hxxp://curseforge[.]com

General

Target

http://curseforge.com
Sample

210726-e1qm5f2fan

Score

10^/10

bootkit persistence spyware stealer

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 5152 created 3376 5152 svchost.exe aswOfferTool.exe
PID 5152 created 4920 5152 svchost.exe aswOfferTool.exe
Downloads MZ/PE file

description	pid	process	target process
PID 5152 created 3376	5152	svchost.exe	aswOfferTool.exe
PID 5152 created 4920	5152	svchost.exe	aswOfferTool.exe

Executes dropped EXE 17 IoCs

Processes:

software_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exeavast_free_antivirus_setup_online.exeavast_free_antivirus_setup_online_x64.exeinstup.exeinstup.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exesbr.exe

pid	process
5364	software_reporter_tool.exe
5132	software_reporter_tool.exe
4244	software_reporter_tool.exe
2208	software_reporter_tool.exe
4956	avast_free_antivirus_setup_online.exe
5048	avast_free_antivirus_setup_online_x64.exe
4528	instup.exe
5264	instup.exe
4292	aswOfferTool.exe
4268	aswOfferTool.exe
5224	aswOfferTool.exe
3376	aswOfferTool.exe
4380	aswOfferTool.exe
4920	aswOfferTool.exe
1832	aswOfferTool.exe
4988	aswOfferTool.exe
4756	sbr.exe

Loads dropped DLL 17 IoCs

Processes:

software_reporter_tool.exeavast_free_antivirus_setup_online.exeinstup.exeinstup.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exe

pid	process
4244	software_reporter_tool.exe
4244	software_reporter_tool.exe
4244	software_reporter_tool.exe
4244	software_reporter_tool.exe
4244	software_reporter_tool.exe
4244	software_reporter_tool.exe
4244	software_reporter_tool.exe
4956	avast_free_antivirus_setup_online.exe
4528	instup.exe
4528	instup.exe
4528	instup.exe
4528	instup.exe
5264	instup.exe
5224	aswOfferTool.exe
4380	aswOfferTool.exe
1832	aswOfferTool.exe
4988	aswOfferTool.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

instup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\AvRepair = "\"C:\\Program Files\\Avast Software\\Avast\\setup\\instup.exe\" /instop:repair /wait"	instup.exe

Checks for any installed AV software in registry 1 TTPs 32 IoCs

Security Software Discovery

T1063

Processes:

instup.exeinstup.exeavast_free_antivirus_setup_online_x64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Setup.log"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key opened	\Registry\MACHINE\SOFTWARE\Avast Software\Avast	avast_free_antivirus_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile	instup.exe
Key opened	\Registry\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug	instup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 4 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

instup.exeavast_free_antivirus_setup_online.exeavast_free_antivirus_setup_online_x64.exeinstup.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	avast_free_antivirus_setup_online.exe
File opened for modification	\??\PhysicalDrive0	avast_free_antivirus_setup_online_x64.exe
File opened for modification	\??\PhysicalDrive0	instup.exe

Drops file in Program Files directory 3 IoCs

Processes:

instup.exe

description	ioc	process
File opened for modification	C:\Program Files\Avast Software\Avast\setup	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\setup\Stats.ini.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\setup\Stats.ini	instup.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

instup.exeinstup.exeavast_free_antivirus_setup_online_x64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	avast_free_antivirus_setup_online_x64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 64 IoCs

Processes:

instup.exeinstup.exeavast_free_antivirus_setup_online_x64.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "31"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "48"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "7"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "67"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "76"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "92"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: HTMLayout.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Title = "Installing the product"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "24"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "37"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "2"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "40"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "60"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "78"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "87"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "40"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "28"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "39"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "68"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "74"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "87"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "12"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "0"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "13"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Replacing files"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "100"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "14"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "30"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "53"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "77"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "84"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "36"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "16"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "44"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: instup.dll"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "0"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "11"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "55"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "79"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "63"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "71"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "75"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "41"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "100"	avast_free_antivirus_setup_online_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "29"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "12"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "43"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Main = "0"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "12"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "25"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "43"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "34"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "65"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "25"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "100"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "22"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Updating package: instup_x64_ais"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: AvBugReport.exe"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: aswOfferTool.exe"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "17"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "35"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "48"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "99"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Main = "50"	instup.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exesoftware_reporter_tool.exechrome.exechrome.exechrome.exeavast_free_antivirus_setup_online_x64.exeinstup.exe

