formbook | 35295675b2fbd8ff9900336325e3324270f083705fd0cf51f4ef28763430cdd6

General

Target

INV21029.exe
Size

577KB
MD5

740dd9c14dea0b98df6ad434abfe789e
SHA1

cbec4d898e68c12fb7dcaddb17d0aca16e8e0e7b
SHA256

35295675b2fbd8ff9900336325e3324270f083705fd0cf51f4ef28763430cdd6
SHA512

66041e42091e83889a6da93c4242a01a0a3122774dc2db8baf909fb0ec6b0d6e847183ac92a24f2ca99f99de7dd4abddddda4a908887f354e3a333202bc0a66e

Score

10^/10

formbook xloader ahc8 discovery loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahc8

Decoy

192451.com

wwwripostes.net

sirikhalsalaw.com

bitterbaybay.com

stella-scrubs.com

almanecermezcal.com

goodgood.online

translate-now.online

sincerefilm.com

quadrantforensics.com

johnfrenchart.com

plick-click.com

alnileen.com

tghi.xyz

172711.com

maymakita.com

punnyaseva.com

ukash-online.com

sho-yururi-blog.com

hebergement-solidaire.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/784-62-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/1248-71-0x0000000000090000-0x00000000000B9000-memory.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MJBHC08P2TV = "C:\\Program Files (x86)\\Flnuxv\\autochkfbwtyxbp.exe"	rundll32.exe

Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

669 588 msiexec.exe
670 588 msiexec.exe
671 588 msiexec.exe
Downloads MZ/PE file

flow	pid	process
669	588	msiexec.exe
670	588	msiexec.exe
671	588	msiexec.exe

Executes dropped EXE 30 IoCs

Processes:

reqbqonire.exereqbqonire.exevpn_installer.exeautochkfbwtyxbp.exepython-3.10.2-amd64.exepython-3.10.2-amd64.exepythonw.exepython-3.7.5.exepython-3.7.5.exepython-3.7.5.exepython.exepython.exepip.exepython.exepip.exepython.exepip.exepython.exepip.exepython.exepip3.exepython.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exepip3.exepython.exepip3.exepython.exe

pid	process
588	reqbqonire.exe
784	reqbqonire.exe
1956	vpn_installer.exe
1576	autochkfbwtyxbp.exe
916	python-3.10.2-amd64.exe
1136	python-3.10.2-amd64.exe
3348	pythonw.exe
2328	python-3.7.5.exe
2704	python-3.7.5.exe
3164	python-3.7.5.exe
2576	python.exe
3384	python.exe
3304	pip.exe
2248	python.exe
3884	pip.exe
3652	python.exe
2716	pip.exe
932	python.exe
3892	pip.exe
3844	python.exe
2292	pip3.exe
3132	python.exe
3024	software_reporter_tool.exe
3648	software_reporter_tool.exe
1784	software_reporter_tool.exe
2624	software_reporter_tool.exe
2104	pip3.exe
1384	python.exe
3388	pip3.exe
4008	python.exe

Loads dropped DLL 64 IoCs

Processes:

INV21029.exereqbqonire.exevpn_installer.exeWerFault.exepython-3.10.2-amd64.exepython-3.10.2-amd64.exeExplorer.EXEpython-3.7.5.exepython-3.7.5.exeMsiExec.exepython.exepython.exepython.exepython.exe

pid	process
1996	INV21029.exe
588	reqbqonire.exe
1956	vpn_installer.exe
1956	vpn_installer.exe
1956	vpn_installer.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
916	python-3.10.2-amd64.exe
1136	python-3.10.2-amd64.exe
1280	Explorer.EXE
2328	python-3.7.5.exe
2704	python-3.7.5.exe
2704	python-3.7.5.exe
3200	MsiExec.exe
3200	MsiExec.exe
2576	python.exe
2576	python.exe
2576	python.exe
2576	python.exe
2576	python.exe
2576	python.exe
2576	python.exe
2576	python.exe
2576	python.exe
2576	python.exe
2576	python.exe
2576	python.exe
2576	python.exe
2576	python.exe
2576	python.exe
2576	python.exe
2576	python.exe
3384	python.exe
3384	python.exe
2248	python.exe
2248	python.exe
2248	python.exe
2248	python.exe
2248	python.exe
2248	python.exe
2248	python.exe
2248	python.exe
2248	python.exe
2248	python.exe
2248	python.exe
2248	python.exe
2248	python.exe
2248	python.exe
2248	python.exe
2248	python.exe
2248	python.exe
3652	python.exe
3652	python.exe
3652	python.exe
3652	python.exe
3652	python.exe
3652	python.exe
3652	python.exe
3652	python.exe
3652	python.exe
3652	python.exe
3652	python.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

python-3.7.5.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	python-3.7.5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\{06afccdd-1cb2-43eb-aeee-ac82e2915b8d} = "\"C:\\Users\\Admin\\AppData\\Local\\Package Cache\\{06afccdd-1cb2-43eb-aeee-ac82e2915b8d}\\python-3.7.5.exe\" /burn.runonce"	python-3.7.5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

reqbqonire.exereqbqonire.exerundll32.exe

description	pid	process	target process
PID 588 set thread context of 784	588	reqbqonire.exe	reqbqonire.exe
PID 784 set thread context of 1280	784	reqbqonire.exe	Explorer.EXE
PID 1248 set thread context of 1280	1248	rundll32.exe	Explorer.EXE

