azorult | hxxps://keygenit[.]com/d/efe5b207221120n9s2s7[.]html

Resubmissions

10-05-2021 11:26

210510-tr8jnz3mxx 10

10-05-2021 00:00

210510-e3mrqdrdax 10

Analysis

max time kernel
1771s
max time network
1776s
platform
windows7_x64
resource
win7v20210408
submitted
10-05-2021 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://keygenit.com/d/efe5b207221120n9s2s7.html
Sample

210510-tr8jnz3mxx

Score

10^/10

azorult raccoon 4d609553bb4cb0b4f6f0a787148c2d610bd667f7 discovery infostealer spyware stealer trojan

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

raccoon

Botnet

4d609553bb4cb0b4f6f0a787148c2d610bd667f7

Attributes

url4cnc
https://telete.in/j90dadarobin

rc4.plain

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
Downloads MZ/PE file

Executes dropped EXE 15 IoCs

pid	Process
2692	keygen-pr.exe
2352	keygen-step-1.exe
2276	keygen-step-5.exe
2992	keygen-step-2.exe
2820	keygen-step-3.exe
2216	keygen-step-4.exe
2348	key.exe
544	lZj6_.exe
2420	askinstall20.exe
984	C240.tmp.exe
2872	jg6_6asg.exe
1660	software_reporter_tool.exe
2912	software_reporter_tool.exe
2220	software_reporter_tool.exe
2328	software_reporter_tool.exe

Loads dropped DLL 42 IoCs

pid	Process
900	cmd.exe
900	cmd.exe
900	cmd.exe
900	cmd.exe
900	cmd.exe
900	cmd.exe
900	cmd.exe
2692	keygen-pr.exe
2692	keygen-pr.exe
2692	keygen-pr.exe
2692	keygen-pr.exe
2220	cmd.exe
2216	keygen-step-4.exe
2216	keygen-step-4.exe
2216	keygen-step-4.exe
2216	keygen-step-4.exe
2348	key.exe
2956	regsvr32.exe
2992	keygen-step-2.exe
2992	keygen-step-2.exe
984	C240.tmp.exe
984	C240.tmp.exe
984	C240.tmp.exe
984	C240.tmp.exe
984	C240.tmp.exe
984	C240.tmp.exe
984	C240.tmp.exe
2216	keygen-step-4.exe
2216	keygen-step-4.exe
2216	keygen-step-4.exe
2216	keygen-step-4.exe
2996	chrome.exe
1660	software_reporter_tool.exe
1660	software_reporter_tool.exe
2220	software_reporter_tool.exe
2220	software_reporter_tool.exe
2220	software_reporter_tool.exe
2220	software_reporter_tool.exe
2220	software_reporter_tool.exe
2220	software_reporter_tool.exe
2220	software_reporter_tool.exe
1660	software_reporter_tool.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\colgdlijdieibnaccfdcdbpdffofkfeb\6.37.18_0\manifest.json	askinstall20.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2956	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2304	timeout.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2752	taskkill.exe
2060	taskkill.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	askinstall20.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	askinstall20.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	askinstall20.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	askinstall20.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2192	PING.EXE
2752	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1628	chrome.exe
1948	chrome.exe
1948	chrome.exe
1976	chrome.exe
2740	chrome.exe
788	chrome.exe
2996	chrome.exe
2996	chrome.exe
1160	chrome.exe
2844	chrome.exe
2572	chrome.exe
2940	chrome.exe
2996	chrome.exe
2996	chrome.exe
1660	software_reporter_tool.exe
1660	software_reporter_tool.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: 33	2056	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2056	AUDIODG.EXE
Token: 33	2056	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2056	AUDIODG.EXE
Token: SeCreateTokenPrivilege	2420	askinstall20.exe
Token: SeAssignPrimaryTokenPrivilege	2420	askinstall20.exe
Token: SeLockMemoryPrivilege	2420	askinstall20.exe
Token: SeIncreaseQuotaPrivilege	2420	askinstall20.exe
Token: SeMachineAccountPrivilege	2420	askinstall20.exe
Token: SeTcbPrivilege	2420	askinstall20.exe
Token: SeSecurityPrivilege	2420	askinstall20.exe
Token: SeTakeOwnershipPrivilege	2420	askinstall20.exe
Token: SeLoadDriverPrivilege	2420	askinstall20.exe
Token: SeSystemProfilePrivilege	2420	askinstall20.exe
Token: SeSystemtimePrivilege	2420	askinstall20.exe
Token: SeProfSingleProcessPrivilege	2420	askinstall20.exe
Token: SeIncBasePriorityPrivilege	2420	askinstall20.exe
Token: SeCreatePagefilePrivilege	2420	askinstall20.exe
Token: SeCreatePermanentPrivilege	2420	askinstall20.exe
Token: SeBackupPrivilege	2420	askinstall20.exe
Token: SeRestorePrivilege	2420	askinstall20.exe
Token: SeShutdownPrivilege	2420	askinstall20.exe
Token: SeDebugPrivilege	2420	askinstall20.exe
Token: SeAuditPrivilege	2420	askinstall20.exe
Token: SeSystemEnvironmentPrivilege	2420	askinstall20.exe
Token: SeChangeNotifyPrivilege	2420	askinstall20.exe
Token: SeRemoteShutdownPrivilege	2420	askinstall20.exe
Token: SeUndockPrivilege	2420	askinstall20.exe
Token: SeSyncAgentPrivilege	2420	askinstall20.exe
Token: SeEnableDelegationPrivilege	2420	askinstall20.exe
Token: SeManageVolumePrivilege	2420	askinstall20.exe
Token: SeImpersonatePrivilege	2420	askinstall20.exe
Token: SeCreateGlobalPrivilege	2420	askinstall20.exe
Token: 31	2420	askinstall20.exe
Token: 32	2420	askinstall20.exe
Token: 33	2420	askinstall20.exe
Token: 34	2420	askinstall20.exe
Token: 35	2420	askinstall20.exe
Token: SeDebugPrivilege	2752	taskkill.exe
Token: SeDebugPrivilege	2060	taskkill.exe
Token: 33	2912	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	2912	software_reporter_tool.exe
Token: 33	1660	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	1660	software_reporter_tool.exe
Token: 33	2220	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	2220	software_reporter_tool.exe
Token: 33	2328	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	2328	software_reporter_tool.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
1948	chrome.exe
2996	chrome.exe
2996	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1252	1948	chrome.exe	26
PID 1948 wrote to memory of 1252	1948	chrome.exe	26
PID 1948 wrote to memory of 1252	1948	chrome.exe	26
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1504	1948	chrome.exe	27
PID 1948 wrote to memory of 1628	1948	chrome.exe	28
PID 1948 wrote to memory of 1628	1948	chrome.exe	28
PID 1948 wrote to memory of 1628	1948	chrome.exe	28
PID 1948 wrote to memory of 1728	1948	chrome.exe	29
PID 1948 wrote to memory of 1728	1948	chrome.exe	29
PID 1948 wrote to memory of 1728	1948	chrome.exe	29
PID 1948 wrote to memory of 1728	1948	chrome.exe	29
PID 1948 wrote to memory of 1728	1948	chrome.exe	29
PID 1948 wrote to memory of 1728	1948	chrome.exe	29
PID 1948 wrote to memory of 1728	1948	chrome.exe	29
PID 1948 wrote to memory of 1728	1948	chrome.exe	29
PID 1948 wrote to memory of 1728	1948	chrome.exe	29
PID 1948 wrote to memory of 1728	1948	chrome.exe	29
PID 1948 wrote to memory of 1728	1948	chrome.exe	29
PID 1948 wrote to memory of 1728	1948	chrome.exe	29
PID 1948 wrote to memory of 1728	1948	chrome.exe	29
PID 1948 wrote to memory of 1728	1948	chrome.exe	29
PID 1948 wrote to memory of 1728	1948	chrome.exe	29
PID 1948 wrote to memory of 1728	1948	chrome.exe	29
PID 1948 wrote to memory of 1728	1948	chrome.exe	29

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://keygenit.com/d/efe5b207221120n9s2s7.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef7824f50,0x7fef7824f60,0x7fef7824f70
  2⤵
  PID:1252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1036 /prefetch:2
  2⤵
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1240 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1756 /prefetch:8
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2052 /prefetch:1
  2⤵
  PID:308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2060 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2480 /prefetch:1
  2⤵
  PID:1376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2584 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2728 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2888 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3652 /prefetch:8
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3644 /prefetch:2
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2484 /prefetch:8
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2484 /prefetch:8
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
  2⤵
  PID:968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
  "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
  2⤵
  PID:1784
- - C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x14018a890,0x14018a8a0,0x14018a8b0
    3⤵
    PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3032 /prefetch:8
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:1888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3024 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3056 /prefetch:8
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4552 /prefetch:8
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4464 /prefetch:8
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4496 /prefetch:8
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4296 /prefetch:8
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4312 /prefetch:8
  2⤵
  PID:544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4508 /prefetch:8
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4544 /prefetch:8
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4172 /prefetch:8
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8
  2⤵
  PID:1504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3012 /prefetch:8
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3004 /prefetch:8
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4672 /prefetch:8
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3504 /prefetch:8
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4588 /prefetch:8
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=536 /prefetch:8
  2⤵
  PID:956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1032,7585198301602850174,6541637231750912683,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:2116

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Users\Admin\AppData\Local\Temp\Temp2_Comprehensive_Meta_Analysis_keygen_by_KeygenNinja.zip\Comprehensive_Meta_Analysis_keygen_by_KeygenNinja.exe
"C:\Users\Admin\AppData\Local\Temp\Temp2_Comprehensive_Meta_Analysis_keygen_by_KeygenNinja.zip\Comprehensive_Meta_Analysis_keygen_by_KeygenNinja.exe"
1⤵
PID:3020
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - Loads dropped DLL
  PID:900
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX3\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX3\key.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2348
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX3\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        
        PID:2836
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
    keygen-step-1.exe
    3⤵
    - Executes dropped EXE
    PID:2352
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe
    keygen-step-5.exe
    3⤵
    - Executes dropped EXE
    PID:2276
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C TYPE "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe"> ..\lZj6_.exe&& STaRt ..\lZj6_.exe /Pnq2FANrvnB & IF "" == "" for %v iN ( "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe") do taskkill /im "%~NXv" /F> nUL
      4⤵
      Loads dropped DLL
      PID:2220
    - - C:\Users\Admin\AppData\Local\Temp\lZj6_.exe
        
        ..\lZj6_.exe /Pnq2FANrvnB
        5⤵
        Executes dropped EXE
        
        PID:544
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C TYPE "C:\Users\Admin\AppData\Local\Temp\lZj6_.exe"> ..\lZj6_.exe&& STaRt ..\lZj6_.exe /Pnq2FANrvnB & IF "/Pnq2FANrvnB " == "" for %v iN ( "C:\Users\Admin\AppData\Local\Temp\lZj6_.exe") do taskkill /im "%~NXv" /F> nUL
        6⤵
        
        PID:900
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /q /C Echo| sET /p = "MZ" > kDzbcYX.PW& cOPy/Y /b kDzbcYX.Pw + HUe1BG.HP + wN~B.cL+ O4qJM.k + pl5712X.th + BvR8wONH.C8K+ DBnNj.r~ ..\XmoU.w41 > NUL & del /q * > nUL& StARt regsvr32 /U -s ..\XMOU.w41
        6⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" Echo"
        7⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sET /p = "MZ" 1>kDzbcYX.PW"
        7⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /U -s ..\XMOU.w41
        7⤵
        Loads dropped DLL
        Suspicious use of NtCreateThreadExHideFromDebugger
        
        PID:2956
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "keygen-step-5.exe" /F
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe
    keygen-step-2.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2992
  - - C:\Users\Admin\AppData\Roaming\C240.tmp.exe
      "C:\Users\Admin\AppData\Roaming\C240.tmp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:984
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\C240.tmp.exe"
        5⤵
        
        PID:2220
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        6⤵
        Delays execution with timeout.exe
        
        PID:2304
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-2.exe" >> NUL
      4⤵
      PID:2656
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:2752
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    PID:2820
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      PID:1368
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        Runs ping.exe
        
        PID:2192
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\askinstall20.exe"
      4⤵
      Executes dropped EXE
      Drops Chrome extension
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:2420
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:1560
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
    - - C:\Windows\SysWOW64\xcopy.exe
        
        xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
        5⤵
        Enumerates system info in registry
        
        PID:2832
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
        5⤵
        Loads dropped DLL
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:2996
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7fef5ae4f50,0x7fef5ae4f60,0x7fef5ae4f70
        6⤵
        
        PID:516
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1336 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:788
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1124 /prefetch:2
        6⤵
        
        PID:1688
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1680 /prefetch:8
        6⤵
        
        PID:1640
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1968 /prefetch:1
        6⤵
        
        PID:2540
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1988 /prefetch:1
        6⤵
        
        PID:2816
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1996 /prefetch:1
        6⤵
        
        PID:1592
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1980 /prefetch:1
        6⤵
        
        PID:1908
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2256 /prefetch:1
        6⤵
        
        PID:380
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2664 /prefetch:1
        6⤵
        
        PID:2428
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3220 /prefetch:8
        6⤵
        
        PID:2852
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
        6⤵
        
        PID:316
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
        6⤵
        
        PID:2544
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3764 /prefetch:2
        6⤵
        
        PID:2780
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5028 /prefetch:8
        6⤵
        
        PID:584
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4120 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1160
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4132 /prefetch:8
        6⤵
        
        PID:2004
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4756 /prefetch:8
        6⤵
        
        PID:1376
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4676 /prefetch:8
        6⤵
        
        PID:2736
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2904 /prefetch:1
        6⤵
        
        PID:2820
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3424 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2844
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4732 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2572
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3544 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2940
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2860 /prefetch:8
        6⤵
        
        PID:2416
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1652 /prefetch:8
        6⤵
        
        PID:2948
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3424 /prefetch:8
        6⤵
        
        PID:856
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1728 /prefetch:8
        6⤵
        
        PID:2428
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3396 /prefetch:8
        6⤵
        
        PID:2568
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3272 /prefetch:8
        6⤵
        
        PID:1048
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4772 /prefetch:8
        6⤵
        
        PID:2072
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2908 /prefetch:8
        6⤵
        
        PID:2100
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1936 /prefetch:8
        6⤵
        
        PID:2796
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2904 /prefetch:8
        6⤵
        
        PID:2140
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1920 /prefetch:8
        6⤵
        
        PID:2288
      - C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\SwReporter\90.261.200\software_reporter_tool.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\SwReporter\90.261.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=3PZikfvF0RHTTlg4JmFepe44ZSDUeaLWi/R9YQsD --registry-suffix=ESET --srt-field-trial-group-name=NewCleanerUIExperiment
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        \??\c:\users\admin\appdata\local\temp\cghjgasaaz99\swreporter\90.261.200\software_reporter_tool.exe
        
        c:\users\admin\appdata\local\temp\cghjgasaaz99\swreporter\90.261.200\software_reporter_tool.exe --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=90.261.200 --initial-client-data=0x160,0x164,0x168,0x134,0x16c,0x13f52a808,0x13f52a818,0x13f52a828
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        \??\c:\users\admin\appdata\local\temp\cghjgasaaz99\swreporter\90.261.200\software_reporter_tool.exe
        
        "c:\users\admin\appdata\local\temp\cghjgasaaz99\swreporter\90.261.200\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_1660_LJOZRRJJEHYUKHDH" --sandboxed-process-id=2 --init-done-notifier=484 --sandbox-mojo-pipe-token=1802049465522638453 --mojo-platform-channel-handle=460 --engine=2
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        \??\c:\users\admin\appdata\local\temp\cghjgasaaz99\swreporter\90.261.200\software_reporter_tool.exe
        
        "c:\users\admin\appdata\local\temp\cghjgasaaz99\swreporter\90.261.200\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_1660_LJOZRRJJEHYUKHDH" --sandboxed-process-id=3 --init-done-notifier=636 --sandbox-mojo-pipe-token=14960540459935753987 --mojo-platform-channel-handle=632
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=784 /prefetch:8
        6⤵
        
        PID:1000
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3692 /prefetch:8
        6⤵
        
        PID:2256
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3528 /prefetch:8
        6⤵
        
        PID:2632
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3516 /prefetch:8
        6⤵
        
        PID:2396
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3528 /prefetch:8
        6⤵
        
        PID:3012
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1108,13766160019552787133,1761715623412244989,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2872 /prefetch:8
        6⤵
        
        PID:1808
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg6_6asg.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\jg6_6asg.exe"
      4⤵
      Executes dropped EXE
      PID:2872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/984-205-0x00000000002E0000-0x0000000000371000-memory.dmp

Filesize
580KB

Download
memory/984-206-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/1504-65-0x00000000770E0000-0x00000000770E1000-memory.dmp

Filesize
4KB

Download
memory/1784-127-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

Filesize
8KB

Download
memory/1948-76-0x00000000073E0000-0x00000000073E1000-memory.dmp

Filesize
4KB

Download
memory/2220-225-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2220-215-0x0000000000C40000-0x0000000000C80000-memory.dmp

Filesize
256KB

Download
memory/2220-231-0x0000000000150000-0x0000000000190000-memory.dmp

Filesize
256KB

Download
memory/2220-233-0x0000000000150000-0x0000000000190000-memory.dmp

Filesize
256KB

Download
memory/2220-230-0x0000000000E10000-0x0000000000E50000-memory.dmp

Filesize
256KB

Download
memory/2220-224-0x0000000000190000-0x00000000001D0000-memory.dmp

Filesize
256KB

Download
memory/2220-226-0x0000000000320000-0x0000000000360000-memory.dmp

Filesize
256KB

Download
memory/2220-229-0x0000000000CC0000-0x0000000000D00000-memory.dmp

Filesize
256KB

Download
memory/2220-228-0x0000000000C80000-0x0000000000CC0000-memory.dmp

Filesize
256KB

Download
memory/2220-209-0x0000000000150000-0x0000000000190000-memory.dmp

Filesize
256KB

Download
memory/2220-227-0x0000000000C40000-0x0000000000C80000-memory.dmp

Filesize
256KB

Download
memory/2220-210-0x0000000000150000-0x0000000000190000-memory.dmp

Filesize
256KB

Download
memory/2220-222-0x0000000000150000-0x0000000000190000-memory.dmp

Filesize
256KB

Download
memory/2220-221-0x0000000000150000-0x0000000000190000-memory.dmp

Filesize
256KB

Download
memory/2220-212-0x0000000000190000-0x00000000001D0000-memory.dmp

Filesize
256KB

Download
memory/2220-232-0x0000000000190000-0x00000000001D0000-memory.dmp

Filesize
256KB

Download
memory/2220-217-0x0000000000CC0000-0x0000000000D00000-memory.dmp

Filesize
256KB

Download
memory/2220-219-0x0000000000150000-0x0000000000190000-memory.dmp

Filesize
256KB

Download
memory/2220-220-0x0000000000150000-0x0000000000190000-memory.dmp

Filesize
256KB

Download
memory/2220-218-0x0000000000E10000-0x0000000000E50000-memory.dmp

Filesize
256KB

Download
memory/2220-211-0x0000000000150000-0x0000000000190000-memory.dmp

Filesize
256KB

Download
memory/2220-216-0x0000000000C80000-0x0000000000CC0000-memory.dmp

Filesize
256KB

Download
memory/2220-214-0x0000000000320000-0x0000000000360000-memory.dmp

Filesize
256KB

Download
memory/2220-213-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2348-202-0x0000000002500000-0x000000000269C000-memory.dmp

Filesize
1.6MB

Download
memory/2872-208-0x0000000000400000-0x000000000056E000-memory.dmp

Filesize
1.4MB

Download
memory/2956-204-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/2956-203-0x0000000001EE0000-0x0000000002067000-memory.dmp

Filesize
1.5MB

Download
memory/2996-207-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download