pid	process
3980	chrome.exe
3980	chrome.exe
2668	chrome.exe
2668	chrome.exe
4176	chrome.exe
4176	chrome.exe
4148	chrome.exe
4148	chrome.exe
4844	chrome.exe
4844	chrome.exe
1044	chrome.exe
1044	chrome.exe
4740	chrome.exe
4740	chrome.exe
192	chrome.exe
192	chrome.exe
192	chrome.exe
192	chrome.exe
424	chrome.exe
424	chrome.exe
5456	chrome.exe
5456	chrome.exe
5364	software_reporter_tool.exe
5364	software_reporter_tool.exe
4732	chrome.exe
4732	chrome.exe
4376	chrome.exe
4376	chrome.exe
356	chrome.exe
356	chrome.exe
5048	avast_free_antivirus_setup_online_x64.exe
5048	avast_free_antivirus_setup_online_x64.exe
5264	instup.exe
5264	instup.exe
5264	instup.exe
5264	instup.exe
5264	instup.exe
5264	instup.exe
5264	instup.exe
5264	instup.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

software_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exeavast_free_antivirus_setup_online_x64.exeinstup.exeinstup.exeaswOfferTool.exesvchost.exeaswOfferTool.exe

description	pid	process
Token: 33	5132	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	5132	software_reporter_tool.exe
Token: 33	5364	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	5364	software_reporter_tool.exe
Token: 33	4244	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4244	software_reporter_tool.exe
Token: 33	2208	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	2208	software_reporter_tool.exe
Token: 32	5048	avast_free_antivirus_setup_online_x64.exe
Token: 32	4528	instup.exe
Token: SeDebugPrivilege	4528	instup.exe
Token: SeDebugPrivilege	5264	instup.exe
Token: 32	5264	instup.exe
Token: SeDebugPrivilege	3376	aswOfferTool.exe
Token: SeImpersonatePrivilege	3376	aswOfferTool.exe
Token: SeTcbPrivilege	5152	svchost.exe
Token: SeTcbPrivilege	5152	svchost.exe
Token: SeBackupPrivilege	5152	svchost.exe
Token: SeRestorePrivilege	5152	svchost.exe
Token: SeBackupPrivilege	5152	svchost.exe
Token: SeRestorePrivilege	5152	svchost.exe
Token: SeDebugPrivilege	4920	aswOfferTool.exe
Token: SeImpersonatePrivilege	4920	aswOfferTool.exe
Token: SeBackupPrivilege	5152	svchost.exe
Token: SeRestorePrivilege	5152	svchost.exe
Token: SeBackupPrivilege	5152	svchost.exe
Token: SeRestorePrivilege	5152	svchost.exe

Suspicious use of FindShellTrayWindow 39 IoCs

Processes:

chrome.exeinstup.exe

pid	process
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
5264	instup.exe
5264	instup.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

chrome.exeinstup.exe

pid	process
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
3980	chrome.exe
5264	instup.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

avast_free_antivirus_setup_online.exeinstup.exeinstup.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exesbr.exe

