hxxps://dropmefiles[.]com/DJ8ju

Analysis

max time kernel
436s
max time network
453s
platform
windows10_x64
resource
win10-en-20211208
submitted
20-02-2022 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dropmefiles.com/DJ8ju

Score

9^/10

evasion themida trojan vmprotect

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 2 IoCs

Processes:

Nemesis.exeAAA.exe

pid process

1224 Nemesis.exe
4916 AAA.exe

pid	process
1224	Nemesis.exe
4916	AAA.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Release\AAA.exe	vmprotect
C:\Users\Admin\Desktop\Release\AAA.exe	vmprotect
behavioral1/memory/4916-136-0x0000000000B70000-0x000000000145C000-memory.dmp	vmprotect
behavioral1/memory/4916-137-0x0000000000B70000-0x000000000145C000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AAA.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AAA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AAA.exe

Loads dropped DLL 1 IoCs

Processes:

Nemesis.exe

pid process

1224 Nemesis.exe

pid	process
1224	Nemesis.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Release\AAA.exe	themida
C:\Users\Admin\Desktop\Release\AAA.exe	themida
behavioral1/memory/4916-136-0x0000000000B70000-0x000000000145C000-memory.dmp	themida
behavioral1/memory/4916-137-0x0000000000B70000-0x000000000145C000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

AAA.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA AAA.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AAA.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 36 IoCs

Processes:

Nemesis.exechrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Nemesis.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Nemesis.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Nemesis.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Nemesis.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Nemesis.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Nemesis.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Nemesis.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Nemesis.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Nemesis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Nemesis.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	Nemesis.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	Nemesis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Nemesis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	Nemesis.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Nemesis.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	Nemesis.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	Nemesis.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	Nemesis.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Nemesis.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 56003100000000005454606c100052656c6561736500400009000400efbe54544c6c5454606c2e0000000fae010000000600000000000000000000000000000086e6d800520065006c006500610073006500000016000000	Nemesis.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	Nemesis.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Nemesis.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	Nemesis.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\NodeSlot = "4"	Nemesis.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Nemesis.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	Nemesis.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Nemesis.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Nemesis.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Nemesis.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Nemesis.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Nemesis.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Nemesis.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Nemesis.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Nemesis.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = ffffffff	Nemesis.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeNemesis.exeAAA.exechrome.exechrome.exechrome.exe

pid	process
3808	chrome.exe
3808	chrome.exe
5092	chrome.exe
5092	chrome.exe
416	chrome.exe
416	chrome.exe
1376	chrome.exe
1376	chrome.exe
2860	chrome.exe
2860	chrome.exe
3136	chrome.exe
3136	chrome.exe
1212	chrome.exe
1212	chrome.exe
3324	chrome.exe
3324	chrome.exe
4076	chrome.exe
4076	chrome.exe
3800	chrome.exe
3800	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
4948	chrome.exe
1224	Nemesis.exe
4916	AAA.exe
4916	AAA.exe
4916	AAA.exe
1224	Nemesis.exe
1772	chrome.exe
1772	chrome.exe
1112	chrome.exe
1112	chrome.exe
1312	chrome.exe
1312	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Nemesis.exe

pid process

1224 Nemesis.exe

pid	process
1224	Nemesis.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

Processes:

chrome.exe

pid	process
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

7zFM.exeNemesis.exeAAA.exe7zFM.exe7zG.exe

description	pid	process
Token: SeRestorePrivilege	4576	7zFM.exe
Token: 35	4576	7zFM.exe
Token: SeSecurityPrivilege	4576	7zFM.exe
Token: SeDebugPrivilege	1224	Nemesis.exe
Token: SeDebugPrivilege	4916	AAA.exe
Token: SeRestorePrivilege	5020	7zFM.exe
Token: 35	5020	7zFM.exe
Token: SeRestorePrivilege	2340	7zG.exe
Token: 35	2340	7zG.exe
Token: SeSecurityPrivilege	2340	7zG.exe
Token: SeSecurityPrivilege	2340	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe7zFM.exe7zFM.exe7zG.exe

pid	process
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
4576	7zFM.exe
4576	7zFM.exe
5020	7zFM.exe
2340	7zG.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe

Suspicious use of SendNotifyMessage 38 IoCs

Processes:

chrome.exe

pid	process
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe
5092	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AAA.exeNemesis.exe

pid process

4916 AAA.exe
1224 Nemesis.exe

pid	process
4916	AAA.exe
1224	Nemesis.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 5092 wrote to memory of 5104	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 5104	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3392	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3808	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 3808	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 1792	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 1792	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 1792	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 1792	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 1792	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 1792	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 1792	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 1792	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 1792	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 1792	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 1792	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 1792	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 1792	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 1792	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 1792	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 1792	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 1792	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 1792	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 1792	5092	chrome.exe	chrome.exe
PID 5092 wrote to memory of 1792	5092	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://dropmefiles.com/DJ8ju
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff862b54f50,0x7ff862b54f60,0x7ff862b54f70
2⤵
PID:5104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1528 /prefetch:2
2⤵
PID:3392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1760 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2288 /prefetch:8
2⤵
PID:1792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1552 /prefetch:1
2⤵
PID:3500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2844 /prefetch:1
2⤵
PID:4092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4128 /prefetch:8
2⤵
PID:4384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4284 /prefetch:1
2⤵
PID:3280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
2⤵
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5852 /prefetch:8
2⤵
PID:916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5380 /prefetch:8
2⤵
PID:1232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5484 /prefetch:8
2⤵
PID:1424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5408 /prefetch:8
2⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4912 /prefetch:8
2⤵
PID:1788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4888 /prefetch:8
2⤵
PID:2200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5404 /prefetch:8
2⤵
PID:2364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5148 /prefetch:8
2⤵
PID:2608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
2⤵
PID:4076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
2⤵
PID:3904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2880 /prefetch:1
2⤵
PID:4804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2860 /prefetch:1
2⤵
PID:4812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
2⤵
PID:4860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
2⤵
PID:4900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2932 /prefetch:1
2⤵
PID:5064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
2⤵
PID:5052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
2⤵
PID:3952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
2⤵
PID:348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5124 /prefetch:8
2⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4524 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5868 /prefetch:8
2⤵
PID:1780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
2⤵
PID:1288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
2⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
2⤵
PID:4764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4164 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4836 /prefetch:8
2⤵
PID:4352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5116 /prefetch:8
2⤵
PID:2676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5248 /prefetch:8
2⤵
PID:2480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4124 /prefetch:8
2⤵
PID:4880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2252 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6016 /prefetch:8
2⤵
PID:3148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4984 /prefetch:8
2⤵
PID:4400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4984 /prefetch:8
2⤵
PID:4036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6096 /prefetch:8
2⤵
PID:1664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4520 /prefetch:8
2⤵
PID:2592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
2⤵
PID:2052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5412 /prefetch:8
2⤵
PID:1444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2516 /prefetch:8
2⤵
PID:4140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4544 /prefetch:8
2⤵
PID:3324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3236 /prefetch:8
2⤵
PID:4168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5412 /prefetch:8
2⤵
PID:4592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6116 /prefetch:8
2⤵
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4792 /prefetch:8
2⤵
PID:4324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4696 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
2⤵
PID:3088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
2⤵
PID:1444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2948 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
2⤵
PID:1668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1420,17518557072418238186,14525321722885114143,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
2⤵
PID:4768

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4272

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Release.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4576

C:\Users\Admin\Desktop\Release\Nemesis.exe
"C:\Users\Admin\Desktop\Release\Nemesis.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1224

C:\Users\Admin\Desktop\Release\AAA.exe
"C:\Users\Admin\Desktop\Release\AAA.exe"
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4916

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Release\AAA_dump.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5020

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap8408:68:7zEvent4424 -ad -saa -- "C:\Users\Admin\Desktop\Release\1"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\Release\AAA.exe

MD5
24f0b0f4ad4c75433cdfdfc34a997299

SHA1
2617a89f20fa0766f510e74c1da9df2d6680e1f9

SHA256
2042197da141d1004fdc2d00413c3d35cf5c14b99964cfb4540b5bd790bd3e3f

SHA512
924edbcd86678f14e984a9fc6738d4b72be45bc3304e913347dbcb73acc6d34d23f47c3875dd33504dd86875ea663559b148e9dca7cbf1f485a9ab8ff211474d

Download Submit
C:\Users\Admin\Desktop\Release\AAA.exe

MD5
24f0b0f4ad4c75433cdfdfc34a997299

SHA1
2617a89f20fa0766f510e74c1da9df2d6680e1f9

SHA256
2042197da141d1004fdc2d00413c3d35cf5c14b99964cfb4540b5bd790bd3e3f

SHA512
924edbcd86678f14e984a9fc6738d4b72be45bc3304e913347dbcb73acc6d34d23f47c3875dd33504dd86875ea663559b148e9dca7cbf1f485a9ab8ff211474d

Download Submit
C:\Users\Admin\Desktop\Release\ExtremeDumper-x86.exe

MD5
b0263ec13f0334d4414df2155470071f

SHA1
69eb3d09640fe8820b0ffb26e71a4689dabde89a

SHA256
7b56b972b734ff9b60c6dbea340a7d4977d9d60f9f86b40a37125a9afa0cb356

SHA512
bd085d6ff5820e12ad40187b5518e25f2b0e4b44a9b7ad9acc37b8016866ef0dc3b8f50e07bddd5f4bbf155aa812cdf677ae170487ad753c49bdd1e6541e0185

Download Submit
C:\Users\Admin\Desktop\Release\ExtremeDumper.exe

MD5
ca49c13bcbe96f09a3bdd5dbab11f339

SHA1
e466d055f77297cadd0e6dbaf3b48de7066e8a95

SHA256
cc4a8e0e974efacc458dadeabff37ab9bd33579149ff4a5f3ecabf1518ca4b7c

SHA512
3ad08ffed32365f452183a2d4205557a1f00b4ce94ca5a1e287b641b5f70004204662489eb6cd19b43a691f51de84774091136e96717a1ceb86b72c7fce5c399

Download Submit
C:\Users\Admin\Desktop\Release\MetroFramework.Fonts.dll

MD5
65ef4b23060128743cef937a43b82aa3

SHA1
cc72536b84384ec8479b9734b947dce885ef5d31

SHA256
c843869aaca5135c2d47296985f35c71ca8af4431288d04d481c4e46cc93ee26

SHA512
d06690f9aac0c6500aed387f692b3305dfc0708b08fc2f27eaa44b108908ccd8267b07f8fb8608eef5c803039caeabf8f88a18b7e5b1d850f32bbb72bcd3b0b7

Download Submit
C:\Users\Admin\Desktop\Release\MetroFramework.dll

MD5
34ea7f7d66563f724318e322ff08f4db

SHA1
d0aa8038a92eb43def2fffbbf4114b02636117c5

SHA256
c2c12d31b4844e29de31594fc9632a372a553631de0a0a04c8af91668e37cf49

SHA512
dceb1f9435b9479f6aea9b0644ba8c46338a7f458c313822a9d9b3266d79af395b9b2797ed3217c7048db8b22955ec6fe8b0b1778077fa1de587123ad9e6b148

Download Submit
C:\Users\Admin\Desktop\Release\Nemesis.dll

MD5
cb105d3e5eb5a8f6ecedb6d8f4b757a1

SHA1
16f7830713eac8874bd04db23bed21c4197613ff

SHA256
55db85679a03270f13c82afac7c09d61743b087c7337297ffd77a27d393a5f8e

SHA512
d282bbc66eac7102cebf6bdefa1ed44874a3759f234116efb1f9bbaf1eab84f55cbab9b91fe76e64a5b332f5cdcef6658db6626b51a81179d72fc5a650ed9f07

Download Submit
C:\Users\Admin\Desktop\Release\Nemesis.exe

MD5
9635d5391c79b7dd9836211e7782bd95

SHA1
5b611f7014ec17a2ded672a7c9f9c3cf32ba88cf

SHA256
c794abac9761a004f8c2821fa745591d2bd641380fb17d020f6452f0a6b24328

SHA512
66ae80c2d89eb8cc865562423f84992d155f8204e19c8b079de4265a1550ad4e857debbb1ef0c32489f0049692a4be649b56291aa2064ab0f312ab5cc373366b

Download Submit
C:\Users\Admin\Desktop\Release\Nemesis.exe

MD5
9635d5391c79b7dd9836211e7782bd95

SHA1
5b611f7014ec17a2ded672a7c9f9c3cf32ba88cf

SHA256
c794abac9761a004f8c2821fa745591d2bd641380fb17d020f6452f0a6b24328

SHA512
66ae80c2d89eb8cc865562423f84992d155f8204e19c8b079de4265a1550ad4e857debbb1ef0c32489f0049692a4be649b56291aa2064ab0f312ab5cc373366b

Download Submit
\??\pipe\crashpad_5092_AWJHZJETVMUEGCFE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\Desktop\Release\Nemesis.dll

MD5
cb105d3e5eb5a8f6ecedb6d8f4b757a1

SHA1
16f7830713eac8874bd04db23bed21c4197613ff

SHA256
55db85679a03270f13c82afac7c09d61743b087c7337297ffd77a27d393a5f8e

SHA512
d282bbc66eac7102cebf6bdefa1ed44874a3759f234116efb1f9bbaf1eab84f55cbab9b91fe76e64a5b332f5cdcef6658db6626b51a81179d72fc5a650ed9f07

Download Submit
memory/1224-123-0x00007FF856B73000-0x00007FF856B74000-memory.dmp

Filesize
4KB

Download
memory/1224-124-0x0000025333210000-0x0000025333212000-memory.dmp

Filesize
8KB

Download
memory/1224-127-0x0000025333212000-0x0000025333214000-memory.dmp

Filesize
8KB

Download
memory/1224-128-0x0000025333215000-0x0000025333217000-memory.dmp

Filesize
8KB

Download
memory/1224-129-0x0000025333214000-0x0000025333215000-memory.dmp

Filesize
4KB

Download
memory/1224-130-0x0000025333217000-0x0000025333219000-memory.dmp

Filesize
8KB

Download
memory/1224-122-0x0000025334F30000-0x0000025334FDA000-memory.dmp

Filesize
680KB

Download
memory/1224-120-0x0000025331FE0000-0x0000025332002000-memory.dmp

Filesize
136KB

Download
memory/1224-117-0x0000025317BF0000-0x0000025317C00000-memory.dmp

Filesize
64KB

Download
memory/1224-119-0x0000025317FA0000-0x0000025317FFC000-memory.dmp

Filesize
368KB

Download
memory/1224-154-0x0000025333219000-0x000002533321F000-memory.dmp

Filesize
24KB

Download
memory/4916-138-0x0000000074916000-0x0000000074917000-memory.dmp

Filesize
4KB

Download
memory/4916-149-0x0000000005F60000-0x0000000005F61000-memory.dmp

Filesize
4KB

Download
memory/4916-136-0x0000000000B70000-0x000000000145C000-memory.dmp

Filesize
8.9MB

Download
memory/4916-139-0x000000007323E000-0x000000007323F000-memory.dmp

Filesize
4KB

Download
memory/4916-140-0x0000000003470000-0x0000000003482000-memory.dmp

Filesize
72KB

Download
memory/4916-145-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/4916-146-0x0000000005D80000-0x0000000005E12000-memory.dmp

Filesize
584KB

Download
memory/4916-147-0x0000000006320000-0x000000000681E000-memory.dmp

Filesize
5.0MB

Download
memory/4916-148-0x0000000005E90000-0x0000000005EF6000-memory.dmp

Filesize
408KB

Download
memory/4916-137-0x0000000000B70000-0x000000000145C000-memory.dmp

Filesize
8.9MB

Download
memory/4916-150-0x0000000006B60000-0x0000000006B9E000-memory.dmp

Filesize
248KB

Download
memory/4916-151-0x0000000005F63000-0x0000000005F65000-memory.dmp

Filesize
8KB

Download
memory/4916-152-0x0000000005F65000-0x0000000005F66000-memory.dmp

Filesize
4KB

Download
memory/4916-153-0x0000000005F66000-0x0000000005F67000-memory.dmp

Filesize
4KB

Download
memory/4916-135-0x0000000074916000-0x0000000074917000-memory.dmp

Filesize
4KB

Download
memory/4916-134-0x0000000073CE6000-0x0000000073CE7000-memory.dmp

Filesize
4KB

Download
memory/4916-133-0x0000000073CE6000-0x0000000073CE7000-memory.dmp

Filesize
4KB

Download