f3360f4841b3f4ed6e6c7d42315248473002bcd4f7262db1c813d6074b50240e

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2022 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe
Size

3.0MB
MD5

c9bfd91a0597d00185737ce65a753be9
SHA1

2658367b5f88891d970392f153595fdb87bdec91
SHA256

f3360f4841b3f4ed6e6c7d42315248473002bcd4f7262db1c813d6074b50240e
SHA512

aa458b785e7f417fd07ee007f96bd290c526e1a4ed22d1cccd713179ec3f8ee2ff81303036c45a4a92b012b3094e06a773a79fad1b1dc9dd390e0711d5ee2236
SSDEEP

49152:axTtE+G757NEqpmvgIMwoUNZq2aLOed/zc7NLD5O7OpJwHMMvKIDYE+pERcPE645:ayFH0Zoywqeta15OapGsMDupERmEtVUQ

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
488	map.exe
4624	cmddd.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\lViiqXTxJJTAAtYZAjKm\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\lViiqXTxJJTAAtYZAjKm"	map.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/4788-132-0x00007FF73C730000-0x00007FF73CF7D000-memory.dmp	themida
behavioral2/memory/4788-146-0x00007FF73C730000-0x00007FF73CF7D000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\cmddd.exe	ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe
File created	C:\Windows\System32\Driver.sys	ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe
File created	C:\Windows\System32\map.exe	ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4788	ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4464	chrome.exe
4464	chrome.exe
3204	chrome.exe
3204	chrome.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
1048	chrome.exe
1048	chrome.exe
4624	cmddd.exe
4624	cmddd.exe
4308	chrome.exe
4308	chrome.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe
4624	cmddd.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
488	map.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	488	map.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 4588	4788	ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe	82
PID 4788 wrote to memory of 4588	4788	ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe	82
PID 4588 wrote to memory of 488	4588	cmd.exe	83
PID 4588 wrote to memory of 488	4588	cmd.exe	83
PID 4788 wrote to memory of 3112	4788	ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe	84
PID 4788 wrote to memory of 3112	4788	ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe	84
PID 3112 wrote to memory of 4624	3112	cmd.exe	85
PID 3112 wrote to memory of 4624	3112	cmd.exe	85
PID 4624 wrote to memory of 4784	4624	cmddd.exe	86
PID 4624 wrote to memory of 4784	4624	cmddd.exe	86
PID 4624 wrote to memory of 4060	4624	cmddd.exe	87
PID 4624 wrote to memory of 4060	4624	cmddd.exe	87
PID 4624 wrote to memory of 4668	4624	cmddd.exe	88
PID 4624 wrote to memory of 4668	4624	cmddd.exe	88
PID 4624 wrote to memory of 2056	4624	cmddd.exe	89
PID 4624 wrote to memory of 2056	4624	cmddd.exe	89
PID 4624 wrote to memory of 4336	4624	cmddd.exe	90
PID 4624 wrote to memory of 4336	4624	cmddd.exe	90
PID 4624 wrote to memory of 3148	4624	cmddd.exe	91
PID 4624 wrote to memory of 3148	4624	cmddd.exe	91
PID 4624 wrote to memory of 2288	4624	cmddd.exe	92
PID 4624 wrote to memory of 2288	4624	cmddd.exe	92
PID 4624 wrote to memory of 1776	4624	cmddd.exe	93
PID 4624 wrote to memory of 1776	4624	cmddd.exe	93
PID 4624 wrote to memory of 4016	4624	cmddd.exe	94
PID 4624 wrote to memory of 4016	4624	cmddd.exe	94
PID 4624 wrote to memory of 3452	4624	cmddd.exe	95
PID 4624 wrote to memory of 3452	4624	cmddd.exe	95
PID 4624 wrote to memory of 4556	4624	cmddd.exe	96
PID 4624 wrote to memory of 4556	4624	cmddd.exe	96
PID 4624 wrote to memory of 2036	4624	cmddd.exe	97
PID 4624 wrote to memory of 2036	4624	cmddd.exe	97
PID 4624 wrote to memory of 3316	4624	cmddd.exe	100
PID 4624 wrote to memory of 3316	4624	cmddd.exe	100
PID 4624 wrote to memory of 4984	4624	cmddd.exe	103
PID 4624 wrote to memory of 4984	4624	cmddd.exe	103
PID 4624 wrote to memory of 2848	4624	cmddd.exe	104
PID 4624 wrote to memory of 2848	4624	cmddd.exe	104
PID 4624 wrote to memory of 816	4624	cmddd.exe	106
PID 4624 wrote to memory of 816	4624	cmddd.exe	106
PID 4624 wrote to memory of 444	4624	cmddd.exe	108
PID 4624 wrote to memory of 444	4624	cmddd.exe	108
PID 4624 wrote to memory of 3984	4624	cmddd.exe	109
PID 4624 wrote to memory of 3984	4624	cmddd.exe	109
PID 4624 wrote to memory of 4392	4624	cmddd.exe	112
PID 4624 wrote to memory of 4392	4624	cmddd.exe	112
PID 4624 wrote to memory of 3812	4624	cmddd.exe	113
PID 4624 wrote to memory of 3812	4624	cmddd.exe	113
PID 4624 wrote to memory of 3160	4624	cmddd.exe	115
PID 4624 wrote to memory of 3160	4624	cmddd.exe	115
PID 4624 wrote to memory of 3788	4624	cmddd.exe	116
PID 4624 wrote to memory of 3788	4624	cmddd.exe	116
PID 4624 wrote to memory of 4072	4624	cmddd.exe	117
PID 4624 wrote to memory of 4072	4624	cmddd.exe	117
PID 4624 wrote to memory of 3760	4624	cmddd.exe	118
PID 4624 wrote to memory of 3760	4624	cmddd.exe	118
PID 4624 wrote to memory of 2816	4624	cmddd.exe	119
PID 4624 wrote to memory of 2816	4624	cmddd.exe	119
PID 4624 wrote to memory of 3332	4624	cmddd.exe	120
PID 4624 wrote to memory of 3332	4624	cmddd.exe	120
PID 4624 wrote to memory of 1976	4624	cmddd.exe	121
PID 4624 wrote to memory of 1976	4624	cmddd.exe	121
PID 4624 wrote to memory of 4032	4624	cmddd.exe	122
PID 4624 wrote to memory of 4032	4624	cmddd.exe	122

C:\Users\Admin\AppData\Local\Temp\ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe
"C:\Users\Admin\AppData\Local\Temp\ADS87a4d784A87D487a487A4D87D8sHGIUYgiuyGiyugIUGoijuhiufgtUHouguis.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\map.exe C:\Windows\System32\Driver.sys
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Windows\System32\map.exe
    C:\Windows\System32\map.exe C:\Windows\System32\Driver.sys
    3⤵
    - Executes dropped EXE
    - Sets service image path in registry
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmddd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3112
- - C:\Windows\System32\cmddd.exe
    C:\Windows\System32\cmddd.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4784
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3316
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4984
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3984
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3160
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:5028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3988
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4612
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:308
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1724
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3256
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2240
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1196
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1468
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:3532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:216
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4732
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff83b924f50,0x7ff83b924f60,0x7ff83b924f70
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1740 /prefetch:2
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2060 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2348 /prefetch:8
  2⤵
  PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3004 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3044 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4460 /prefetch:8
  2⤵
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4624 /prefetch:8
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4476 /prefetch:8
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4532 /prefetch:8
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3376 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3360 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3960 /prefetch:8
  2⤵
  PID:488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6488 /prefetch:8
  2⤵
  PID:940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6840 /prefetch:8
  2⤵
  PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3352 /prefetch:8
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4668 /prefetch:8
  2⤵
  PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5996 /prefetch:8
  2⤵
  PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1668,13366831644968681581,3560453531740055697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:1780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3760

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x300
1⤵
PID:4592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
efeb76106b4a42dcfe9d9b9eb2b268cc

SHA1
9bd7be857e1940a5e69a3ca18a8337e888c2a92e

SHA256
d895832dee7a8b1bd1ff870bc4de166b78b7949a5cfb48e7b899bd6da89f0d45

SHA512
0aa00542e041b6afb8b3b9861777700992d2e8c272d832e018a68f1004e956ded740dad89aeb05e635454d2c9e9f8f9dfc66d21e0d5f51a44d5a8f14559ac5d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
41a02720229bf024ce5f9273d903d224

SHA1
81dadaa460e3534a90e3dc0bfc1f5bff6aded780

SHA256
5da408b4cdeb1a9aa6c35414b04b1866efaa20b945d367cec41d592e715f64e6

SHA512
ec31d676b3ffafb0422ec260136310668c837f6665f350a6f53e62c4164959cf6f36125047751e2324375a887520a11bd1c6470f8c5b46e63c89ba57e8ec0afc

Download Submit
C:\Windows\System32\cmddd.exe

Filesize
244KB

MD5
d0330639eccb977654e6cb58ef5dd691

SHA1
26278a1a65e587dc1fb0c117bacaa1084a1c1221

SHA256
44591e400baa45e98832ba4706c1c55f5fe3b2cc86225d1ed0b30a92f125a941

SHA512
d684811d7ad2fb0e223574ab70ddc50ed1cee24564b81890d13d7457395c87a04d5937a2e11959e3c74c4f9a9fc6d94ac4a91ee673640c95884fbc8bfae54f29

Download Submit
C:\Windows\System32\cmddd.exe

Filesize
244KB

MD5
d0330639eccb977654e6cb58ef5dd691

SHA1
26278a1a65e587dc1fb0c117bacaa1084a1c1221

SHA256
44591e400baa45e98832ba4706c1c55f5fe3b2cc86225d1ed0b30a92f125a941

SHA512
d684811d7ad2fb0e223574ab70ddc50ed1cee24564b81890d13d7457395c87a04d5937a2e11959e3c74c4f9a9fc6d94ac4a91ee673640c95884fbc8bfae54f29

Download Submit
C:\Windows\System32\map.exe

Filesize
134KB

MD5
e1cbb6cc58f3ed1bc81f59bea5b1db3c

SHA1
a9ce68cc285c5794546adeddfbdefb4328151511

SHA256
60972c9864e6edb571f6d8cfa93853ff48c2c1e07f36f2b6ff0673dfbc4b010a

SHA512
660487d13692b13130c199f52b5713799349610df16a0287655947654d643162593382abc1ccb9e7e3a867377bc2aa239f0973dd0223276e12cc2b00d51f3950

Download Submit
C:\Windows\System32\map.exe

Filesize
134KB

MD5
e1cbb6cc58f3ed1bc81f59bea5b1db3c

SHA1
a9ce68cc285c5794546adeddfbdefb4328151511

SHA256
60972c9864e6edb571f6d8cfa93853ff48c2c1e07f36f2b6ff0673dfbc4b010a

SHA512
660487d13692b13130c199f52b5713799349610df16a0287655947654d643162593382abc1ccb9e7e3a867377bc2aa239f0973dd0223276e12cc2b00d51f3950

Download Submit
memory/4788-133-0x00007FF85AE10000-0x00007FF85B005000-memory.dmp

Filesize
2.0MB

Download
memory/4788-147-0x00007FF85AE10000-0x00007FF85B005000-memory.dmp

Filesize
2.0MB

Download
memory/4788-146-0x00007FF73C730000-0x00007FF73CF7D000-memory.dmp

Filesize
8.3MB

Download
memory/4788-132-0x00007FF73C730000-0x00007FF73CF7D000-memory.dmp

Filesize
8.3MB

Download