pid	process
4956	avast_free_antivirus_setup_online.exe
4528	instup.exe
4528	instup.exe
5264	instup.exe
5264	instup.exe
4292	aswOfferTool.exe
4268	aswOfferTool.exe
5224	aswOfferTool.exe
3376	aswOfferTool.exe
4920	aswOfferTool.exe
4988	aswOfferTool.exe
5264	instup.exe
4756	sbr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3980 wrote to memory of 3408	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3408	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 724	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 2668	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 2668	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3588	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3588	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3588	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3588	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3588	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3588	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3588	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3588	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3588	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3588	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3588	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3588	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3588	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3588	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3588	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3588	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3588	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3588	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3588	3980	chrome.exe	chrome.exe
PID 3980 wrote to memory of 3588	3980	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" http://curseforge.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc8,0xcc,0xd0,0xa4,0xd4,0x7fff45354f50,0x7fff45354f60,0x7fff45354f70
2⤵
PID:3408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1636 /prefetch:2
2⤵
PID:724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1724 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2056 /prefetch:8
2⤵
PID:3588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2440 /prefetch:1
2⤵
PID:3712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
2⤵
PID:500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
2⤵
PID:2868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2428 /prefetch:1
2⤵
PID:4012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
2⤵
PID:1864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
2⤵
PID:2060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5184 /prefetch:8
2⤵
PID:4352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
2⤵
PID:4412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
2⤵
PID:4580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
2⤵
PID:4720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
2⤵
PID:4752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
2⤵
PID:4768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:1
2⤵
PID:4912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6872 /prefetch:1
2⤵
PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
2⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1
2⤵
PID:3364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7204 /prefetch:1
2⤵
PID:4256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7328 /prefetch:1
2⤵
PID:4304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7336 /prefetch:1
2⤵
PID:4432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
2⤵
PID:2884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7760 /prefetch:1
2⤵
PID:4008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8036 /prefetch:1
2⤵
PID:4928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8184 /prefetch:1
2⤵
PID:4992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8368 /prefetch:1
2⤵
PID:4532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:1
2⤵
PID:4448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6784 /prefetch:1
2⤵
PID:4500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1
2⤵
PID:4528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
2⤵
PID:4632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
2⤵
PID:5064

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
2⤵
PID:4980

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x21c,0x220,0x244,0x218,0x248,0x7ff656a4a890,0x7ff656a4a8a0,0x7ff656a4a8b0
3⤵
PID:4448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
2⤵
PID:4180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
2⤵
PID:2076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
2⤵
PID:4712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
2⤵
PID:4912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6564 /prefetch:8
2⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7228 /prefetch:8
2⤵
PID:4076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7268 /prefetch:8
2⤵
PID:4456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7060 /prefetch:8
2⤵
PID:1736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8360 /prefetch:8
2⤵
PID:8

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8348 /prefetch:8
2⤵
PID:2884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5328 /prefetch:8
2⤵
PID:4848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5332 /prefetch:8
2⤵
PID:4752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6032 /prefetch:8
2⤵
PID:1864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6716 /prefetch:1
2⤵
PID:2732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
2⤵
PID:4744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
2⤵
PID:4140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6596 /prefetch:1
2⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
2⤵
PID:4008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
2⤵
PID:2240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6248 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7056 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9516 /prefetch:1
2⤵
PID:4352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9536 /prefetch:1
2⤵
PID:4508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9652 /prefetch:1
2⤵
PID:5144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9464 /prefetch:8
2⤵
PID:5364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:1
2⤵
PID:5416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8128 /prefetch:8
2⤵
PID:5536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3616 /prefetch:8
2⤵
PID:5556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3868 /prefetch:8
2⤵
PID:5580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8120 /prefetch:8
2⤵
PID:5624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9772 /prefetch:8
2⤵
PID:5648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4148 /prefetch:8
2⤵
PID:5668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8124 /prefetch:8
2⤵
PID:5708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3844 /prefetch:8
2⤵
PID:5892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6924 /prefetch:8
2⤵
PID:6064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6112 /prefetch:8
2⤵
PID:6076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7916 /prefetch:8
2⤵
PID:6092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5204 /prefetch:8
2⤵
PID:6112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1676 /prefetch:8
2⤵
PID:6136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6404 /prefetch:8
2⤵
PID:5448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9136 /prefetch:8
2⤵
PID:5456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9196 /prefetch:8
2⤵
PID:4164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1428 /prefetch:8
2⤵
PID:5312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7728 /prefetch:8
2⤵
PID:5564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=10068 /prefetch:8
2⤵
PID:4996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9608 /prefetch:8
2⤵
PID:5200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2020 /prefetch:8
2⤵
PID:5796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5496 /prefetch:8
2⤵
PID:5616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7416 /prefetch:8
2⤵
PID:4344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6928 /prefetch:8
2⤵
PID:2172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8036 /prefetch:8
2⤵
PID:4596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6840 /prefetch:8
2⤵
PID:4220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
2⤵
PID:5692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1
2⤵
PID:5844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6424 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
2⤵
PID:5284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9540 /prefetch:1
2⤵
PID:732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9576 /prefetch:1
2⤵
PID:5096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9608 /prefetch:1
2⤵
PID:4924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
2⤵
PID:3964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9552 /prefetch:1
2⤵
PID:4700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8868 /prefetch:1
2⤵
PID:188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
2⤵
PID:2120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
2⤵
PID:4128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8540 /prefetch:1
2⤵
PID:5260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
2⤵
PID:5268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7244 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8588 /prefetch:1
2⤵
PID:5032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5932 /prefetch:8
2⤵
PID:4552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
2⤵
PID:4836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=104 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7380 /prefetch:1
2⤵
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=105 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1
2⤵
PID:3220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=106 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8640 /prefetch:1
2⤵
PID:5288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=107 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
2⤵
PID:6140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=108 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
2⤵
PID:5444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=109 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9648 /prefetch:1
2⤵
PID:5576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=110 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
2⤵
PID:4860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=111 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
2⤵
PID:5716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=112 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=768 /prefetch:1
2⤵
PID:5472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=113 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
2⤵
PID:2804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=114 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
2⤵
PID:4232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3948 /prefetch:8
2⤵
PID:4916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=117 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9964 /prefetch:1
2⤵
PID:5344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=8128 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=118 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7180 /prefetch:1
2⤵
PID:5712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=119 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
2⤵
PID:5672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=120 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
2⤵
PID:192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=121 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
2⤵
PID:5148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=122 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7032 /prefetch:1
2⤵
PID:5528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=123 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8676 /prefetch:1
2⤵
PID:4364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=124 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
2⤵
PID:3404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=125 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
2⤵
PID:1612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=126 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1804 /prefetch:1
2⤵
PID:5212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=127 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
2⤵
PID:5832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=128 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6624 /prefetch:1
2⤵
PID:5648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=129 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1
2⤵
PID:6072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=130 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9720 /prefetch:1
2⤵
PID:5192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6388 /prefetch:8
2⤵
PID:1220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6508 /prefetch:8
2⤵
PID:5368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7712 /prefetch:8
2⤵
PID:4572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9956 /prefetch:8
2⤵
PID:5700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4224 /prefetch:8
2⤵
PID:4164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7824 /prefetch:8
2⤵
PID:5820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6984 /prefetch:8
2⤵
PID:5288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=138 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
2⤵
PID:4148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=139 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7576 /prefetch:1
2⤵
PID:4620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=140 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:1
2⤵
PID:4732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6500 /prefetch:8
2⤵
PID:4352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7412 /prefetch:8
2⤵
PID:4372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=10060 /prefetch:8
2⤵
PID:5216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1668 /prefetch:8
2⤵
PID:6120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6488 /prefetch:8
2⤵
PID:4944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8580 /prefetch:8
2⤵
PID:5172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=147 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1616 /prefetch:1
2⤵
PID:5532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=148 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8600 /prefetch:1
2⤵
PID:5488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=149 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
2⤵
PID:4396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4216 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8548 /prefetch:8
2⤵
PID:5528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5356 /prefetch:8
2⤵
PID:3808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6108 /prefetch:8
2⤵
PID:1832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7384 /prefetch:8
2⤵
PID:5008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1668 /prefetch:8
2⤵
PID:5864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5496 /prefetch:8
2⤵
PID:4544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5496 /prefetch:8
2⤵
PID:6004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4032 /prefetch:8
2⤵
PID:6044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=160 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
2⤵
PID:2628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6604 /prefetch:8
2⤵
PID:4636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6756 /prefetch:8
2⤵
PID:4232

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\91.266.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\91.266.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=q3B9obixdRiDUzMeVJA1wKWsRols/5mgfh6x8NEr --registry-suffix=ESET --srt-field-trial-group-name=Off
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5364

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\91.266.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\91.266.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=91.266.200 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff6392f3270,0x7ff6392f3280,0x7ff6392f3290
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5132

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\91.266.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\91.266.200\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_5364_HZADKOAPESVQHEEG" --sandboxed-process-id=2 --init-done-notifier=716 --sandbox-mojo-pipe-token=14133961360311038339 --mojo-platform-channel-handle=692 --engine=2
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4244

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\91.266.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\91.266.200\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_5364_HZADKOAPESVQHEEG" --sandboxed-process-id=3 --init-done-notifier=916 --sandbox-mojo-pipe-token=15612728993430629296 --mojo-platform-channel-handle=912
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9456 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=164 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
2⤵
PID:5136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6604 /prefetch:8
2⤵
PID:5732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4360 /prefetch:8
2⤵
PID:5384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=167 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:1
2⤵
PID:1596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=168 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9448 /prefetch:1
2⤵
PID:5688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=169 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
2⤵
PID:5368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=170 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
2⤵
PID:5596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=171 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
2⤵
PID:5016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=172 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
2⤵
PID:5104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=173 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9344 /prefetch:1
2⤵
PID:4100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=174 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9348 /prefetch:1
2⤵
PID:4144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=175 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9112 /prefetch:1
2⤵
PID:4756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=176 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
2⤵
PID:6116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=177 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
2⤵
PID:4776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5332 /prefetch:8
2⤵
PID:5268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3204 /prefetch:8
2⤵
PID:5512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4028 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4220 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6588 /prefetch:8
2⤵
PID:4404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1612 /prefetch:8
2⤵
PID:4148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4956 /prefetch:8
2⤵
PID:3296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=185 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6888 /prefetch:1
2⤵
PID:4740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=186 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2184 /prefetch:1
2⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=187 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8260 /prefetch:1
2⤵
PID:1184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=188 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10200 /prefetch:1
2⤵
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=189 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
2⤵
PID:2848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=190 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
2⤵
PID:2732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=191 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8640 /prefetch:1
2⤵
PID:5864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=192 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7552 /prefetch:1
2⤵
PID:4280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=193 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10216 /prefetch:1
2⤵
PID:4736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=194 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:1
2⤵
PID:4636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=195 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8660 /prefetch:1
2⤵
PID:2524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=196 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7308 /prefetch:1
2⤵
PID:5508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=197 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1792 /prefetch:1
2⤵
PID:5636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=198 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
2⤵
PID:4828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=199 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
2⤵
PID:5240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=200 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1664 /prefetch:1
2⤵
PID:2756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=201 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
2⤵
PID:4196

C:\Users\Admin\Downloads\avast_free_antivirus_setup_online.exe
"C:\Users\Admin\Downloads\avast_free_antivirus_setup_online.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:4956

C:\Windows\Temp\asw.282518f8dd58743d\avast_free_antivirus_setup_online_x64.exe
"C:\Windows\Temp\asw.282518f8dd58743d\avast_free_antivirus_setup_online_x64.exe" /cookie:mmm_sft_dlp_006_114_i /ga_clientid:15454d8d-38b6-401c-9ab6-88444a1e0f65 /edat_dir:C:\Windows\Temp\asw.282518f8dd58743d
3⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\Temp\asw.fba64c5e94add15c\instup.exe
"C:\Windows\Temp\asw.fba64c5e94add15c\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.fba64c5e94add15c /edition:1 /prod:ais /guid:27d513c0-4c0c-4d03-95bb-be3fb19e0219 /ga_clientid:15454d8d-38b6-401c-9ab6-88444a1e0f65 /cookie:mmm_sft_dlp_006_114_i /ga_clientid:15454d8d-38b6-401c-9ab6-88444a1e0f65 /edat_dir:C:\Windows\Temp\asw.282518f8dd58743d
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4528

C:\Windows\Temp\asw.fba64c5e94add15c\New_150509a6\instup.exe
"C:\Windows\Temp\asw.fba64c5e94add15c\New_150509a6\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.fba64c5e94add15c /edition:1 /prod:ais /guid:27d513c0-4c0c-4d03-95bb-be3fb19e0219 /ga_clientid:15454d8d-38b6-401c-9ab6-88444a1e0f65 /cookie:mmm_sft_dlp_006_114_i /edat_dir:C:\Windows\Temp\asw.282518f8dd58743d /online_installer
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5264

C:\Windows\Temp\asw.fba64c5e94add15c\New_150509a6\aswOfferTool.exe
"C:\Windows\Temp\asw.fba64c5e94add15c\New_150509a6\aswOfferTool.exe" -checkGToolbar -elevated
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4292

C:\Windows\Temp\asw.fba64c5e94add15c\New_150509a6\aswOfferTool.exe
"C:\Windows\Temp\asw.fba64c5e94add15c\New_150509a6\aswOfferTool.exe" /check_secure_browser
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4268

C:\Windows\Temp\asw.fba64c5e94add15c\New_150509a6\aswOfferTool.exe
"C:\Windows\Temp\asw.fba64c5e94add15c\New_150509a6\aswOfferTool.exe" -checkChrome -elevated
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5224

C:\Windows\Temp\asw.fba64c5e94add15c\New_150509a6\aswOfferTool.exe
"C:\Windows\Temp\asw.fba64c5e94add15c\New_150509a6\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3376

C:\Users\Public\Documents\aswOfferTool.exe
"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4380

C:\Windows\Temp\asw.fba64c5e94add15c\New_150509a6\aswOfferTool.exe
"C:\Windows\Temp\asw.fba64c5e94add15c\New_150509a6\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4920

C:\Users\Public\Documents\aswOfferTool.exe
"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1832

C:\Windows\Temp\asw.fba64c5e94add15c\New_150509a6\aswOfferTool.exe
"C:\Windows\Temp\asw.fba64c5e94add15c\New_150509a6\aswOfferTool.exe" -checkChrome -elevated
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4988

C:\Windows\Temp\asw.fba64c5e94add15c\New_150509a6\sbr.exe
"C:\Windows\Temp\asw.fba64c5e94add15c\New_150509a6\sbr.exe" 5264 "Avast Antivirus setup" "Avast Antivirus is being installed. Do not shut down your computer!"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=202 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7368 /prefetch:1
2⤵
PID:2132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=203 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7232 /prefetch:1
2⤵
PID:5572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=204 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9080 /prefetch:1
2⤵
PID:5144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=205 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2188 /prefetch:1
2⤵
PID:4612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=206 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9968 /prefetch:1
2⤵
PID:5744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=207 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1
2⤵
PID:3236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6932 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=209 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
2⤵
PID:5248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7576 /prefetch:8
2⤵
PID:4708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=211 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
2⤵
PID:5872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1608,7084685837343930852,9047900000583839738,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=212 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9024 /prefetch:1
2⤵
PID:5772

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x200
1⤵
PID:5436

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:5152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Security Software Discovery

1

T1063

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
MD5
dab475dcd0b3d36d4bf37d0e2e0e9c3f

SHA1
832cfd4173f068c818741d80ba2d6f6ca8390590

SHA256
a2fe12157bdfbb0d02faafadb3206cb09b274b95f26bfdcf0ed10924b8053074

SHA512
884d31b6e01eb26460c533e45b992187a463299abf2ffed2997d049b5b8519911e9274fb55b4a364b78905878eb6172eae69edb42c6a27b73fcbdb70fc5d997d

Download Submit
\??\pipe\crashpad_3980_KCCIZHFTDPLJRGJU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/8-386-0x0000000000000000-mapping.dmp

Download
memory/500-145-0x0000000000000000-mapping.dmp

Download
memory/724-121-0x0000000000000000-mapping.dmp

Download
memory/724-123-0x00007FFF4B8E0000-0x00007FFF4B8E1000-memory.dmp

Filesize
4KB

Download
memory/1736-380-0x0000000000000000-mapping.dmp

Download
memory/1772-361-0x0000000000000000-mapping.dmp

Download
memory/1864-155-0x0000000000000000-mapping.dmp

Download
memory/1864-406-0x0000000000000000-mapping.dmp

Download
memory/2060-159-0x0000000000000000-mapping.dmp

Download
memory/2076-343-0x0000000000000000-mapping.dmp

Download
memory/2240-442-0x0000000000000000-mapping.dmp

Download
memory/2668-122-0x0000000000000000-mapping.dmp

Download
memory/2732-411-0x0000000000000000-mapping.dmp

Download
memory/2868-150-0x0000000000000000-mapping.dmp

Download
memory/2884-391-0x0000000000000000-mapping.dmp

Download
memory/2884-260-0x0000000000000000-mapping.dmp

Download
memory/3364-235-0x0000000000000000-mapping.dmp

Download
memory/3408-116-0x0000000000000000-mapping.dmp

Download
memory/3588-127-0x0000000000000000-mapping.dmp

Download
memory/3712-140-0x0000000000000000-mapping.dmp

Download
memory/4008-435-0x0000000000000000-mapping.dmp

Download
memory/4008-264-0x0000000000000000-mapping.dmp

Download
memory/4012-133-0x0000000000000000-mapping.dmp

Download
memory/4076-369-0x0000000000000000-mapping.dmp

Download
memory/4140-416-0x0000000000000000-mapping.dmp

Download
memory/4148-447-0x0000000000000000-mapping.dmp

Download
memory/4176-444-0x0000000000000000-mapping.dmp

Download
memory/4180-340-0x0000000000000000-mapping.dmp

Download
memory/4256-240-0x0000000000000000-mapping.dmp

Download
memory/4304-245-0x0000000000000000-mapping.dmp

Download
memory/4352-456-0x0000000000000000-mapping.dmp

Download
memory/4352-179-0x0000000000000000-mapping.dmp

Download
memory/4412-184-0x0000000000000000-mapping.dmp

Download
memory/4432-254-0x0000000000000000-mapping.dmp

Download
memory/4448-300-0x0000000000000000-mapping.dmp

Download
memory/4448-336-0x0000000000000000-mapping.dmp

Download
memory/4456-376-0x0000000000000000-mapping.dmp

Download
memory/4500-302-0x0000000000000000-mapping.dmp

Download
memory/4508-462-0x0000000000000000-mapping.dmp

Download
memory/4528-306-0x0000000000000000-mapping.dmp

Download
memory/4532-288-0x0000000000000000-mapping.dmp

Download
memory/4580-191-0x0000000000000000-mapping.dmp

Download
memory/4632-313-0x0000000000000000-mapping.dmp

Download
memory/4712-348-0x0000000000000000-mapping.dmp

Download
memory/4720-198-0x0000000000000000-mapping.dmp

Download
memory/4744-421-0x0000000000000000-mapping.dmp

Download
memory/4752-400-0x0000000000000000-mapping.dmp

Download
memory/4752-200-0x0000000000000000-mapping.dmp

Download
memory/4768-204-0x0000000000000000-mapping.dmp

Download
memory/4848-396-0x0000000000000000-mapping.dmp

Download
memory/4912-355-0x0000000000000000-mapping.dmp

Download
memory/4912-214-0x0000000000000000-mapping.dmp

Download
memory/4928-274-0x0000000000000000-mapping.dmp

Download
memory/4940-219-0x0000000000000000-mapping.dmp

Download
memory/4980-333-0x0000000000000000-mapping.dmp

Download
memory/4992-279-0x0000000000000000-mapping.dmp

Download
memory/5064-325-0x0000000000000000-mapping.dmp

Download
memory/5072-228-0x0000000000000000-mapping.dmp

Download
memory/5072-428-0x0000000000000000-mapping.dmp

Download
memory/5144-467-0x0000000000000000-mapping.dmp

Download
memory/5364-475-0x0000000000000000-mapping.dmp

Download
memory/5416-478-0x0000000000000000-mapping.dmp

Download
memory/5536-487-0x0000000000000000-mapping.dmp

Download
memory/5556-490-0x0000000000000000-mapping.dmp

Download
memory/5580-495-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads