_arkei
behavioral1/memory/1280-122-0x0000000000240000-0x000000000025C000-memory.dmp | family_arkei
behavioral1/memory/1280-123-0x0000000000400000-0x000000000045A000-memory.dmp | family_arkei
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
Creates new service(s) 1 TTPs
Downloads MZ/PE file
Executes dropped EXE 11 IoCs
pid | Process
1824 | 25F8.exe
1944 | jretatj
1760 | jretatj
1280 | 81B3.exe
288 | 850E.exe
1040 | 915E.exe
1104 | B218.exe
908 | CB82.exe
1632 | lsnejoah.exe
240 | 915E.exe
1560 | 21C2.exe
Modifies Windows Firewall 1 TTPs
Sets service image path in registry 2 TTPs
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | B218.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | B218.exe
Deletes itself 1 IoCs
pid | Process
1296 | Process not Found
Loads dropped DLL 16 IoCs
pid | Process
1040 | 915E.exe
1104 | B218.exe (x5)
1296 | Process not Found
1776 | taskmgr.exe (x2)
920 | WerFault.exe (x7)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles 1 TTPs 38 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 21C2.exe
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 21C2.exe
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 21C2.exe
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | 21C2.exe
Key queried | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | 21C2.exe
Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | 21C2.exe
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | 21C2.exe
Key queried | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | 21C2.exe
Key queried | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 21C2.exe
Key queried | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | 21C2.exe
Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 21C2.exe
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | 21C2.exe
Key queried | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 21C2.exe
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 21C2.exe
Key queried | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 21C2.exe
Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 21C2.exe
Key queried | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 21C2.exe
Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 21C2.exe
Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 21C2.exe
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 21C2.exe
Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 21C2.exe
Key queried | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 21C2.exe
Key queried | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 21C2.exe
Key queried | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 21C2.exe
Key queried | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | 21C2.exe
Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 21C2.exe
Key queried | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | 21C2.exe
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | 21C2.exe
Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 21C2.exe
Key queried | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | 21C2.exe
Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 21C2.exe
Key queried | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 21C2.exe
Key opened | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | 21C2.exe
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 21C2.exe
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 21C2.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled 1 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | B218.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
172 | api.ipify.org
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
1104 | B218.exe (x2)
Suspicious use of SetThreadContext 4 IoCs
description | pid | Process | procid_target
PID 840 set thread context of 1784 | 840 | 4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe | 30
PID 1944 set thread context of 1760 | 1944 | jretatj | 33
PID 1040 set thread context of 240 | 1040 | 915E.exe | 51
PID 1632 set thread context of 472 | 1632 | lsnejoah.exe | 65
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
pid | pid_target | Process | procid_target
920 | 908 | WerFault.exe | 38
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | jretatj
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | jretatj
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 25F8.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 25F8.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 25F8.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | jretatj
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 21C2.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | B218.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | B218.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | 21C2.exe
Delays execution with timeout.exe 1 IoCs
pid | Process
1892 | timeout.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | Process not Found
Set value (data) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | Process not Found
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1784 | 4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe (x2)
1296 | Process not Found (x62)
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | Process
1296 | Process not Found
1776 | taskmgr.exe
Suspicious behavior: MapViewOfSection 7 IoCs
pid | Process
1784 | 4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe
1824 | 25F8.exe
1760 | jretatj
1296 | Process not Found (x4)
Suspicious use of AdjustPrivilegeToken 20 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1040 | 915E.exe
Token: SeShutdownPrivilege | 1296 | Process not Found
Token: SeDebugPrivilege | 1776 | taskmgr.exe
Token: SeShutdownPrivilege | 1296 | Process not Found (x2)
Token: SeDebugPrivilege | 920 | WerFault.exe
Token: SeDebugPrivilege | 240 | 915E.exe
Token: SeDebugPrivilege | 1560 | 21C2.exe
Token: SeShutdownPrivilege | 1296 | Process not Found (x12)
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
1296 | Process not Found (x6)
1776 | taskmgr.exe (x58)
Suspicious use of SendNotifyMessage 64 IoCs
pid | Process
1296 | Process not Found (x25)
1776 | taskmgr.exe (x39)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 840 wrote to memory of 1784 | 840 | 4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe | 30 (x7)
PID 1296 wrote to memory of 1824 | 1296 | Process not Found | 31 (x4)
PID 1944 wrote to memory of 1760 | 1944 | jretatj | 33 (x7)
PID 1296 wrote to memory of 1280 | 1296 | Process not Found | 34 (x4)
PID 1296 wrote to memory of 288 | 1296 | Process not Found | 35 (x4)
PID 1296 wrote to memory of 1040 | 1296 | Process not Found | 36 (x4)
PID 1296 wrote to memory of 1104 | 1296 | Process not Found | 37 (x4)
PID 1296 wrote to memory of 908 | 1296 | Process not Found | 38 (x4)
PID 1296 wrote to memory of 1632 | 1296 | Process not Found | 39 (x5)
PID 1296 wrote to memory of 1380 | 1296 | Process not Found | 40 (x4)
PID 288 wrote to memory of 840 | 288 | 850E.exe | 42 (x4)
PID 288 wrote to memory of 1924 | 288 | 850E.exe | 45 (x4)
PID 288 wrote to memory of 1248 | 288 | 850E.exe | 47 (x4)
PID 288 wrote to memory of 1900 | 288 | 850E.exe | 49 (x4)
PID 1040 wrote to memory of 240 | 1040 | 915E.exe | 51
outlook_office_path 1 IoCs
description | ioc | Process
Key queried | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 21C2.exe
outlook_win_path 1 IoCs
description | ioc | Process
Key queried | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | 21C2.exe
Processes
C:\Users\Admin\AppData\Local\Temp\4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe"
  PID: 840
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\4446186b0133b453f35a839b841ba453377c9a5638c1d81ee2313bb3adc22aaf.exe"
      PID: 1784
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\25F8.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\25F8.exe
  PID: 1824
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Roaming\jretatj
  Command line: C:\Users\Admin\AppData\Roaming\jretatj
  PID: 1944
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\jretatj
      Command line: C:\Users\Admin\AppData\Roaming\jretatj
      PID: 1760
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: MapViewOfSection

C:\Users\Admin\AppData\Local\Temp\81B3.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\81B3.exe
  PID: 1280
  - Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\850E.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\850E.exe
  PID: 288
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\fpgzxbnd\
      PID: 840
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lsnejoah.exe" C:\Windows\SysWOW64\fpgzxbnd\
      PID: 1924
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" create fpgzxbnd binPath= "C:\Windows\SysWOW64\fpgzxbnd\lsnejoah.exe /d\"C:\Users\Admin\AppData\Local\Temp\850E.exe\"" type= own start= auto DisplayName= "wifi support"
      PID: 1248
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" description fpgzxbnd "wifi internet conection"
      PID: 1900
    C:\Windows\SysWOW64\sc.exe
      Command line: "C:\Windows\System32\sc.exe" start fpgzxbnd
      PID: 1132
    C:\Windows\SysWOW64\netsh.exe
      Command line: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      PID: 1916
C:\Users\Admin\AppData\Local\Temp\915E.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\915E.exe
  PID: 1040
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\915E.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\915E.exe
      PID: 240
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\B218.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\B218.exe
  PID: 1104
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\B218.exe" & exit
      PID: 1100
        C:\Windows\SysWOW64\timeout.exe
          Command line: timeout /t 5
          PID: 1892
          - Delays execution with timeout.exe
C:\Users\Admin\AppData\Local\Temp\CB82.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\CB82.exe
  PID: 908
  - Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 424
      PID: 920
      - Loads dropped DLL
      - Program crash
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  PID: 1632
  - Accesses Microsoft Outlook profiles

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
  PID: 1380
C:\Windows\SysWOW64\fpgzxbnd\lsnejoah.exe
  Command line: C:\Windows\SysWOW64\fpgzxbnd\lsnejoah.exe /d"C:\Users\Admin\AppData\Local\Temp\850E.exe"
  PID: 1632
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Windows\SysWOW64\svchost.exe
      Command line: svchost.exe
      PID: 472

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 1776
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Users\Admin\AppData\Local\Temp\21C2.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\21C2.exe
  PID: 1560
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  PID: 1676
  - Enumerates system info in registry
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef1fb4f50,0x7fef1fb4f60,0x7fef1fb4f70
      PID: 1588
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1316 /prefetch:8
      PID: 1772
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1148 /prefetch:2
      PID: 1956
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1736 /prefetch:8
      PID: 1512
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2112 /prefetch:1
      PID: 832
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2052 /prefetch:1
      PID: 1088
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
      PID: 2184
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1160 /prefetch:2
      PID: 2304
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2976 /prefetch:1
      PID: 2348
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3184 /prefetch:8
      PID: 2412
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3304 /prefetch:8
      PID: 2420
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3836 /prefetch:8
      PID: 2492
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3880 /prefetch:8
      PID: 2500
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3924 /prefetch:8
      PID: 2532
    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3908 /prefetch:8
      PID: 2524
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3896 /prefetch:82⤵PID:2516
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2472 /prefetch:82⤵PID:2508
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4456 /prefetch:82⤵PID:2712
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4228 /prefetch:82⤵PID:2756
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4340 /prefetch:82⤵PID:2764
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3920 /prefetch:82⤵PID:2748
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4264 /prefetch:82⤵PID:2856
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4196 /prefetch:82⤵PID:2864
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4316 /prefetch:82⤵PID:2924
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4320 /prefetch:82⤵PID:2968
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 /prefetch:82⤵PID:3004
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4476 /prefetch:82⤵PID:3020
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4528 /prefetch:82⤵PID:3012
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3756 /prefetch:82⤵PID:1916
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3736 /prefetch:82⤵PID:2276
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4632 /prefetch:82⤵PID:2444
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4136 /prefetch:82⤵PID:2420
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:12⤵PID:240
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:12⤵PID:2600
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4300 /prefetch:12⤵PID:2664
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:12⤵PID:2552
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2312 /prefetch:12⤵PID:2724
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2240 /prefetch:12⤵PID:2840
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2140 /prefetch:12⤵PID:2896
-
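The Chrome child processes above are mostly noise for an analyst reading this report, but they have to be checked rather than skipped: a process that is not chrome.exe, an unknown --type, or a utility service running with --service-sandbox-type=none that Chrome would normally sandbox is exactly what a loader hiding behind a browser would look like. The following Python is an added example, not part of this report or of Chrome; it parses entries in the fused form the page extraction produced (image path, quoted command line, tree-depth digit, expand glyph, PID:n), splits out the Chromium switches and summarises them. The five sample lines are copied from the tree above; the set of known Chrome process types and the set of services Chrome runs unsandboxed by design (chrome.mojom.UtilWin) are the author's assumptions and not taken from the page.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: five entries copied from the process tree in this report,
# in the fused form the page extraction produced (image path immediately followed
# by the quoted command line, then the tree-depth digit, the expand-arrow glyph
# and "PID:<n>").
SAMPLE_LINES = [
    r'C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2112 /prefetch:12⤵PID:832',
    r'C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:82⤵PID:2184',
    r'C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1160 /prefetch:22⤵PID:2304',
    r'C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4456 /prefetch:82⤵PID:2712',
    r'C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1060,5480953464975073264,15435427142781617129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 /prefetch:82⤵PID:3004',
]

# One fused report entry. Chrome's /prefetch argument is a single digit, which is
# what lets the trailing tree-depth digit be split off again.
ENTRY_RE = re.compile(
    r'^(?P<image>[^"]+)"(?P=image)"\s+'            # image path, then the same path quoted as argv[0]
    r'(?P<args>.*/prefetch:(?P<prefetch>\d))'      # command line up to and including /prefetch:N
    r'(?P<depth>\d)⤵PID:(?P<pid>\d+)$'             # tree depth, expand glyph, PID
)

# Assumption: process types Chrome launches itself on Windows (not exhaustive).
KNOWN_TYPES = {"renderer", "gpu-process", "utility", "crashpad-handler"}
# Assumption: utility services Chrome runs without a sandbox by design.
UNSANDBOXED_BY_DESIGN = {"chrome.mojom.UtilWin"}


@dataclass
class ChromeChild:
    pid: int
    depth: int
    prefetch: int
    image: str
    flags: dict  # "--key=value" switches; a bare "--switch" maps to ""

    @property
    def kind(self) -> str:
        return self.flags.get("type", "browser")

    @property
    def subtype(self):
        return self.flags.get("utility-sub-type")

    @property
    def sandbox(self):
        return self.flags.get("service-sandbox-type")


def parse_entry(line: str) -> ChromeChild:
    """Split one fused report line into PID, depth, prefetch class and switches."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised process entry: {line[:60]!r}")
    flags = {}
    for tok in m["args"].split():
        if tok.startswith("--"):
            key, _, value = tok[2:].partition("=")
            flags[key] = value
    return ChromeChild(int(m["pid"]), int(m["depth"]), int(m["prefetch"]), m["image"], flags)


def summarize(lines):
    """Parse all entries and tally them by process type, utility service and sandbox."""
    entries = [parse_entry(line) for line in lines]
    by_type = Counter(e.kind for e in entries)
    by_subtype = Counter(e.subtype for e in entries if e.subtype)
    unsandboxed = [(e.pid, e.subtype) for e in entries if e.sandbox == "none"]
    return entries, by_type, by_subtype, unsandboxed


def review(entries):
    """Return (pid, reason) for entries that do not look like a stock Chrome child."""
    findings = []
    for e in entries:
        if not e.image.lower().endswith(r"\chrome.exe"):
            findings.append((e.pid, f"image is not chrome.exe: {e.image}"))
        elif e.kind not in KNOWN_TYPES:
            findings.append((e.pid, f"unknown --type={e.kind}"))
        elif e.sandbox == "none" and e.subtype not in UNSANDBOXED_BY_DESIGN:
            findings.append((e.pid, f"unsandboxed utility service {e.subtype}"))
    return findings


if __name__ == "__main__":
    entries, by_type, by_subtype, unsandboxed = summarize(SAMPLE_LINES)
    print("by type:", dict(by_type))
    print("by utility service:", dict(by_subtype))
    print("unsandboxed:", unsandboxed)
    print("needs review:", review(entries) or "nothing unusual")
```

On the five sample entries the tally is one renderer, one gpu-process and three utility processes; the only entry without a sandbox is the chrome.mojom.UtilWin service (PID 3004), which the allow-list treats as expected, so review() returns nothing. Running it over the full tree above gives the same picture at scale (ten renderers, one GPU process, 24 utility processes) and is a quicker way to confirm that every child is a stock Chrome process type than reading 35 command lines by eye.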
Network
MITRE ATT&CK Enterprise v6
Persistence
    Modify Existing Service: 1
    New Service: 1
    Registry Run Keys / Startup Folder: 1
Defense Evasion
    Disabling Security Tools: 1
    Modify Registry: 2
    Virtualization/Sandbox Evasion: 1