Drops file in Program Files directory 2 IoCs

Processes:

rundll32.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Flnuxv\autochkfbwtyxbp.exe	rundll32.exe
File created	C:\Program Files (x86)\Flnuxv\autochkfbwtyxbp.exe	Explorer.EXE

Drops file in Windows directory 64 IoCs

Processes:

msiexec.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\f7daf2b.ipi	msiexec.exe
File created	C:\Windows\Installer\f7daf30.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7daf33.msi	msiexec.exe
File created	C:\Windows\Installer\f7daf35.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7daf35.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7daf53.ipi	msiexec.exe
File created	C:\Windows\Installer\f7daf2b.ipi	msiexec.exe
File created	C:\Windows\Installer\f7daf53.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f7daf29.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF250.tmp	msiexec.exe
File created	C:\Windows\Installer\f7daf4b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1795.tmp	msiexec.exe
File created	C:\Windows\py.exe	msiexec.exe
File created	C:\Windows\pyshellext.amd64.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\f7daf51.msi	msiexec.exe
File created	C:\Windows\Installer\f7daf28.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\f7daf33.msi	msiexec.exe
File created	C:\Windows\Installer\f7daf3d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF704.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f7daf49.ipi	msiexec.exe
File created	C:\Windows\Installer\f7daf51.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI1F19.tmp	msiexec.exe
File created	C:\Windows\Installer\f7daf58.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1C.tmp	msiexec.exe
File created	C:\Windows\Installer\f7daf3c.msi	msiexec.exe
File created	C:\Windows\Installer\f7daf44.ipi	msiexec.exe
File created	C:\Windows\Installer\f7daf47.msi	msiexec.exe
File created	C:\Windows\Installer\f7daf2d.msi	msiexec.exe
File created	C:\Windows\Installer\f7daf3a.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7daf3d.msi	msiexec.exe
File created	C:\Windows\Installer\f7daf3f.ipi	msiexec.exe
File created	C:\Windows\Installer\f7daf42.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7daf47.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7daf2e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7daf38.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7daf29.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7daf30.ipi	msiexec.exe
File created	C:\Windows\Installer\f7daf41.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7daf4e.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1E9A.tmp	msiexec.exe
File created	C:\Windows\Installer\f7daf5a.msi	msiexec.exe
File created	C:\Windows\Installer\f7daf32.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDEDD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f7daf3a.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7daf3f.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7daf42.msi	msiexec.exe
File created	C:\Windows\Installer\f7daf4c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7daf4c.msi	msiexec.exe
File created	C:\Windows\Installer\{4E5F47AD-2588-4BE3-9DC2-0F9CD283A3DF}\ARPIcon	msiexec.exe
File created	C:\Windows\Installer\f7daf26.ipi	msiexec.exe
File created	C:\Windows\Installer\f7daf37.msi	msiexec.exe
File created	C:\Windows\Installer\f7daf46.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB513.tmp	msiexec.exe
File created	C:\Windows\Installer\f7daf4e.ipi	msiexec.exe
File created	C:\Windows\Installer\f7daf50.msi	msiexec.exe
File created	C:\Windows\Installer\f7daf38.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7daf24.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB8DD.tmp	msiexec.exe
File created	C:\Windows\Installer\f7daf2e.msi	msiexec.exe
File created	C:\Windows\Installer\f7daf49.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1780 1576 WerFault.exe autochkfbwtyxbp.exe

pid	pid_target	process	target process
1780	1576	WerFault.exe	autochkfbwtyxbp.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXEmshta.exemshta.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\Registry\User\S-1-5-21-1405931862-909307831-4085185274-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	rundll32.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

DrvInst.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe

Modifies registry class 64 IoCs

Processes:

