blacknet | hxxps://github[.]com

max time kernel
411s
max time network
467s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2022 21:24

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com

Score

10^/10

blacknet darkcomet guest16 persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

gameservice.ddns.net:4320

Mutex

DC_MUTEX-WBUNVXD

Attributes

InstallPath
AudioDriver\taskhost.exe
gencode
EWSsWwgyJrUD
install
true
offline_keylogger
true
persistence
false
reg_key
AudioDriver

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

upx_compresser.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\AudioDriver\\taskhost.exe"	upx_compresser.exe

Executes dropped EXE 6 IoCs

Processes:

ChromeRecovery.exesvshost.exejusched.exeWinlockerBuilderv5.exeupx_compresser.exeupx_compresser.exe

pid process

4172 ChromeRecovery.exe
3716 svshost.exe
3596 jusched.exe
4716 WinlockerBuilderv5.exe
2188 upx_compresser.exe
2752 upx_compresser.exe

pid	process
4172	ChromeRecovery.exe
3716	svshost.exe
3596	jusched.exe
4716	WinlockerBuilderv5.exe
2188	upx_compresser.exe
2752	upx_compresser.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/4716-176-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/3720-186-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/4716-189-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/3720-192-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/3720-193-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/4716-196-0x0000000000400000-0x0000000000C89000-memory.dmp	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

upx_compresser.exejusched.exesvshost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	upx_compresser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	jusched.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	svshost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WinlockerBuilderv5.exeupx_compresser.exejusched.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\Desktop\\WinlockerBuilderv5.exe"	WinlockerBuilderv5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\jusched.exe"	WinlockerBuilderv5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AudioDriver = "C:\\Users\\Admin\\Documents\\AudioDriver\\taskhost.exe"	upx_compresser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\jusched.exe"	jusched.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

upx_compresser.exe

description pid process target process

PID 2188 set thread context of 2752 2188 upx_compresser.exe upx_compresser.exe

description	pid	process	target process
PID 2188 set thread context of 2752	2188	upx_compresser.exe	upx_compresser.exe

Drops file in Program Files directory 7 IoCs

Processes:

elevation_service.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4764_2129489556\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4764_2129489556\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4764_2129489556\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4764_2129489556\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4764_2129489556\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4764_2129489556\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4764_2129489556\ChromeRecoveryCRX.crx	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exeupx_compresser.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	upx_compresser.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeWinlockerBuilderv5.exeupx_compresser.exejusched.exe

pid	process
5016	chrome.exe
5016	chrome.exe
2064	chrome.exe
2064	chrome.exe
4748	chrome.exe
4748	chrome.exe
4420	chrome.exe
4420	chrome.exe
1996	chrome.exe
1996	chrome.exe
1104	chrome.exe
1104	chrome.exe
4380	chrome.exe
4380	chrome.exe
1224	chrome.exe
1224	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1376	chrome.exe
1772	chrome.exe
1772	chrome.exe
4708	chrome.exe
4708	chrome.exe
3812	WinlockerBuilderv5.exe
3812	WinlockerBuilderv5.exe
3812	WinlockerBuilderv5.exe
3812	WinlockerBuilderv5.exe
3812	WinlockerBuilderv5.exe
3812	WinlockerBuilderv5.exe
3812	WinlockerBuilderv5.exe
3812	WinlockerBuilderv5.exe
3812	WinlockerBuilderv5.exe
3812	WinlockerBuilderv5.exe
3812	WinlockerBuilderv5.exe
3812	WinlockerBuilderv5.exe
3812	WinlockerBuilderv5.exe
3812	WinlockerBuilderv5.exe
3812	WinlockerBuilderv5.exe
3812	WinlockerBuilderv5.exe
3812	WinlockerBuilderv5.exe
3812	WinlockerBuilderv5.exe
2188	upx_compresser.exe
2188	upx_compresser.exe
3596	jusched.exe
3596	jusched.exe
3596	jusched.exe
3596	jusched.exe
3596	jusched.exe
3596	jusched.exe
3596	jusched.exe
3596	jusched.exe
3596	jusched.exe
3596	jusched.exe
3596	jusched.exe
3596	jusched.exe
3596	jusched.exe
3596	jusched.exe
3596	jusched.exe
3596	jusched.exe
3596	jusched.exe
3596	jusched.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

upx_compresser.exe

pid process

2188 upx_compresser.exe

pid	process
2188	upx_compresser.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

chrome.exe

pid	process
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

svchost.exeWinlockerBuilderv5.exeupx_compresser.exejusched.exe

description	pid	process
Token: SeTcbPrivilege	4032	svchost.exe
Token: SeRestorePrivilege	4032	svchost.exe
Token: SeDebugPrivilege	3812	WinlockerBuilderv5.exe
Token: SeIncreaseQuotaPrivilege	2752	upx_compresser.exe
Token: SeSecurityPrivilege	2752	upx_compresser.exe
Token: SeTakeOwnershipPrivilege	2752	upx_compresser.exe
Token: SeLoadDriverPrivilege	2752	upx_compresser.exe
Token: SeSystemProfilePrivilege	2752	upx_compresser.exe
Token: SeSystemtimePrivilege	2752	upx_compresser.exe
Token: SeProfSingleProcessPrivilege	2752	upx_compresser.exe
Token: SeIncBasePriorityPrivilege	2752	upx_compresser.exe
Token: SeCreatePagefilePrivilege	2752	upx_compresser.exe
Token: SeBackupPrivilege	2752	upx_compresser.exe
Token: SeRestorePrivilege	2752	upx_compresser.exe
Token: SeShutdownPrivilege	2752	upx_compresser.exe
Token: SeDebugPrivilege	2752	upx_compresser.exe
Token: SeSystemEnvironmentPrivilege	2752	upx_compresser.exe
Token: SeChangeNotifyPrivilege	2752	upx_compresser.exe
Token: SeRemoteShutdownPrivilege	2752	upx_compresser.exe
Token: SeUndockPrivilege	2752	upx_compresser.exe
Token: SeManageVolumePrivilege	2752	upx_compresser.exe
Token: SeImpersonatePrivilege	2752	upx_compresser.exe
Token: SeCreateGlobalPrivilege	2752	upx_compresser.exe
Token: 33	2752	upx_compresser.exe
Token: 34	2752	upx_compresser.exe
Token: 35	2752	upx_compresser.exe
Token: 36	2752	upx_compresser.exe
Token: SeDebugPrivilege	3596	jusched.exe

Suspicious use of FindShellTrayWindow 49 IoCs

Processes:

chrome.exe

pid	process
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe

Suspicious use of SendNotifyMessage 36 IoCs

Processes:

chrome.exe

pid	process
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe
2064	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

WinlockerBuilderv5.exejusched.exeWinlockerBuilderv5.exe

pid process

3812 WinlockerBuilderv5.exe
3812 WinlockerBuilderv5.exe
3596 jusched.exe
3596 jusched.exe
4716 WinlockerBuilderv5.exe

pid	process
3812	WinlockerBuilderv5.exe
3812	WinlockerBuilderv5.exe
3596	jusched.exe
3596	jusched.exe
4716	WinlockerBuilderv5.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2064 wrote to memory of 832	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 832	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 3700	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 5016	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 5016	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 4348	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 4348	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 4348	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 4348	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 4348	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 4348	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 4348	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 4348	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 4348	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 4348	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 4348	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 4348	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 4348	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 4348	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 4348	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 4348	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 4348	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 4348	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 4348	2064	chrome.exe	chrome.exe
PID 2064 wrote to memory of 4348	2064	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://github.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7fff48634f50,0x7fff48634f60,0x7fff48634f70
2⤵
PID:832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1620 /prefetch:2
2⤵
PID:3700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1964 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2360 /prefetch:8
2⤵
PID:4348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2980 /prefetch:1
2⤵
PID:1584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2972 /prefetch:1
2⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4308 /prefetch:8
2⤵
PID:2144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4416 /prefetch:8
2⤵
PID:3128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5016 /prefetch:8
2⤵
PID:4976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5056 /prefetch:8
2⤵
PID:4476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4720 /prefetch:8
2⤵
PID:2752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4476 /prefetch:8
2⤵
PID:632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
2⤵
PID:1412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4512 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4276 /prefetch:8
2⤵
PID:4840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1084 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=808 /prefetch:1
2⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2160 /prefetch:1
2⤵
PID:2300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=900 /prefetch:8
2⤵
PID:3460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5320 /prefetch:8
2⤵
PID:1756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5328 /prefetch:8
2⤵
PID:1844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
2⤵
PID:3756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3216 /prefetch:8
2⤵
PID:220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3228 /prefetch:8
2⤵
PID:1716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5464 /prefetch:8
2⤵
PID:1216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
2⤵
PID:1172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2668 /prefetch:1
2⤵
PID:2744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5352 /prefetch:8
2⤵
PID:3596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3640 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4548 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5352 /prefetch:8
2⤵
PID:1416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3192 /prefetch:8
2⤵
PID:5056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5776 /prefetch:8
2⤵
PID:1584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5764 /prefetch:8
2⤵
PID:4868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5752 /prefetch:8
2⤵
PID:4764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3252 /prefetch:8
2⤵
PID:2008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5736 /prefetch:8
2⤵
PID:3588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3036 /prefetch:8
2⤵
PID:5040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3064 /prefetch:8
2⤵
PID:2396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3020 /prefetch:8
2⤵
PID:4164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
2⤵
PID:5080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
2⤵
PID:908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4480 /prefetch:8
2⤵
PID:4556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2984 /prefetch:8
2⤵
PID:4988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3188 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
2⤵
PID:3712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1548 /prefetch:1
2⤵
PID:3708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2336 /prefetch:8
2⤵
PID:484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5704 /prefetch:8
2⤵
PID:1960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4276 /prefetch:8
2⤵
PID:2400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5724 /prefetch:8
2⤵
PID:1716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5824 /prefetch:8
2⤵
PID:4696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6228 /prefetch:8
2⤵
PID:3176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6236 /prefetch:8
2⤵
PID:4976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3644 /prefetch:8
2⤵
PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
2⤵
PID:4764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2316 /prefetch:1
2⤵
PID:3736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4516 /prefetch:8
2⤵
PID:4844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
2⤵
PID:4056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
2⤵
PID:2484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
2⤵
PID:4192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3204 /prefetch:8
2⤵
PID:3844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
2⤵
PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4332 /prefetch:8
2⤵
PID:3064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
2⤵
PID:4880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6100 /prefetch:8
2⤵
PID:4740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
2⤵
PID:1508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6300 /prefetch:8
2⤵
PID:3708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4608 /prefetch:8
2⤵
PID:4192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,13241749301161050704,3327365933616673085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3472 /prefetch:8
2⤵
PID:1968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4820

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\system32\dashost.exe
dashost.exe {f4d3c5f6-8663-4ec0-a141eb1ec819753c}
2⤵
PID:1884

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:4764

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4764_2129489556\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4764_2129489556\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={d06d660e-067d-4e8d-9b3b-2a549c00bd6c} --system
2⤵
- Executes dropped EXE
PID:4172

C:\Users\Admin\Desktop\WinlockerBuilderv5.exe
"C:\Users\Admin\Desktop\WinlockerBuilderv5.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3812

C:\Users\Admin\AppData\Local\Temp\svshost.exe
"C:\Users\Admin\AppData\Local\Temp\svshost.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:3716

C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
"C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4716

C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
"C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2188

C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
"C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Users\Admin\Documents\AudioDriver\taskhost.exe
"C:\Users\Admin\Documents\AudioDriver\taskhost.exe"
5⤵
PID:5096

C:\Users\Admin\Documents\AudioDriver\taskhost.exe
"C:\Users\Admin\Documents\AudioDriver\taskhost.exe"
6⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3596

C:\Users\Admin\AppData\Local\Temp\svshost.exe
"C:\Users\Admin\AppData\Local\Temp\svshost.exe"
3⤵
PID:4708

C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
"C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
4⤵
PID:3720

C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
"C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
4⤵
PID:4004

C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
"C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
5⤵
PID:4456

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1880

C:\Users\Admin\Desktop\Build.exe
"C:\Users\Admin\Desktop\Build.exe"
1⤵
PID:3160

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38d5855 /state1:0x41c64e6d
1⤵
PID:3864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\AddRead.asx
Filesize
328KB

MD5
a87c2e4b6f36e74bace8d7aa60ecaa8f

SHA1
efc293de99ab366e82bd1199fc9be1c68f55d674

SHA256
7b7b5898bedea2d2f1fd2e7e60a35407f7a6fc1673f4509294d6948dfe1fa0be

SHA512
59a26a3ea614651b2e0daa8142ad45eb28763e380c71b9354e2f8ed01e6bf488b8b2da0215d8fd75654ca7f57ab17603ac4fa92cb8f33a8c7bd397abdbdbf056

Download Submit
C:\Users\Admin\Desktop\ApproveFormat.kix
Filesize
542KB

MD5
7bebf76fd801e8de1f2109e9cb81f49c

SHA1
1ae6dd53fe24c4eb39569070c0ee58819baa2f72

SHA256
0ebc1d313433158794312605db84ead6f1584304fff24a9ec9a15577082ee3a0

SHA512
d751a517403e4e675bf01f091a912666c7f19ecf4f7b4dd351156a36f99a1e7b0cad1c3d2289ca5b410f4e1b25b4b20a5d579829bf317239eca401657651230e

Download Submit
C:\Users\Admin\Desktop\BackupSave.vsx
Filesize
502KB

MD5
4cff48323e9574217242da86f4230b6d

SHA1
d27592745e6a9dfe0db0eff3b08f30d1f5d5ec6e

SHA256
a55fa90a3c94e18e3f8190222fd361b46559a9e9cdbd96e02eb09dadf5a62f94

SHA512
0622f913b72ba0feef60ba2835fcd05aa180990ad9d16ed936308a074dbdf8107bffe48d34c80cf1cd7360c483dbae6dcc0904da8e92f776ce3e802d4bd3ab0c

Download Submit
C:\Users\Admin\Desktop\ClearDebug.potm
Filesize
435KB

MD5
e3e681dd2d77fd4306a582acab4fb4d6

SHA1
f856ef59a35a73170d488b5cf6e3e2bdd71d9681

SHA256
85bafb86bc35c232ca4c5109a7f0ed0dd707828b38675e992005f60edf5ff503

SHA512
0a32002df86034f2cbf2cf556130cc5e8a5b16b72c886ed7f02476e5983d2b1e68145db6110ce43d5a49e11ad4dee641c88d5a6e74099d169abf69baa0d2c1ff

Download Submit
C:\Users\Admin\Desktop\CloseReset.vsd
Filesize
395KB

MD5
a2a0a91c4efaeda87e1e3dfbe934deb6

SHA1
4b57424bc3c5b84f70ca87becea3fdac21e23212

SHA256
228f5a74faccdb51c2c315d69d509a8ec59358e630480898ec6de0f5e3ea7626

SHA512
85813756e1359842a7ffda48e47ec96d2c0b083b3ce50e4026cf3fdaa44fb0f0a69f9b637a60449de73e38be4f98e716266313333155605a94856ec9b8a54a37

Download Submit
C:\Users\Admin\Desktop\CloseResize.rtf
Filesize
261KB

MD5
23336ad3d8cdc89d080f623f7e7a3cf7

SHA1
b9c1baef70064628d2081e06ec09983ef1603917

SHA256
a9cd96b1a0b51293b94c3c127805c008d9f8572dfa9e6b01b5264d1782da9f35

SHA512
afab11e786a20457051a43b9847ee65c56756a5049184280e8c876ad6ecbf659ef9a355b9133fe61071c76991fd51a48d5d6127aa08faf6e82ce62dd991e8668

Download Submit
C:\Users\Admin\Desktop\EnterConfirm.ADT
Filesize
448KB

MD5
3ac418dc241a6225a6629bf2ae43b73d

SHA1
bfeebe32c6708429156805e92bee021e76f6dde1

SHA256
5d39996a1c70d9e65f7cb8575d58bc9a3729224bc9ec0ddf330b099d40cacb04

SHA512
7f784b15e84ef6609bb43d371534ab72c42c7da2948867cdf2269a6ec6c858e59c83fd8da09159c705e0beb9ed7091bcc3b973752795d3b7b72c92d4b86048cc

Download Submit
C:\Users\Admin\Desktop\ExitWatch.mht
Filesize
194KB

MD5
f0f8e5d0382a2690003189e8ef882efd

SHA1
a09529f53cc40af090ef80064f1ded518d1777ac

SHA256
fdc6df01b4d4b7a3fbcaf2e9b6cfce44e0ebee03b7feb574965bd026f0e8d457

SHA512
28766651e9754da09d67203689a4a7f648793bfd83ed4b336f833f3c0acbb3580eaec9ab33bdde45adc2cb854f6e58efe7db9c3823b600929771b3b7091b125d

Download Submit
C:\Users\Admin\Desktop\GetLock.ico
Filesize
421KB

MD5
d989af28039d9ed2754273fa94df39eb

SHA1
f15d74249b440ca6cd99f43e28bdadca4ffaa8f6

SHA256
5a501d94e9f1f2c470bd280d48d505d9147c9953da000278ba8f97aed1b2cc14

SHA512
e4bd434f76de6b21e24932ef56e68be425503fae2886c6ade0b3f31534adbb36e162e7a777b29377ef8c0844083d14572f4868f76410d90638929c4bb6005d24

Download Submit
C:\Users\Admin\Desktop\InstallComplete.pptx
Filesize
314KB

MD5
5de62fa7ab653c493b2a3f584974abe3

SHA1
6a1c7a36bcbff6bf6aba0da5d1ee8a704f680fc1

SHA256
49a21c2a664815f2d92b9b970d30bf8350a3b649551bab9915f909bacea9f313

SHA512
590f5634d9b77ef87615c49337860590c60bb7dae4ffa7138c4470326d821a343d4a305335b7178a74808bb78532f582b02e1e285c6ec9247954bc53156e0310

Download Submit
C:\Users\Admin\Desktop\InstallWrite.raw
Filesize
354KB

MD5
611a984cd0b5b9ce5927c9abe1604c98

SHA1
dae7994ab9c3cd63f9623ccc7b3e209beb7135b2

SHA256
2fad1dce2dc8b1df62a84d4252f93955a50f7864fb712bc0854bac0de400b84c

SHA512
323fe35dd578a96b384ce0376d6a20b0a6e286810f6ab0ad3fcc622976297a73d0688fd518dfbc75e817ce0b60df81692ccafed98b18d02a9819420e26d6bba5

Download Submit
C:\Users\Admin\Desktop\LockClear.xlsm
Filesize
368KB

MD5
172584068b706294b98d6d436c583e4f

SHA1
85a04a7822bc040ef4a006e50207494ce49c3c76

SHA256
ddd8a81a2409b2f69bbf2a8e11fc033e9c040e31adb2a2c53d87f3f10b38e0dc

SHA512
559d53628e962d4fe7e308d5576bb3d21afa645964c54e08ddc9478062f20ff3ef48e91fe8d7bde90eb645c524d75f9623f8b0b19c5c113e3a157e526062e7da

Download Submit
C:\Users\Admin\Desktop\MergeDisconnect.cr2
Filesize
301KB

MD5
48748e96aa4a1bde85ec58cbfad42cf1

SHA1
403fbf8e5fed0ccccabbf52d0e52749b533da995

SHA256
16131e24a75a069601350d3e674172f0e97d44b14acc8eda00056989d92de595

SHA512
1c80e67c56a500831e7162748391c264df4595b5de07e446bace5108daaef12ba5375c3f5d4ccf979bbb9b9b660bcd2d7e2c503c0493abc52309f57818d5369f

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
Filesize
2KB

MD5
06096cbc2aa0bbece13e69cf45858c9b

SHA1
e1bcea24705c71f3ca2446e6440b947f8fd267b6

SHA256
66bb4c6d2d68f1f60b278810d92f020710ed2cf7bbd94a6dce286f74e3b10cd3

SHA512
69910ac6ee57a0c12ab54c31c1bfe04c26e9e550f9a92618c9d86a19e1cb36b93490e58b35dd581257747057867c0f8e1c9e7cf560e3cf8ea5605174b4c7c220

Download Submit
C:\Users\Admin\Desktop\MountRestore.zip
Filesize
381KB

MD5
67b1b2390e52c0b9c957c4ed5165cdc3

SHA1
fd0c8e5b3ec2aa4dc08f52be5785af91408225de

SHA256
62bf78ce3d71f782a7d7d9e78bad5a0634d2470b8626be11ef9c29b4f30fb6ed

SHA512
2b80d118b7e98030f53de39ffb35f4362c1cd145caf817637f41404d8c4fc0868bf5a36ea247481a019aece08ae0e19425272cc8c0661994bb14a571a53cffc0

Download Submit
C:\Users\Admin\Desktop\OptimizeRedo.vssx
Filesize
555KB

MD5
4c1bf9e91e13b96727a576c1c69c0cc8

SHA1
b4850a2882b41a7f688e357edd3c46775d9edc8c

SHA256
352541fa31968aa0cc6917ff9411156b46721798c8f830f230ff7c1c39e657a3

SHA512
2d662f1581ea513f98d87705cdfa63cc0b87e06fb2c974c99abf8b19b0dcb773b6125400101ccbb55987b1793e9b71957a76189764e85a3c2f91589cdb9c937e

Download Submit
C:\Users\Admin\Desktop\OptimizeWrite.wmf
Filesize
475KB

MD5
db64005e9d4afd45f6b6d1afc5837e39

SHA1
2de66a10b447fb2976af0e3672778efc7418a13a

SHA256
9bb8107bc438b6ac395d07cfb13aae83267ae785c537540f5175ee95cbeb5f92

SHA512
349e209e27f350c69d4c8b3125dec1b43c44412419961623a635933e6db7fd4e4300c87d77233f9dea5c3cb582195cd92e9d3d1d2990ac32c2c88fe93e5f3a68

Download Submit
C:\Users\Admin\Desktop\RegisterInstall.001
Filesize
207KB

MD5
bafdc9f0cf38276aa1e7b8b0ebcf5dcd

SHA1
b9b4e005a0662598c0e57f2136ebf506f249c232

SHA256
01c2d9344a34a413f0136ff2c57b0e0ae8a9d74071c6cfad6947d48e87f767a0

SHA512
75051da464e03fc84082adf2b2733af5192002c1b5f7fe5da0d5a2d968a159ea43d9c356f3c12c748d47c19d3f3a1ac3799694989940164ee0c146f7e8811ae6

Download Submit
C:\Users\Admin\Desktop\RemoveExport.ini
Filesize
247KB

MD5
1e0375e051f81827322e083f6cbeaff6

SHA1
72658bb25233e89742b2154d608a5d13cd81e6cc

SHA256
2cb0db07649e1b6160923c8b891b344ab955e58f5e31b99b1157e74988a74fda

SHA512
7df062b67bedcc95d760dcf26df5b8d8863e59218d70f7d959051b751294721fdeb7cd6db4f83e32f966a037d7e6de81b4bc405b43e6a133307ced2595930d99

Download Submit
C:\Users\Admin\Desktop\RepairConvertFrom.mp4
Filesize
462KB

MD5
7b5848ad46bac5d982576025b0dad835

SHA1
879a3d05efccd8abfaca0f9acec4e5a1c4630b28

SHA256
9537ffe0117aa3907f4a9ab9d8605a03fc861440d0fb44941d5ad30bf7914497

SHA512
c981d18f864d76dc851d61fc724ec138d20755dccb69d1e8eba95dda98772a4307d43bba5838e740afaa968d1f7bfad84bdf39029605b8455d0723dc6981cf69

Download Submit
C:\Users\Admin\Desktop\RepairJoin.vdw
Filesize
220KB

MD5
33a2a84f36a158935651bade78ed1ff1

SHA1
af03cf825d91743474a260d85b1ba54ecfc6de8e

SHA256
48923ae362b660d45d0b2fead5e80f2809a78e371b0e5cc9662fd1d435fcc362

SHA512
593f5090fbad31680ce8aea76e7a27ad600209d2f51ec025e9660afad326799cbb4908ef2c61ca574a4106e0cb0e1ceedcf98bed6837034550a41fa9018da517

Download Submit
C:\Users\Admin\Desktop\ResetAssert.ico
Filesize
287KB

MD5
449c0ad6c8b1cb10bc33ac461ca3f9e7

SHA1
c715592721d74066c370c177d6021e1a0dd7597b

SHA256
0c891de784185b65fc38ecd544f761316c206a01fbd03f20c9f2708bdb1d6a45

SHA512
4440b9e6605c96ac2d7732106253f00fa6f6455a437e1bd288792fd131e32f7ac92252ddc53d9f23423f78aaaa37bf135d0f92d77e4934867e1313768bbb8c34

Download Submit
C:\Users\Admin\Desktop\SaveApprove.csv
Filesize
274KB

MD5
17f2eae07715e0cb298c03710150ad05

SHA1
46a3eab38577ff4bb41602b20913becf7cd5720f

SHA256
91dc9eedb6245a7c9ca85ea425dc874b7ec30da822e204cfba66eeed26dcdd30

SHA512
ecb23d5083a91890a0fd340cc00c7d32ab9a17f858621bf3fc34bf618c5b2d442e774dd85104441e0a7316b366ee3ec42a88a3bc6cad1de2a3c03dd24628bd5d

Download Submit
C:\Users\Admin\Desktop\ShowMove.mpg
Filesize
341KB

MD5
f90ed1d5a0f149af77574da868c10d5b

SHA1
f844ccd0acf322dcda69b214b55d8b53834b0535

SHA256
5f1aa0a318dcd1200bc9458f4665ce7a916405666b4d24e1a18460fc5e429912

SHA512
1dba89ad410b5718a007beda8b99e6d282876ec873673a28b94ec9b99ff7bdd94a938c143b5a36141e3f63da63105d5a21b39b1a3186193941a14bf5a45535e6

Download Submit
C:\Users\Admin\Desktop\SplitCheckpoint.xla
Filesize
763KB

MD5
563082f58a88e0a96bbd740ae8ed0540

SHA1
711de50fb6b99b72788908dee3087886274ac7a4

SHA256
ee98d9ce23a4354c5810e1713d154acd07560118f0a368992cd2cacf95ee3e69

SHA512
153c433bcc5ad9ea6452d59097abcb9261aff08f8c44b6a82c8b996e09576c7f563b20253fe6808863437b23d1279ceffe1859f6c9e36d72786159934248b6e5

Download Submit
C:\Users\Admin\Desktop\SuspendSplit.vst
Filesize
234KB

MD5
238a671b19445f99b0dfbc19b6a49198

SHA1
3ef04a46cb1ca0cc7e441696f1fe2409d3cbc026

SHA256
cdbf604de2e7d758db7a990f0ec800d65e8c197a2234d5a5b363778c8f2edc10

SHA512
4f475bb645712f8920eeb35e3aaf9c2aa76ece1bc182f4bdf88166d75cf86f5726df446c852f8cf3b6985c6e430921b22cebad85455d9066569ad973a91b3bd3

Download Submit
C:\Users\Admin\Desktop\UninstallResolve.otf
Filesize
515KB

MD5
bbf1bae23081ca4d3199d76d17602d28

SHA1
df940ce923e97f8ae737996f4e2096726314e68f

SHA256
440eda32ca819194279c6b2cdc04b1695b286e3d443269fb137f9ecad6dc2e2a

SHA512
e71f541e5e31ee4f7a50226588fb04c9afb38d53ac2bf439c74e35e615f28018f2736024c21fdeea23dd6379577549e274b334bd4498860ac09cc12647b234f4

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk
Filesize
2KB

MD5
2756e9400ef776f1ba38b79f41f5444c

SHA1
6219b22ccb955882b1b71a683e333769629bab21

SHA256
a4d67b093974fa41108488d25d5d2e181e8131b2c6f7d4d015c903376f93c49d

SHA512
c1f1fa66de4ebb6208c4234e11d12692e8f84219da3efcf9125309207b2cf0a2d13d6e7fec4d12e0246cd267ce185fd24587284a97f7449b3e29a636c9d70ce6

Download Submit
C:\Users\Public\Desktop\Firefox.lnk
Filesize
1000B

MD5
b277ba2f77df5ebb6987699939364605

SHA1
02a5379bf3b5faa3064689a4b472b88b8bfc8589

SHA256
a9f4437c30124fc4a874561a5e6114acc12c1f2a9bfa1721158e11c87ea3cf70

SHA512
e78579e38e231753372a8195aeec4aa369444338c77cd8e0e77ca92fd102f5ab5c2e92b8e964fabff2cb710efea4da7253168ea4f2237f806dcd0566134c7de9

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk
Filesize
2KB

MD5
21aaab7cc36424c419f732ee8641ba50

SHA1
7e119ec8296d7d40dfc711c03b8e7893a179da5a

SHA256
4dbab86c1fbd74e42665a82fe8b5ebe4ae7e1876e9af0f739c989de2a9230a07

SHA512
50da0bee2eb04d29c02d8dca35e7984fdf74ee7bcf42b0e78fe8513c2c4023f863012dbf41af2d4fa08e3cda8c510576b2ccd46b6c2f5f876e5690c85f80c145

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk
Filesize
923B

MD5
b1c55dae0d3bf7edfd4330ac047935aa

SHA1
b59b8d0d36a547329b797040022653ef6792fc4a

SHA256
c50b1763a7b366ad89ffb1f77a6e64ad9abaf2389f5fcb8a76887ec6bd47e40c

SHA512
f967b25bcc1e922ef78394533a0a3c50f72c0f3e3fdc8ff0e293003631282fb6221e4eddc61f18443f7660fe3c982e8165d364c22119f7694cf932742659af0c

Download Submit
\??\pipe\crashpad_2064_NYYPPTADRPGKHWUR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/224-185-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/224-195-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/224-181-0x0000000000000000-mapping.dmp

Download
memory/224-191-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1884-157-0x0000000000000000-mapping.dmp

Download
memory/2188-175-0x00000000021D0000-0x00000000021D9000-memory.dmp

Filesize
36KB

Download
memory/2188-173-0x0000000000000000-mapping.dmp

Download
memory/2752-178-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2752-174-0x0000000000000000-mapping.dmp

Download
memory/2752-187-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3596-170-0x00007FFF34020000-0x00007FFF34A56000-memory.dmp

Filesize
10.2MB

Download
memory/3596-169-0x0000000000000000-mapping.dmp

Download
memory/3596-177-0x00000000020BA000-0x00000000020BF000-memory.dmp

Filesize
20KB

Download
memory/3596-190-0x00000000020BA000-0x00000000020BF000-memory.dmp

Filesize
20KB

Download
memory/3596-194-0x00000000020BA000-0x00000000020BF000-memory.dmp

Filesize
20KB

Download
memory/3716-168-0x0000000000000000-mapping.dmp

Download
memory/3720-192-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/3720-193-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/3720-182-0x0000000000000000-mapping.dmp

Download
memory/3720-186-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/3812-171-0x000000000104A000-0x000000000104F000-memory.dmp

Filesize
20KB

Download
memory/3812-167-0x000000000104A000-0x000000000104F000-memory.dmp

Filesize
20KB

Download
memory/3812-166-0x00007FFF34020000-0x00007FFF34A56000-memory.dmp

Filesize
10.2MB

Download
memory/4004-183-0x0000000000000000-mapping.dmp

Download
memory/4172-165-0x0000000000000000-mapping.dmp

Download
memory/4456-184-0x0000000000000000-mapping.dmp

Download
memory/4456-188-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4708-179-0x0000000000000000-mapping.dmp

Download
memory/4716-189-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/4716-176-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/4716-172-0x0000000000000000-mapping.dmp

Download
memory/4716-196-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/5096-180-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads