hxxps://cdn[.]discordapp[.]com/attachments/1248009685584580640/1248009735362580604/balls[.]exe?ex=66641563&is=6662c3e3&hm=bf91204865c982af04a4105f67c4bc4679ae49bc3e40bbd91178bd04aa1633a7&

Analysis

max time kernel
68s
max time network
69s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07-06-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1248009685584580640/1248009735362580604/balls.exe?ex=66641563&is=6662c3e3&hm=bf91204865c982af04a4105f67c4bc4679ae49bc3e40bbd91178bd04aa1633a7&

Score

8^/10

evasion execution

Malware Config

Signatures

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 1 IoCs

pid	Process
3972	balls.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3972	balls.exe
3972	balls.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1752	sc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
1012	taskkill.exe
4928	taskkill.exe
1704	taskkill.exe
4728	taskkill.exe
648	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133622548423401072"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3160	chrome.exe
3160	chrome.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe
3972	balls.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeDebugPrivilege	1012	taskkill.exe
Token: SeDebugPrivilege	4928	taskkill.exe
Token: SeDebugPrivilege	1704	taskkill.exe
Token: SeDebugPrivilege	4728	taskkill.exe
Token: SeDebugPrivilege	648	taskkill.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe
Token: SeCreatePagefilePrivilege	3160	chrome.exe
Token: SeShutdownPrivilege	3160	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe
3160	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3972	balls.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 3616	3160	chrome.exe	82
PID 3160 wrote to memory of 3616	3160	chrome.exe	82
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 4984	3160	chrome.exe	83
PID 3160 wrote to memory of 1736	3160	chrome.exe	84
PID 3160 wrote to memory of 1736	3160	chrome.exe	84
PID 3160 wrote to memory of 2920	3160	chrome.exe	85
PID 3160 wrote to memory of 2920	3160	chrome.exe	85
PID 3160 wrote to memory of 2920	3160	chrome.exe	85
PID 3160 wrote to memory of 2920	3160	chrome.exe	85
PID 3160 wrote to memory of 2920	3160	chrome.exe	85
PID 3160 wrote to memory of 2920	3160	chrome.exe	85
PID 3160 wrote to memory of 2920	3160	chrome.exe	85
PID 3160 wrote to memory of 2920	3160	chrome.exe	85
PID 3160 wrote to memory of 2920	3160	chrome.exe	85
PID 3160 wrote to memory of 2920	3160	chrome.exe	85
PID 3160 wrote to memory of 2920	3160	chrome.exe	85
PID 3160 wrote to memory of 2920	3160	chrome.exe	85
PID 3160 wrote to memory of 2920	3160	chrome.exe	85
PID 3160 wrote to memory of 2920	3160	chrome.exe	85
PID 3160 wrote to memory of 2920	3160	chrome.exe	85
PID 3160 wrote to memory of 2920	3160	chrome.exe	85
PID 3160 wrote to memory of 2920	3160	chrome.exe	85
PID 3160 wrote to memory of 2920	3160	chrome.exe	85
PID 3160 wrote to memory of 2920	3160	chrome.exe	85
PID 3160 wrote to memory of 2920	3160	chrome.exe	85
PID 3160 wrote to memory of 2920	3160	chrome.exe	85
PID 3160 wrote to memory of 2920	3160	chrome.exe	85
PID 3160 wrote to memory of 2920	3160	chrome.exe	85
PID 3160 wrote to memory of 2920	3160	chrome.exe	85
PID 3160 wrote to memory of 2920	3160	chrome.exe	85
PID 3160 wrote to memory of 2920	3160	chrome.exe	85
PID 3160 wrote to memory of 2920	3160	chrome.exe	85
PID 3160 wrote to memory of 2920	3160	chrome.exe	85
PID 3160 wrote to memory of 2920	3160	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1248009685584580640/1248009735362580604/balls.exe?ex=66641563&is=6662c3e3&hm=bf91204865c982af04a4105f67c4bc4679ae49bc3e40bbd91178bd04aa1633a7&
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb31e6ab58,0x7ffb31e6ab68,0x7ffb31e6ab78
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1896,i,8404806040306981843,7310516265283223435,131072 /prefetch:2
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1896,i,8404806040306981843,7310516265283223435,131072 /prefetch:8
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1896,i,8404806040306981843,7310516265283223435,131072 /prefetch:8
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2976 --field-trial-handle=1896,i,8404806040306981843,7310516265283223435,131072 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2984 --field-trial-handle=1896,i,8404806040306981843,7310516265283223435,131072 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4652 --field-trial-handle=1896,i,8404806040306981843,7310516265283223435,131072 /prefetch:8
  2⤵
  PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4664 --field-trial-handle=1896,i,8404806040306981843,7310516265283223435,131072 /prefetch:8
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 --field-trial-handle=1896,i,8404806040306981843,7310516265283223435,131072 /prefetch:8
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 --field-trial-handle=1896,i,8404806040306981843,7310516265283223435,131072 /prefetch:8
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 --field-trial-handle=1896,i,8404806040306981843,7310516265283223435,131072 /prefetch:8
  2⤵
  PID:780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4904 --field-trial-handle=1896,i,8404806040306981843,7310516265283223435,131072 /prefetch:8
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4696 --field-trial-handle=1896,i,8404806040306981843,7310516265283223435,131072 /prefetch:8
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 --field-trial-handle=1896,i,8404806040306981843,7310516265283223435,131072 /prefetch:8
  2⤵
  PID:4384
- C:\Users\Admin\Downloads\balls.exe
  "C:\Users\Admin\Downloads\balls.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Downloads\balls.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    PID:4000
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Users\Admin\Downloads\balls.exe" MD5
      4⤵
      PID:1676
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:1404
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
    3⤵
    PID:4048
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerUI.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
    3⤵
    PID:4436
  - - C:\Windows\system32\taskkill.exe
      taskkill /f /im HTTPDebuggerSvc.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    3⤵
    PID:2628
  - - C:\Windows\system32\sc.exe
      sc stop HTTPDebuggerPro
      4⤵
      Launches sc.exe
      PID:1752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
    3⤵
    PID:756
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:4520
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
    3⤵
    PID:3428
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4808 --field-trial-handle=1896,i,8404806040306981843,7310516265283223435,131072 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5232 --field-trial-handle=1896,i,8404806040306981843,7310516265283223435,131072 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5396 --field-trial-handle=1896,i,8404806040306981843,7310516265283223435,131072 /prefetch:8
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5544 --field-trial-handle=1896,i,8404806040306981843,7310516265283223435,131072 /prefetch:8
  2⤵
  PID:1280

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
c0832f32734e2610cf3a2854380bc17c

SHA1
56971974528d06797dc95c33a7a66c4ab392b8b4

SHA256
f58490f1e664f6feb74e88873ce9b44e42b9b3afeb3906fe3af1bcd63d077607

SHA512
9655a81f1a4f732b8f9918a4d11ccca7abb26491bf011a17d7ffcaeb9a0dd744982a077d177df7fd6737b1d86b70c0c74ba1e1da197238c2d2e3690967b5c1e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ac05554de6d8f63d84bd924f5de6cbf8

SHA1
62cf63299a79ea5ed7b299d88e310f1fc36de39f

SHA256
d327ae7e58dee42f17982e72c292302bd3da46a8fafd93213d9d24ec319b66bc

SHA512
e867bb65f86115ec8249b0e6acf37c6cd85b348150513f94e96424e41c80ec751dc17574579bd7e49f9ae26355ff48540e5ec4766d7c51791198d023aa23cde9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8e963c8c3d1b82f03ccf656c049a95d5

SHA1
686db687f47acb4726fada5298fc8406adccf751

SHA256
89f8fd8ac83324226e01503968c26bb9f180edafa94d3cf0036941fb59fa7d77

SHA512
0fe6266f9e861b620154283f6cfd98c766390103d040ce7dcb02cf9be51c560f2466bd06e73abfea1acd2669a2d122f1611fe57adfb11e1fdeeb7e2902ff85b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
b03cd14d01644d138e7d94300f5128e2

SHA1
4ab64b590136ddd4aa11375b73bd27262892850c

SHA256
f1af76baf75b393e84febc75245915aaff28048ae47be4987a8499529d734ecd

SHA512
9f2df40262af5a32bfa35f9301d91d9cebeca4cb19cc7c06aba9a8c7563cd064832e9334dc416486945192487b12196836f5253143ba81e6de2e90ff00b6870c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
a793f12d4697c1dd431db21b104b9f87

SHA1
ea51e8d12b075e168642c1a4030afd90b3820894

SHA256
b9329c5b88b4f21a57dcece29d29ecfc5873f4d50b39938dfa5d8485757b848e

SHA512
c902c49d922a35cfd449d5a5324f35759824d9c0d86b98d961630df566bace865996c9c9f3736106c8accad36644512086827de0873a07ad8a263caae39e8c07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
1c19f891a574c83b6c7784431d6cd936

SHA1
bca2e9e62cc9e636af1335c1f38bb83a5525b9b5

SHA256
dc41fa60a39c1390b4ab1d0a0b93175d4fabf8e9a3a8f6acbc720b4ae7c5b066

SHA512
18a3cfeb04d3a34a770ec470a9802721debdaeaa751fc23c84f33365a2408e1b5a97bdca7f0dd6fce72281bad653b0f12256ed0ebb782460d4319b78b189cd1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57b100.TMP

Filesize
94KB

MD5
87361e2d082741d96192ed2c5afa39b5

SHA1
6e7c6783d6b5043bb585813a3cbf9f7b3ce4274f

SHA256
c9e33d7abac07a63efb450bda8c30ec626f0a0666cc0a26d1d05015a985f5bd7

SHA512
1f30cf96fbc1055d417517ef51c5cebfa6ac4855db3aaddb5b54d23bea550dd0607a034d3b73ec0aa8a06b804e311c5dca0960239a6c9c1331984742133d7ace

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 561382.crdownload

Filesize
5.1MB

MD5
08962d53376091e3387b4ffac36d8cc8

SHA1
39768af1242a332c3d79450feae9fecc768dbc34

SHA256
3b86527b1f49d776b9ec0d2ab87be2bd23069c5c4ada6c2fb46abf62f42262a4

SHA512
5830e607d304a07ec8b73b31ced43355e6a6d434292f6551a3fcf73d190ff4126696ad08ea6b513e6e55a5265ed3271da61c5c805e25e7373d1f8da59799c2e8

Download Submit
memory/3972-69-0x00007FFB40D80000-0x00007FFB40D82000-memory.dmp

Filesize
8KB

Download
memory/3972-68-0x00007FFB40D70000-0x00007FFB40D72000-memory.dmp

Filesize
8KB

Download
memory/3972-70-0x00007FF68A600000-0x00007FF68B00B000-memory.dmp

Filesize
10.0MB

Download
memory/3972-67-0x00007FF68A7FB000-0x00007FF68AAE8000-memory.dmp

Filesize
2.9MB

Download
memory/3972-127-0x00007FF68A7FB000-0x00007FF68AAE8000-memory.dmp

Filesize
2.9MB

Download
memory/3972-128-0x00007FF68A600000-0x00007FF68B00B000-memory.dmp

Filesize
10.0MB

Download