Explorer.EXEpython-3.7.5.exemsiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\IconSize = "48"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupView = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Installer\Dependencies\{E9512FCB-B9F7-46B9-9EC8-CBCF70CB0FDE}\Version = "3.7.5150.0"	python-3.7.5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Installer\Dependencies\CPython-3.7-32\DisplayName = "Python 3.7.5 (32-bit)"	python-3.7.5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Installer\Dependencies\{FCE75ACE-7850-4A09-AB21-EB82F070E6DF}\DisplayName = "Python 3.7.5 Executables (32-bit)"	python-3.7.5.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Installer\Dependencies\{E9512FCB-B9F7-46B9-9EC8-CBCF70CB0FDE}\Dependents	python-3.7.5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\DA74F5E488523EB4D92CF0C92D383AFD	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{BEA218D2-6950-497B-9434-61683EC065FE}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Explorer.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.CompiledFile\ = "Compiled Python File"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConArchiveFile\shellex\DropHandler\ = "{BEA218D2-6950-497B-9434-61683EC065FE}"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Explorer.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\Python.CompiledFile	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pyz	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DA74F5E488523EB4D92CF0C92D383AFD\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{4E5F47AD-2588-4BE3-9DC2-0F9CD283A3DF}v3.7.6860.0\\"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Installer\Dependencies\{4730034C-1AE0-4D2E-8E11-3FBD5C28F826}\DisplayName = "Python 3.7.5 Add to Path (32-bit)"	python-3.7.5.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Installer\Dependencies\{4730034C-1AE0-4D2E-8E11-3FBD5C28F826}\Dependents	python-3.7.5.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Python.File\DefaultIcon	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.ArchiveFile\shell	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Rev = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Installer\Dependencies\{FCE75ACE-7850-4A09-AB21-EB82F070E6DF}\ = "{FCE75ACE-7850-4A09-AB21-EB82F070E6DF}"	python-3.7.5.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Python.File\Shell\editwithidle\shell\edit37-32\MUIVerb = "Edit with IDLE 3.7 (32-bit)"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pyc	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConArchiveFile\ = "Python Zip Application File (no console)"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BEA218D2-6950-497B-9434-61683EC065FE}	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DA74F5E488523EB4D92CF0C92D383AFD\Clients = 3a0000000000	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\Sort = 000000000000000000000000000000000200000030f125b7ef471a10a5f102608c9eebac0a0000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Installer\Dependencies\CPython-3.7-32\Dependents	python-3.7.5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Installer\Dependencies\{EDE18748-30A3-481E-8885-F7AC7B5CB982}\DisplayName = "Python 3.7.5 Standard Library (32-bit)"	python-3.7.5.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Installer\Dependencies\{1E41824B-B535-4859-A162-EE01229458EC}\Dependents\{06afccdd-1cb2-43eb-aeee-ac82e2915b8d}	python-3.7.5.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pyo	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f4225481e03947bc34db131e946b44c8dd50000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Installer\Dependencies\{E9512FCB-B9F7-46B9-9EC8-CBCF70CB0FDE}\Dependents\{06afccdd-1cb2-43eb-aeee-ac82e2915b8d}	python-3.7.5.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Python.NoConArchiveFile\shellex\DropHandler	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.NoConArchiveFile\shellex	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Python.File	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Installer\Dependencies\{1E41824B-B535-4859-A162-EE01229458EC}\ = "{1E41824B-B535-4859-A162-EE01229458EC}"	python-3.7.5.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Python.NoConFile\Shell\editwithidle\shell	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1092616193"	Explorer.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\Python.CompiledFile\DefaultIcon	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\FFlags = "18874369"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\FFlags = "1092616209"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Mode = "4"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:PID = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Python.CompiledFile\shell\open	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Installer\Dependencies\{5A48D02B-7A22-40B6-9D66-64518310F050}\DisplayName = "Python 3.7.5 pip Bootstrap (32-bit)"	python-3.7.5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pyz\Content Type = "application/x-zip-compressed"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 700032000000000000000000200076706e5f696e7374616c6c65722e7a697000500008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000760070006e005f0069006e007300740061006c006c00650072002e007a0069007000000020000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1405931862-909307831-4085185274-1000_CLASSES\Installer\Dependencies\CPython-3.7-32\ = "{06afccdd-1cb2-43eb-aeee-ac82e2915b8d}"	python-3.7.5.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 3 IoCs

Processes:

pip3.exepip3.exepip3.exe

pid process

2292 pip3.exe
2104 pip3.exe
3388 pip3.exe

pid	process
2292	pip3.exe
2104	pip3.exe
3388	pip3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

reqbqonire.exerundll32.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
784	reqbqonire.exe
784	reqbqonire.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1116	chrome.exe
1696	chrome.exe
1696	chrome.exe
1248	rundll32.exe
1248	rundll32.exe
2540	chrome.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
2128	chrome.exe
1248	rundll32.exe
2796	chrome.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
2216	chrome.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1696	chrome.exe
1696	chrome.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
2480	chrome.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
320	chrome.exe
2628	chrome.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe
1248	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1280 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

reqbqonire.exerundll32.exe

pid process

784 reqbqonire.exe
784 reqbqonire.exe
784 reqbqonire.exe
1248 rundll32.exe
1248 rundll32.exe
1248 rundll32.exe
1248 rundll32.exe

pid	process
1280	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

reqbqonire.exerundll32.exeExplorer.EXEAUDIODG.EXEWerFault.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	784	reqbqonire.exe
Token: SeDebugPrivilege	1248	rundll32.exe
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: 33	2864	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2864	AUDIODG.EXE
Token: 33	2864	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2864	AUDIODG.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeDebugPrivilege	1780	WerFault.exe
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exeExplorer.EXE

pid	process
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1280	Explorer.EXE
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exeExplorer.EXE

pid	process
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1696	chrome.exe
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

INV21029.exereqbqonire.exeExplorer.EXErundll32.exechrome.exe

description	pid	process	target process
PID 1996 wrote to memory of 588	1996	INV21029.exe	reqbqonire.exe
PID 1996 wrote to memory of 588	1996	INV21029.exe	reqbqonire.exe
PID 1996 wrote to memory of 588	1996	INV21029.exe	reqbqonire.exe
PID 1996 wrote to memory of 588	1996	INV21029.exe	reqbqonire.exe
PID 588 wrote to memory of 784	588	reqbqonire.exe	reqbqonire.exe
PID 588 wrote to memory of 784	588	reqbqonire.exe	reqbqonire.exe
PID 588 wrote to memory of 784	588	reqbqonire.exe	reqbqonire.exe
PID 588 wrote to memory of 784	588	reqbqonire.exe	reqbqonire.exe
PID 588 wrote to memory of 784	588	reqbqonire.exe	reqbqonire.exe
PID 588 wrote to memory of 784	588	reqbqonire.exe	reqbqonire.exe
PID 588 wrote to memory of 784	588	reqbqonire.exe	reqbqonire.exe
PID 1280 wrote to memory of 1248	1280	Explorer.EXE	rundll32.exe
PID 1280 wrote to memory of 1248	1280	Explorer.EXE	rundll32.exe
PID 1280 wrote to memory of 1248	1280	Explorer.EXE	rundll32.exe
PID 1280 wrote to memory of 1248	1280	Explorer.EXE	rundll32.exe
PID 1280 wrote to memory of 1248	1280	Explorer.EXE	rundll32.exe
PID 1280 wrote to memory of 1248	1280	Explorer.EXE	rundll32.exe
PID 1280 wrote to memory of 1248	1280	Explorer.EXE	rundll32.exe
PID 1248 wrote to memory of 1764	1248	rundll32.exe	cmd.exe
PID 1248 wrote to memory of 1764	1248	rundll32.exe	cmd.exe
PID 1248 wrote to memory of 1764	1248	rundll32.exe	cmd.exe
PID 1248 wrote to memory of 1764	1248	rundll32.exe	cmd.exe
PID 1280 wrote to memory of 1696	1280	Explorer.EXE	chrome.exe
PID 1280 wrote to memory of 1696	1280	Explorer.EXE	chrome.exe
PID 1280 wrote to memory of 1696	1280	Explorer.EXE	chrome.exe
PID 1696 wrote to memory of 852	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 852	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 852	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe
PID 1696 wrote to memory of 1044	1696	chrome.exe	chrome.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

rundll32.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	rundll32.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\INV21029.exe
"C:\Users\Admin\AppData\Local\Temp\INV21029.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe
C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe C:\Users\Admin\AppData\Local\Temp\truuumm
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:588

C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe
C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe C:\Users\Admin\AppData\Local\Temp\truuumm
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:784

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1248

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe"
3⤵
PID:1764

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7124f50,0x7fef7124f60,0x7fef7124f70
3⤵
PID:852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1248 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=928 /prefetch:2
3⤵
PID:1044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1772 /prefetch:8
3⤵
PID:1496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2052 /prefetch:1
3⤵
PID:632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2068 /prefetch:1
3⤵
PID:1916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2516 /prefetch:2
3⤵
PID:1652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2592 /prefetch:1
3⤵
PID:528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3260 /prefetch:8
3⤵
PID:600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3428 /prefetch:8
3⤵
PID:1088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
3⤵
PID:2056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2908 /prefetch:1
3⤵
PID:2148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2248 /prefetch:1
3⤵
PID:2216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2156 /prefetch:1
3⤵
PID:2224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3260 /prefetch:8
3⤵
PID:2424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3816 /prefetch:8
3⤵
PID:2432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3820 /prefetch:8
3⤵
PID:2496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3776 /prefetch:8
3⤵
PID:2504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3828 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3840 /prefetch:8
3⤵
PID:2576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3164 /prefetch:8
3⤵
PID:2612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3960 /prefetch:8
3⤵
PID:2652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3172 /prefetch:8
3⤵
PID:2716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3320 /prefetch:8
3⤵
PID:2724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3936 /prefetch:8
3⤵
PID:2788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
3⤵
PID:2824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
3⤵
PID:2860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
3⤵
PID:2924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1812 /prefetch:1
3⤵
PID:3004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2680 /prefetch:1
3⤵
PID:2064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2384 /prefetch:1
3⤵
PID:1640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
3⤵
PID:2152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2124 /prefetch:1
3⤵
PID:2488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
3⤵
PID:2520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
3⤵
PID:2648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2472 /prefetch:1
3⤵
PID:2700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:1
3⤵
PID:2840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4352 /prefetch:1
3⤵
PID:1852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
3⤵
PID:2860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
3⤵
PID:2980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1524 /prefetch:8
3⤵
PID:2244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4368 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
3⤵
PID:1032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4360 /prefetch:1
3⤵
PID:2284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2440 /prefetch:8
3⤵
PID:1232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4656 /prefetch:8
3⤵
PID:1548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2384 /prefetch:8
3⤵
PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2052 /prefetch:1
3⤵
PID:2696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
3⤵
PID:2848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3900 /prefetch:8
3⤵
PID:2740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3784 /prefetch:8
3⤵
PID:2340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1672 /prefetch:8
3⤵
PID:2540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
3⤵
PID:2276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
3⤵
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2704 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2676 /prefetch:1
3⤵
PID:2628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
3⤵
PID:2452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
3⤵
PID:3012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
3⤵
PID:1988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
3⤵
PID:840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5044 /prefetch:8
3⤵
PID:568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2732 /prefetch:1
3⤵
PID:1204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
3⤵
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
3⤵
PID:2548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
3⤵
PID:2432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
3⤵
PID:2112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
3⤵
PID:1620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
3⤵
PID:864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
3⤵
PID:3000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
3⤵
PID:2992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
3⤵
PID:2068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6008 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2444 /prefetch:1
3⤵
PID:2856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
3⤵
PID:1580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
3⤵
PID:3024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
3⤵
PID:3132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
3⤵
PID:3140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
3⤵
PID:3192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
3⤵
PID:3184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
3⤵
PID:3176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
3⤵
PID:3168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
3⤵
PID:3160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
3⤵
PID:3152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
3⤵
PID:3216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
3⤵
PID:3528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
3⤵
PID:3536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
3⤵
PID:3568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1
3⤵
PID:3560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1816 /prefetch:1
3⤵
PID:3552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1668 /prefetch:1
3⤵
PID:3544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1112,5055528999205071027,2750160474183666062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6964 /prefetch:8
3⤵
PID:4044

C:\Users\Admin\Desktop\vpn_installer.exe
"C:\Users\Admin\Desktop\vpn_installer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1956

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:3728

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\ClearStart.pcx
2⤵
PID:2248

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\ResolveMove.hta"
2⤵
- Modifies Internet Explorer settings
PID:3084

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\ResolveMove.hta"
2⤵
- Modifies Internet Explorer settings
PID:3056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
PID:2900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7124f50,0x7fef7124f60,0x7fef7124f70
3⤵
PID:2128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=992,13988950351926403693,845183095570131316,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1044 /prefetch:2
3⤵
PID:2372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=992,13988950351926403693,845183095570131316,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1316 /prefetch:8
3⤵
PID:3104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=992,13988950351926403693,845183095570131316,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1760 /prefetch:8
3⤵
PID:3572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,13988950351926403693,845183095570131316,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2080 /prefetch:1
3⤵
PID:3556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,13988950351926403693,845183095570131316,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2216 /prefetch:1
3⤵
PID:3788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,13988950351926403693,845183095570131316,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2088 /prefetch:1
3⤵
PID:3772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=992,13988950351926403693,845183095570131316,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2720 /prefetch:2
3⤵
PID:4052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,13988950351926403693,845183095570131316,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2832 /prefetch:1
3⤵
PID:1712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=992,13988950351926403693,845183095570131316,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3152 /prefetch:8
3⤵
PID:3312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=992,13988950351926403693,845183095570131316,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3480 /prefetch:8
3⤵
PID:2648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=992,13988950351926403693,845183095570131316,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3540 /prefetch:8
3⤵
PID:2076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=992,13988950351926403693,845183095570131316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4072 /prefetch:8
3⤵
PID:3364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,13988950351926403693,845183095570131316,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
3⤵
PID:3220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=992,13988950351926403693,845183095570131316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1816 /prefetch:8
3⤵
PID:1644

C:\Program Files (x86)\Flnuxv\autochkfbwtyxbp.exe
"C:\Program Files (x86)\Flnuxv\autochkfbwtyxbp.exe"
2⤵
- Executes dropped EXE
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 160
3⤵
- Loads dropped DLL
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
PID:960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7124f50,0x7fef7124f60,0x7fef7124f70
3⤵
PID:2224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1064 /prefetch:2
3⤵
PID:1532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1440 /prefetch:8
3⤵
PID:764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1712 /prefetch:8
3⤵
PID:3744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2312 /prefetch:1
3⤵
PID:3604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2152 /prefetch:1
3⤵
PID:3584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2040 /prefetch:1
3⤵
PID:2692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2032 /prefetch:2
3⤵
PID:2920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2832 /prefetch:1
3⤵
PID:1688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
3⤵
PID:1848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2916 /prefetch:1
3⤵
PID:1200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
3⤵
PID:1680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3576 /prefetch:8
3⤵
PID:992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2788 /prefetch:1
3⤵
PID:280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2696 /prefetch:1
3⤵
PID:2976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
3⤵
PID:820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
3⤵
PID:4024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3908 /prefetch:8
3⤵
PID:2396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
3⤵
PID:2092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
3⤵
PID:3428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3768 /prefetch:8
3⤵
PID:3916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3888 /prefetch:8
3⤵
PID:3964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3568 /prefetch:8
3⤵
PID:3972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:8
3⤵
PID:1788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2020 /prefetch:8
3⤵
PID:3204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2420 /prefetch:8
3⤵
PID:2164

C:\Users\Admin\Downloads\python-3.10.2-amd64.exe
"C:\Users\Admin\Downloads\python-3.10.2-amd64.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:916

C:\Windows\Temp\{831670C2-EE1C-4334-B20B-BAF3C7085C00}\.cr\python-3.10.2-amd64.exe
"C:\Windows\Temp\{831670C2-EE1C-4334-B20B-BAF3C7085C00}\.cr\python-3.10.2-amd64.exe" -burn.clean.room="C:\Users\Admin\Downloads\python-3.10.2-amd64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
3⤵
PID:3168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:8
3⤵
PID:3932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4436 /prefetch:8
3⤵
PID:3840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4448 /prefetch:8
3⤵
PID:3780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4084 /prefetch:8
3⤵
PID:3860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1760 /prefetch:8
3⤵
PID:4032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4440 /prefetch:8
3⤵
PID:3820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3552 /prefetch:8
3⤵
PID:3828

C:\Users\Admin\Downloads\python-3.7.5.exe
"C:\Users\Admin\Downloads\python-3.7.5.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2328

C:\Windows\Temp\{9EEA43A0-E03B-4352-B20C-04DE01389902}\.cr\python-3.7.5.exe
"C:\Windows\Temp\{9EEA43A0-E03B-4352-B20C-04DE01389902}\.cr\python-3.7.5.exe" -burn.clean.room="C:\Users\Admin\Downloads\python-3.7.5.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
PID:2704

C:\Windows\Temp\{5AFDA8CD-AAD5-4BD9-A1FE-B0B8CBBEEF6D}\.be\python-3.7.5.exe
"C:\Windows\Temp\{5AFDA8CD-AAD5-4BD9-A1FE-B0B8CBBEEF6D}\.be\python-3.7.5.exe" -q -burn.elevated BurnPipe.{31DEE98B-1E76-428D-A839-20BFFC389C39} {53724BD7-D130-406D-989F-B60043850A4E} 2704
5⤵
- Executes dropped EXE
PID:3164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1516 /prefetch:8
3⤵
PID:3416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2464 /prefetch:8
3⤵
PID:2788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1516 /prefetch:8
3⤵
PID:1112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2420 /prefetch:8
3⤵
PID:2056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2424 /prefetch:8
3⤵
PID:2448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
3⤵
PID:528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2372 /prefetch:8
3⤵
PID:2244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
3⤵
PID:2268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1528 /prefetch:8
3⤵
PID:2500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1532 /prefetch:8
3⤵
PID:3256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1040,9415940135403037573,15953306001850197569,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
3⤵
PID:3612

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\96.276.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=dkUYg6tDGYfO6aGJcrFtYnJ5jm9IH9XlKT6+h7LJ --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=NewCleanerUIExperiment
3⤵
- Executes dropped EXE
PID:3024

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=96.276.200 --initial-client-data=0x160,0x164,0x168,0x134,0x16c,0x13fc0f510,0x13fc0f520,0x13fc0f530
4⤵
- Executes dropped EXE
PID:3648

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_3024_SAOZOFHVAOOZWTUY" --sandboxed-process-id=2 --init-done-notifier=484 --sandbox-mojo-pipe-token=6649400331640964329 --mojo-platform-channel-handle=460 --engine=2
4⤵
- Executes dropped EXE
PID:1784

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\96.276.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_3024_SAOZOFHVAOOZWTUY" --sandboxed-process-id=3 --init-done-notifier=644 --sandbox-mojo-pipe-token=4497399351120162847 --mojo-platform-channel-handle=640
4⤵
- Executes dropped EXE
PID:2624

C:\Users\Admin\AppData\Local\Temp\Temp1_python-3.7.5-embed-amd64.zip\pythonw.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_python-3.7.5-embed-amd64.zip\pythonw.exe"
2⤵
- Executes dropped EXE
PID:3348

C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe"
2⤵
PID:3916

C:\Users\Admin\AppData\Local\Programs\Python\Python37-32\python.exe
"C:\Users\Admin\AppData\Local\Programs\Python\Python37-32\python.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3384

C:\Users\Admin\AppData\Local\Programs\Python\Python37-32\Scripts\pip.exe
"C:\Users\Admin\AppData\Local\Programs\Python\Python37-32\Scripts\pip.exe"
3⤵
- Executes dropped EXE
PID:3304

\??\c:\users\admin\appdata\local\programs\python\python37-32\python.exe
"c:\users\admin\appdata\local\programs\python\python37-32\python.exe" "C:\Users\Admin\AppData\Local\Programs\Python\Python37-32\Scripts\pip.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2248

C:\Users\Admin\AppData\Local\Programs\Python\Python37-32\Scripts\pip.exe
"C:\Users\Admin\AppData\Local\Programs\Python\Python37-32\Scripts\pip.exe" install git
3⤵
- Executes dropped EXE
PID:3884

\??\c:\users\admin\appdata\local\programs\python\python37-32\python.exe
"c:\users\admin\appdata\local\programs\python\python37-32\python.exe" "C:\Users\Admin\AppData\Local\Programs\Python\Python37-32\Scripts\pip.exe" install git
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3652

C:\Users\Admin\AppData\Local\Programs\Python\Python37-32\Scripts\pip.exe
"C:\Users\Admin\AppData\Local\Programs\Python\Python37-32\Scripts\pip.exe" install --upgrade
3⤵
- Executes dropped EXE
PID:2716

\??\c:\users\admin\appdata\local\programs\python\python37-32\python.exe
"c:\users\admin\appdata\local\programs\python\python37-32\python.exe" "C:\Users\Admin\AppData\Local\Programs\Python\Python37-32\Scripts\pip.exe" install --upgrade
4⤵
- Executes dropped EXE
PID:932

C:\Users\Admin\AppData\Local\Programs\Python\Python37-32\Scripts\pip.exe
"C:\Users\Admin\AppData\Local\Programs\Python\Python37-32\Scripts\pip.exe"
3⤵
- Executes dropped EXE
PID:3892

\??\c:\users\admin\appdata\local\programs\python\python37-32\python.exe
"c:\users\admin\appdata\local\programs\python\python37-32\python.exe" "C:\Users\Admin\AppData\Local\Programs\Python\Python37-32\Scripts\pip.exe"
4⤵
- Executes dropped EXE
PID:3844

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
2⤵
PID:808

C:\Users\Admin\AppData\Local\Programs\Python\Python37-32\Scripts\pip3.exe
pip3
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2292

\??\c:\users\admin\appdata\local\programs\python\python37-32\python.exe
"c:\users\admin\appdata\local\programs\python\python37-32\python.exe" "C:\Users\Admin\AppData\Local\Programs\Python\Python37-32\Scripts\pip3.exe"
4⤵
- Executes dropped EXE
PID:3132

C:\Users\Admin\AppData\Local\Programs\Python\Python37-32\Scripts\pip3.exe
pip3 install
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2104

\??\c:\users\admin\appdata\local\programs\python\python37-32\python.exe
"c:\users\admin\appdata\local\programs\python\python37-32\python.exe" "C:\Users\Admin\AppData\Local\Programs\Python\Python37-32\Scripts\pip3.exe" install
4⤵
- Executes dropped EXE
PID:1384

C:\Users\Admin\AppData\Local\Programs\Python\Python37-32\Scripts\pip3.exe
pip3 install git
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3388

\??\c:\users\admin\appdata\local\programs\python\python37-32\python.exe
"c:\users\admin\appdata\local\programs\python\python37-32\python.exe" "C:\Users\Admin\AppData\Local\Programs\Python\Python37-32\Scripts\pip3.exe" install git
4⤵
- Executes dropped EXE
PID:4008

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x40c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4056

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D8" "00000000000004D8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2724

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:588

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D03205A1186EAA244D85ADE1D01CC271
2⤵
- Loads dropped DLL
PID:3200

C:\Users\Admin\AppData\Local\Programs\Python\Python37-32\python.exe
"C:\Users\Admin\AppData\Local\Programs\Python\Python37-32\python.exe" -E -s -m ensurepip -U --default-pip
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

T1060

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1djuqculeikkmhtz2x2
MD5
199f72b6103b1ad570f3a810d06c332a

SHA1
43b9341301394deec3c674cf98fc3c6cc629ee2b

SHA256
a61bbd1659ba2338fe6e4df411d709834285b54991c403ba07bc9459af5320fc

SHA512
0ce6be58193b0bcdccd003218597ce8f6bd0de35563c32d28c2e111903445f12ece5fa0a536dd2b79153b9c265c10a6ec17f8ef67b11edb95d155c0f502adeb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe
MD5
b83e207b80ad38dccaf5b38b9a64cf97

SHA1
a28cba27c256021902f8150d47ced82565bb8558

SHA256
97658ad1a093a80ac9f16949b1971079bbdddc8cdd3515bb681b821203794741

SHA512
190ee397a064ca8caf6e0625a79ab764d7bae84007790b2157804f9ae2f16454d430c17402b4d7df76ce5cdea24b3f56d2298c56a5a38215fd9a65fb8e68e0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe
MD5
b83e207b80ad38dccaf5b38b9a64cf97

SHA1
a28cba27c256021902f8150d47ced82565bb8558

SHA256
97658ad1a093a80ac9f16949b1971079bbdddc8cdd3515bb681b821203794741

SHA512
190ee397a064ca8caf6e0625a79ab764d7bae84007790b2157804f9ae2f16454d430c17402b4d7df76ce5cdea24b3f56d2298c56a5a38215fd9a65fb8e68e0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe
MD5
b83e207b80ad38dccaf5b38b9a64cf97

SHA1
a28cba27c256021902f8150d47ced82565bb8558

SHA256
97658ad1a093a80ac9f16949b1971079bbdddc8cdd3515bb681b821203794741

SHA512
190ee397a064ca8caf6e0625a79ab764d7bae84007790b2157804f9ae2f16454d430c17402b4d7df76ce5cdea24b3f56d2298c56a5a38215fd9a65fb8e68e0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\truuumm
MD5
0a99632c69bc8d3fe6231d0a50bff785

SHA1
ad875f4428f17d0474be5ee8667158bd14d10f22

SHA256
0a11eae20268581b0ad9c67defaf1a4dc4bf183ede922eca10c5da698eec8078

SHA512
93905216a40975163edfcc94cf3c55c40a27e4cf7143d028ef6c5caead6ceaaa1504bd4c5a05d043d61be3df08991ea7e1e8c98cdfafd9d8744ccacdc5d7de2f

Download Submit
\??\pipe\crashpad_1696_SJWHTGGDMHAHPHNS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\reqbqonire.exe
MD5
b83e207b80ad38dccaf5b38b9a64cf97

SHA1
a28cba27c256021902f8150d47ced82565bb8558

SHA256
97658ad1a093a80ac9f16949b1971079bbdddc8cdd3515bb681b821203794741

SHA512
190ee397a064ca8caf6e0625a79ab764d7bae84007790b2157804f9ae2f16454d430c17402b4d7df76ce5cdea24b3f56d2298c56a5a38215fd9a65fb8e68e0a6

Download Submit
\Users\Admin\AppData\Local\Temp\reqbqonire.exe
MD5
b83e207b80ad38dccaf5b38b9a64cf97

SHA1
a28cba27c256021902f8150d47ced82565bb8558

SHA256
97658ad1a093a80ac9f16949b1971079bbdddc8cdd3515bb681b821203794741

SHA512
190ee397a064ca8caf6e0625a79ab764d7bae84007790b2157804f9ae2f16454d430c17402b4d7df76ce5cdea24b3f56d2298c56a5a38215fd9a65fb8e68e0a6

Download Submit
memory/784-65-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/784-62-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/784-66-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/784-67-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/1136-96-0x0000000073B71000-0x0000000073B73000-memory.dmp

Filesize
8KB

Download
memory/1248-73-0x0000000001EA0000-0x0000000001F30000-memory.dmp

Filesize
576KB

Download
memory/1248-72-0x0000000002030000-0x0000000002333000-memory.dmp

Filesize
3.0MB

Download
memory/1248-70-0x0000000000900000-0x000000000090E000-memory.dmp

Filesize
56KB

Download
memory/1248-71-0x0000000000090000-0x00000000000B9000-memory.dmp

Filesize
164KB

Download
memory/1280-68-0x0000000004680000-0x0000000004782000-memory.dmp

Filesize
1.0MB

Download
memory/1280-74-0x0000000006370000-0x0000000006422000-memory.dmp

Filesize
712KB

Download
memory/1780-84-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1956-77-0x0000000000370000-0x00000000003D0000-memory.dmp

Filesize
384KB

Download
memory/1996-54-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download
memory/2204-86-0x000007FEEE5C0000-0x000007FEEF11D000-memory.dmp

Filesize
11.4MB

Download
memory/2204-87-0x000007FEF36FE000-0x000007FEF36FF000-memory.dmp

Filesize
4KB

Download
memory/2204-88-0x00000000024B0000-0x00000000024B2000-memory.dmp

Filesize
8KB

Download
memory/2204-89-0x00000000024B2000-0x00000000024B4000-memory.dmp

Filesize
8KB

Download
memory/2204-90-0x00000000024B4000-0x00000000024B7000-memory.dmp

Filesize
12KB

Download
memory/2204-91-0x000000001B7B0000-0x000000001BAAF000-memory.dmp

Filesize
3.0MB

Download
memory/2204-92-0x00000000024BB000-0x00000000024DA000-memory.dmp

Filesize
124KB

Download
memory/2204-93-0x00000000024DC000-0x00000000024DD000-memory.dmp

Filesize
4KB

Download
memory/2704-99-0x0000000073B11000-0x0000000073B13000-memory.dmp

Filesize
8KB

Download
memory/3728-78-0x000007FEFC231000-0x000007FEFC233000-memory.dmp

Filesize
8KB

Download
memory/3916-104-0x000007FEED6E0000-0x000007FEEE23D000-memory.dmp

Filesize
11.4MB

Download
memory/3916-105-0x0000000002820000-0x0000000002822000-memory.dmp

Filesize
8KB

Download
memory/3916-106-0x0000000002822000-0x0000000002824000-memory.dmp

Filesize
8KB

Download
memory/3916-107-0x0000000002824000-0x0000000002827000-memory.dmp

Filesize
12KB

Download
memory/3916-108-0x000000000282B000-0x000000000284A000-memory.dmp

Filesize
124KB

Download
memory/3916-109-0x000000000284C000-0x000000000284D000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads