hxxps://sapo[.]sharefilexecutue[.]xyz/#john[.]doe@mail[.]com

General

Target

https://sapo.sharefilexecutue.xyz/#john.doe@mail.com
Sample

211021-s4qhgabdbn

Score

10^/10

persistence spyware stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Downloads MZ/PE file

Executes dropped EXE 26 IoCs

Processes:

ChromeRecovery.exeGoogleUpdateSetup.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdateSetup.exeGoogleCrashHandler.exeGoogleCrashHandler64.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdate.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe

pid	process
4956	ChromeRecovery.exe
4996	GoogleUpdateSetup.exe
4884	GoogleUpdate.exe
5052	GoogleUpdate.exe
4756	GoogleUpdate.exe
5104	GoogleUpdateComRegisterShell64.exe
3856	GoogleUpdateComRegisterShell64.exe
4128	GoogleUpdateComRegisterShell64.exe
4868	GoogleUpdate.exe
4208	GoogleUpdate.exe
4384	GoogleUpdate.exe
2148	GoogleUpdateSetup.exe
2392	GoogleCrashHandler.exe
4536	GoogleCrashHandler64.exe
3032	GoogleUpdate.exe
2072	GoogleUpdate.exe
4396	GoogleUpdate.exe
4136	GoogleUpdate.exe
4644	GoogleUpdateComRegisterShell64.exe
4688	GoogleUpdateComRegisterShell64.exe
4284	GoogleUpdateComRegisterShell64.exe
4200	GoogleUpdate.exe
5004	software_reporter_tool.exe
4992	software_reporter_tool.exe
5112	software_reporter_tool.exe
4848	software_reporter_tool.exe

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 32 IoCs

Processes:

GoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdate.exesoftware_reporter_tool.exe

pid	process
4884	GoogleUpdate.exe
5052	GoogleUpdate.exe
4756	GoogleUpdate.exe
5104	GoogleUpdateComRegisterShell64.exe
4756	GoogleUpdate.exe
3856	GoogleUpdateComRegisterShell64.exe
4756	GoogleUpdate.exe
4128	GoogleUpdateComRegisterShell64.exe
4756	GoogleUpdate.exe
4868	GoogleUpdate.exe
4208	GoogleUpdate.exe
4384	GoogleUpdate.exe
4384	GoogleUpdate.exe
4208	GoogleUpdate.exe
3032	GoogleUpdate.exe
2072	GoogleUpdate.exe
4396	GoogleUpdate.exe
4136	GoogleUpdate.exe
4644	GoogleUpdateComRegisterShell64.exe
4136	GoogleUpdate.exe
4688	GoogleUpdateComRegisterShell64.exe
4136	GoogleUpdate.exe
4284	GoogleUpdateComRegisterShell64.exe
4136	GoogleUpdate.exe
4200	GoogleUpdate.exe
5112	software_reporter_tool.exe
5112	software_reporter_tool.exe
5112	software_reporter_tool.exe
5112	software_reporter_tool.exe
5112	software_reporter_tool.exe
5112	software_reporter_tool.exe
5112	software_reporter_tool.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exeGoogleUpdateSetup.exeGoogleUpdate.exeGoogleUpdateSetup.exeGoogleUpdate.exeGoogleUpdate.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir716_655098955\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM71B1.tmp\psuser.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM71B1.tmp\goopdateres_te.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_kn.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUMD83B.tmp\GoogleUpdateComRegisterShell64.exe	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_zh-CN.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM71B1.tmp\psuser_64.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM71B1.tmp\goopdateres_ar.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM71B1.tmp\goopdateres_pl.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_fi.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUMD83B.tmp\psmachine_64.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUMD83B.tmp\goopdateres_pl.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUMD83B.tmp\goopdateres_pt-BR.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM71B1.tmp\goopdateres_no.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUMD83B.tmp\goopdateres_kn.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUMD83B.tmp\goopdateres_te.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_hi.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_ko.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_ms.dll	GoogleUpdate.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir716_655098955\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdate.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUMD83B.tmp\goopdateres_bg.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_it.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_pl.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_uk.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\goopdate.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUMD83B.tmp\goopdateres_bn.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM71B1.tmp\GoogleUpdateSetup.exe	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_ko.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUMD83B.tmp\goopdateres_iw.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM71B1.tmp\goopdateres_id.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_pt-BR.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUMD83B.tmp\GoogleUpdateSetup.exe	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateCore.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_bg.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_tr.dll	GoogleUpdate.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir716_655098955\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_da.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_ja.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_ta.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\psmachine.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_da.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleCrashHandler.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_iw.dll	GoogleUpdate.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{7FABB9B0-0653-48D7-97B7-C324D08D5C23}\GoogleUpdateSetup.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUMD83B.tmp\goopdateres_th.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUMD83B.tmp\goopdateres_zh-CN.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_pl.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_pt-PT.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_zh-TW.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUMD83B.tmp\goopdateres_id.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM71B1.tmp\goopdateres_es.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM71B1.tmp\goopdateres_fr.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUMD83B.tmp\goopdateres_ja.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_mr.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM71B1.tmp\goopdateres_ru.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdate.exe	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUM71B1.tmp\goopdateres_hu.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM71B1.tmp\goopdateres_ja.dll	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.111\goopdateres_fa.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Temp\GUMD83B.tmp\GoogleUpdateOnDemand.exe	GoogleUpdateSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.112\goopdateres_am.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir716_655098955\ChromeRecovery.exe	elevation_service.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 4 IoCs

Processes:

GoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	GoogleUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	GoogleUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	GoogleUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	GoogleUpdate.exe

Modifies registry class 64 IoCs

Processes:

GoogleUpdate.exeGoogleUpdateComRegisterShell64.exeGoogleUpdate.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdate.exeGoogleUpdate.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\LOCALSERVER32	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3ADC43E-56D9-4EC1-ADDA-49C5B9069B07}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\ProgID	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\ = "IJobObserver"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\ = "IAppWeb"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{909489C2-85A6-4322-AA56-D25278649D67}	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BCDCB538-01C0-46D1-A6A7-52F4D021C272}\NumMethods\ = "10"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\NumMethods	GoogleUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\Elevation\Enabled = "1"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32\ = "{A3ADC43E-56D9-4EC1-ADDA-49C5B9069B07}"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ = "IApp2"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\ = "IPolicyStatus3"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.OnDemandCOMClassMachineFallback\CurVer\ = "GoogleUpdate.OnDemandCOMClassMachineFallback.1.0"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\ProgID	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\ = "ICurrentState"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{247954F9-9EDC-4E68-8CC3-150C2B89EADF}\NumMethods\ = "24"	GoogleUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ = "IGoogleUpdate3WebSecurity"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\ = "IAppCommand2"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\ProxyStubClsid32\ = "{A3ADC43E-56D9-4EC1-ADDA-49C5B9069B07}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F63F6F8B-ACD5-413C-A44B-0409136D26CB}\ProxyStubClsid32\ = "{A3ADC43E-56D9-4EC1-ADDA-49C5B9069B07}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3A47570-0A85-4AEA-8270-529D47899603}\ = "ICredentialDialog"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D05F64F-71E3-48A5-BF6B-83315BC8AE1F}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\NumMethods\ = "11"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods\ = "13"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods\ = "10"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ProxyStubClsid32\ = "{A3ADC43E-56D9-4EC1-ADDA-49C5B9069B07}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ = "IJobObserver2"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F8BD55B-E83D-4A47-85BE-81FFA8057A69}\LocalServer32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.PolicyStatusMachine.1.0\CLSID\ = "{521FDB42-7130-4806-822A-FC5163FAD983}"	GoogleUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\ProgID	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ = "IGoogleUpdate3Web"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\ProxyStubClsid32	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ = "IGoogleUpdateCore"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.PolicyStatusMachineFallback.1.0\CLSID\ = "{ADDF22CF-3E9B-4CD7-9139-8169EA6636E4}"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8476CE12-AE1F-4198-805C-BA0F9B783F57}\ProxyStubClsid32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32\ = "{A3ADC43E-56D9-4EC1-ADDA-49C5B9069B07}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8324F243-250C-4E97-915C-8220BAE15E18}\InprocHandler32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3ADC43E-56D9-4EC1-ADDA-49C5B9069B07}\InProcServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32\ = "{A3ADC43E-56D9-4EC1-ADDA-49C5B9069B07}"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ = "IBrowserHttpRequest2"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.PolicyStatusSvc.1.0\CLSID\ = "{1C4CDEFF-756A-4804-9E77-3E8EB9361016}"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ = "IRegistrationUpdateHook"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\VERSIONINDEPENDENTPROGID	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}\ = "IRegistrationUpdateHook"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{76F7B787-A67C-4C73-82C7-31F5E3AABC5C}\NumMethods\ = "41"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DB17455-4E85-46E7-9D23-E555E4B005AF}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exesoftware_reporter_tool.exe

pid	process
780	chrome.exe
780	chrome.exe
2696	chrome.exe
2696	chrome.exe
1148	chrome.exe
1148	chrome.exe
3624	chrome.exe
3624	chrome.exe
1552	chrome.exe
1552	chrome.exe
3556	chrome.exe
3556	chrome.exe
1676	chrome.exe
1676	chrome.exe
3620	chrome.exe
3620	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
4780	chrome.exe
4780	chrome.exe
4884	GoogleUpdate.exe
4884	GoogleUpdate.exe
4884	GoogleUpdate.exe
4884	GoogleUpdate.exe
4884	GoogleUpdate.exe
4884	GoogleUpdate.exe
4884	GoogleUpdate.exe
4884	GoogleUpdate.exe
4884	GoogleUpdate.exe
4884	GoogleUpdate.exe
4868	GoogleUpdate.exe
4868	GoogleUpdate.exe
4208	GoogleUpdate.exe
4208	GoogleUpdate.exe
4384	GoogleUpdate.exe
4384	GoogleUpdate.exe
3032	GoogleUpdate.exe
3032	GoogleUpdate.exe
2072	GoogleUpdate.exe
2072	GoogleUpdate.exe
2072	GoogleUpdate.exe
2072	GoogleUpdate.exe
2072	GoogleUpdate.exe
2072	GoogleUpdate.exe
4200	GoogleUpdate.exe
4200	GoogleUpdate.exe
5004	software_reporter_tool.exe
5004	software_reporter_tool.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

chrome.exe

pid	process
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

Processes:

control.execontrol.exerundll32.exefirefox.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleCrashHandler.exeGoogleUpdate.exeGoogleCrashHandler64.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe

description	pid	process
Token: SeShutdownPrivilege	2628	control.exe
Token: SeCreatePagefilePrivilege	2628	control.exe
Token: SeShutdownPrivilege	1660	control.exe
Token: SeCreatePagefilePrivilege	1660	control.exe
Token: SeSystemtimePrivilege	3972	rundll32.exe
Token: SeDebugPrivilege	3232	firefox.exe
Token: SeDebugPrivilege	3232	firefox.exe
Token: SeDebugPrivilege	3232	firefox.exe
Token: SeDebugPrivilege	3232	firefox.exe
Token: SeDebugPrivilege	3232	firefox.exe
Token: SeDebugPrivilege	3232	firefox.exe
Token: SeDebugPrivilege	3232	firefox.exe
Token: SeDebugPrivilege	4884	GoogleUpdate.exe
Token: SeDebugPrivilege	4884	GoogleUpdate.exe
Token: SeDebugPrivilege	4884	GoogleUpdate.exe
Token: SeDebugPrivilege	4884	GoogleUpdate.exe
Token: SeDebugPrivilege	4868	GoogleUpdate.exe
Token: SeDebugPrivilege	4208	GoogleUpdate.exe
Token: 33	2392	GoogleCrashHandler.exe
Token: SeIncBasePriorityPrivilege	2392	GoogleCrashHandler.exe
Token: SeDebugPrivilege	4384	GoogleUpdate.exe
Token: 33	4536	GoogleCrashHandler64.exe
Token: SeIncBasePriorityPrivilege	4536	GoogleCrashHandler64.exe
Token: SeDebugPrivilege	3032	GoogleUpdate.exe
Token: SeDebugPrivilege	2072	GoogleUpdate.exe
Token: SeDebugPrivilege	2072	GoogleUpdate.exe
Token: SeDebugPrivilege	2072	GoogleUpdate.exe
Token: SeDebugPrivilege	4200	GoogleUpdate.exe
Token: SeDebugPrivilege	3232	firefox.exe
Token: 33	4992	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4992	software_reporter_tool.exe
Token: 33	5004	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	5004	software_reporter_tool.exe
Token: 33	5112	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	5112	software_reporter_tool.exe
Token: 33	4848	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4848	software_reporter_tool.exe

Suspicious use of FindShellTrayWindow 40 IoCs

Processes:

chrome.exefirefox.exe

pid	process
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe

Suspicious use of SendNotifyMessage 37 IoCs

Processes:

chrome.exefirefox.exe

pid	process
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe
2696	chrome.exe

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

firefox.exe

pid	process
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe
3232	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2696 wrote to memory of 3548	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3548	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 3452	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 780	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 780	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 1456	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 1456	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 1456	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 1456	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 1456	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 1456	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 1456	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 1456	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 1456	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 1456	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 1456	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 1456	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 1456	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 1456	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 1456	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 1456	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 1456	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 1456	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 1456	2696	chrome.exe	chrome.exe
PID 2696 wrote to memory of 1456	2696	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://sapo.sharefilexecutue.xyz/#john.doe@mail.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ffa3c7f4f50,0x7ffa3c7f4f60,0x7ffa3c7f4f70
2⤵
PID:3548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1476 /prefetch:2
2⤵
PID:3452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1848 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2188 /prefetch:8
2⤵
PID:1456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:1
2⤵
PID:868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:1
2⤵
PID:1196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4144 /prefetch:8
2⤵
PID:1764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
2⤵
PID:3700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
2⤵
PID:2404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3100 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4784 /prefetch:8
2⤵
PID:2128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4780 /prefetch:8
2⤵
PID:2908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4820 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4864 /prefetch:8
2⤵
PID:3804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4428 /prefetch:8
2⤵
PID:3184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4572 /prefetch:8
2⤵
PID:3232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4840 /prefetch:8
2⤵
PID:2032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4884 /prefetch:8
2⤵
PID:3832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4508 /prefetch:8
2⤵
PID:3856

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:1540

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff600e1a890,0x7ff600e1a8a0,0x7ff600e1a8b0
3⤵
PID:1660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2976 /prefetch:1
2⤵
PID:868

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" /name Microsoft.DateAndTime
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl
3⤵
PID:2368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
2⤵
PID:3116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
2⤵
PID:2412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
2⤵
PID:3160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5292 /prefetch:8
2⤵
PID:2172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5512 /prefetch:8
2⤵
PID:3232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4996 /prefetch:8
2⤵
PID:3328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3196 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
2⤵
PID:2352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5152 /prefetch:8
2⤵
PID:1272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3052 /prefetch:8
2⤵
PID:1664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
2⤵
PID:1196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
2⤵
PID:1660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:1
2⤵
PID:4044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1416 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2428 /prefetch:1
2⤵
PID:3212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4100 /prefetch:8
2⤵
PID:2404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5064 /prefetch:8
2⤵
PID:908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4224 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=772 /prefetch:8
2⤵
PID:2468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1
2⤵
PID:2608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1
2⤵
PID:2212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
2⤵
PID:1416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5160 /prefetch:8
2⤵
PID:1276

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" /name Microsoft.DateAndTime
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2012 /prefetch:8
2⤵
PID:4508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4176 /prefetch:8
2⤵
PID:4660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5128 /prefetch:8
2⤵
PID:4972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3196 /prefetch:8
2⤵
PID:4100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=860 /prefetch:8
2⤵
PID:4268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3348 /prefetch:8
2⤵
PID:4364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5148 /prefetch:8
2⤵
PID:3032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4264 /prefetch:8
2⤵
PID:4664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4080 /prefetch:8
2⤵
PID:4812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4924 /prefetch:8
2⤵
PID:4648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4812 /prefetch:8
2⤵
PID:4972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1468,8901221154353530351,18218562266318820133,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5788 /prefetch:8
2⤵
PID:5028

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=FvJpDph/wblMeqMOrRDpzTteU/FN5by38IqQ54nA --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=NewCleanerUIExperiment
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5004

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=93.269.200 --initial-client-data=0x264,0x268,0x26c,0x240,0x270,0x7ff7c5349300,0x7ff7c5349310,0x7ff7c5349320
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4992

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_5004_SQQRKQDFLQWLOYFD" --sandboxed-process-id=2 --init-done-notifier=716 --sandbox-mojo-pipe-token=8981668199152288832 --mojo-platform-channel-handle=692 --engine=2
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5112

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_5004_SQQRKQDFLQWLOYFD" --sandboxed-process-id=3 --init-done-notifier=916 --sandbox-mojo-pipe-token=12836894264832161698 --mojo-platform-channel-handle=912
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1404

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:3824

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3652

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3232

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3232.0.433295525\122567292" -parentBuildID 20200403170909 -prefsHandle 1116 -prefMapHandle 1340 -prefsLen 1 -prefMapSize 219631 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3232 "\\.\pipe\gecko-crash-server-pipe.3232" 1600 gpu
3⤵
PID:680

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3232.3.2055070019\1605041379" -childID 1 -isForBrowser -prefsHandle 2260 -prefMapHandle 2252 -prefsLen 122 -prefMapSize 219631 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3232 "\\.\pipe\gecko-crash-server-pipe.3232" 2292 tab
3⤵
PID:1628

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3232.13.2111144345\872458663" -childID 2 -isForBrowser -prefsHandle 3396 -prefMapHandle 3392 -prefsLen 6979 -prefMapSize 219631 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3232 "\\.\pipe\gecko-crash-server-pipe.3232" 3420 tab
3⤵
PID:500

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3232.20.1738025930\1209694370" -childID 3 -isForBrowser -prefsHandle 3836 -prefMapHandle 3832 -prefsLen 6979 -prefMapSize 219631 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3232 "\\.\pipe\gecko-crash-server-pipe.3232" 3824 tab
3⤵
PID:4108

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3232.27.1734753258\105687063" -childID 4 -isForBrowser -prefsHandle 3248 -prefMapHandle 2100 -prefsLen 10528 -prefMapSize 219631 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3232 "\\.\pipe\gecko-crash-server-pipe.3232" 1328 tab
3⤵
PID:3804

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:716

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir716_655098955\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir716_655098955\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={9b88e14c-0c72-46de-a433-13b4549d10fa} --system
2⤵
- Executes dropped EXE
PID:4956

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir716_655098955\GoogleUpdateSetup.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir716_655098955\GoogleUpdateSetup.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4996

C:\Program Files (x86)\Google\Temp\GUM71B1.tmp\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Temp\GUM71B1.tmp\GoogleUpdate.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:5052

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4756

C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:5104

C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3856

C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4128

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMTEiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDY0RDY2RTYtMTkwRS00NjE5LUIxMjUtRjU0NjdBM0MzNjc4fSIgdXNlcmlkPSJ7RDAyODI5QTAtOEU3Ny00Rjc4LUFBQzEtMEYzNzA1MTBDQzhGfSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0ie0MzMzJCNTA5LTQ1NjYtNDIwNS1CQUFFLUUxMEZDRTAyRUJDOX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iNCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMCIgc3NlNDE9IjAiIHNzZTQyPSIwIiBhdng9IjAiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xNTA2My4wIiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjM2LjExMSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSIxMzI4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /machine /installsource chromerecovery
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Program Files (x86)\Google\Update\Install\{7FABB9B0-0653-48D7-97B7-C324D08D5C23}\GoogleUpdateSetup.exe
"C:\Program Files (x86)\Google\Update\Install\{7FABB9B0-0653-48D7-97B7-C324D08D5C23}\GoogleUpdateSetup.exe" /update /sessionid "{DCFF1C8E-76F2-4335-8667-04D75777BD8E}"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2148

C:\Program Files (x86)\Google\Temp\GUMD83B.tmp\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Temp\GUMD83B.tmp\GoogleUpdate.exe" /update /sessionid "{DCFF1C8E-76F2-4335-8667-04D75777BD8E}"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4396

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4136

C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4644

C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4688

C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.112\GoogleUpdateComRegisterShell64.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4284

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMTIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RENGRjFDOEUtNzZGMi00MzM1LTg2NjctMDRENzU3NzdCRDhFfSIgdXNlcmlkPSJ7RDAyODI5QTAtOEU3Ny00Rjc4LUFBQzEtMEYzNzA1MTBDQzhGfSIgaW5zdGFsbHNvdXJjZT0ic2VsZnVwZGF0ZSIgcmVxdWVzdGlkPSJ7QzgzRDNBRkEtMUQzQS00MjQxLTk2Q0EtMkFCOTk1QTM2QTIzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBwaHlzbWVtb3J5PSI0IiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIwIiBzc2U0MT0iMCIgc3NlNDI9IjAiIGF2eD0iMCIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIvPjxhcHAgYXBwaWQ9Ins0MzBGRDREMC1CNzI5LTRGNjEtQUEzNC05MTUyNjQ4MTc5OUR9IiB2ZXJzaW9uPSIxLjMuMzYuMTExIiBuZXh0dmVyc2lvbj0iMS4zLjM2LjExMiIgbGFuZz0iIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjaHJvbWVyZWMzPTIwMjE0MlIiIGluc3RhbGxhZ2U9IjYiIGluc3RhbGxkYXRlPSI1NDA0IiBjb2hvcnQ9IjE6OWNvOiIgY29ob3J0bmFtZT0iRXZlcnlvbmUgRWxzZSI-PGV2ZW50IGV2ZW50dHlwZT0iMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjwvYXBwPjwvcmVxdWVzdD4
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleCrashHandler.exe
"C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleCrashHandler.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleCrashHandler64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.111\GoogleCrashHandler64.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4536

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMTEiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RENGRjFDOEUtNzZGMi00MzM1LTg2NjctMDRENzU3NzdCRDhFfSIgdXNlcmlkPSJ7RDAyODI5QTAtOEU3Ny00Rjc4LUFBQzEtMEYzNzA1MTBDQzhGfSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0ie0Q0QUM0RDdFLURGQzEtNEQ2Ni1BNzdFLUZFODNCQjk2RUVCNX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iNCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMCIgc3NlNDE9IjAiIHNzZTQyPSIwIiBhdng9IjAiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xNTA2My4wIiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iMS4zLjM2LjExMSIgbmV4dHZlcnNpb249IjEuMy4zNi4xMTIiIGxhbmc9IiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY2hyb21lcmVjMz0yMDIxNDJSIiBpbnN0YWxsYWdlPSI2IiBpaWQ9Ins4RDhCMTQ2MC0zMDc1LTRGMjctRDgzMS04QzAxNTdCQjM2NjB9IiBjb2hvcnQ9IjE6OWNvOiIgY29ob3J0bmFtZT0iRXZlcnlvbmUgRWxzZSI-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9lZGdlZGwubWUuZ3Z0MS5jb20vZWRnZWRsL3JlbGVhc2UyL3VwZGF0ZTIvYWR4bW9tZnRya29pb2RrN2F3eXZhM216NnV0YV8xLjMuMzYuMTEyL0dvb2dsZVVwZGF0ZVNldHVwLmV4ZSIgZG93bmxvYWRlZD0iMTM0MTI3MiIgdG90YWw9IjEzNDEyNzIiIGRvd25sb2FkX3RpbWVfbXM9IjQ4NSIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48L2FwcD48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNDLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iODkuMC40Mzg5LjExNCIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNocm9tZXJlYzM9MjAyMTQyUiIgaW5zdGFsbGFnZT0iNiIgaWlkPSJ7OEQ4QjE0NjAtMzA3NS00RjI3LUQ4MzEtOEMwMTU3QkIzNjYwfSI-PGV2ZW50IGV2ZW50dHlwZT0iMyIgZXZlbnRyZXN1bHQ9IjkiIGVycm9yY29kZT0iLTE2MDYyMTk3NDgiIGV4dHJhY29kZTE9IjAiLz48L2FwcD48L3JlcXVlc3Q-
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir716_655098955\ChromeRecovery.exe
MD5
4f68f78a0266c5d78a15b2c4da3c49e2

SHA1
caf0c6817fd09118209425d0a1661952292ea825

SHA256
e0f4d7e3939abac66e93004b7f1a3fb6b4932157809f32e13fa0cca55ef4e3bb

SHA512
370327442f7ee6f2adbe6c9097a1cb18fc0393a7f8b60568420d020676f42635b52a50dad4835e54efa322b410a40de938ad49e0308c54e44a89a6e20cdb8b58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.111\Recovery.crx3
MD5
7ebbe06233c74d47bdb914d8afa24308

SHA1
de79a98572a9599fbfbae8ce2ebe12d9b434f20d

SHA256
36a56323ca678c7070637c765fbe1c52eaccc8234afe126a9160246e1542e7a9

SHA512
a61bf368b6ce4fc33eaefbbece39e626befb7f06d10f846cfa4e0135a401b58ed8e8d0755195d4932a036d3fc110e2112e1a6a87e1ba84879314cf9580382d2b

Download Submit
\??\pipe\crashpad_2696_OWVNCDRGWKVBXRGQ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/716-127-0x00000202F8F90000-0x00000202F8F92000-memory.dmp

Filesize
8KB

Download
memory/716-126-0x00000202F8F90000-0x00000202F8F92000-memory.dmp

Filesize
8KB

Download
memory/1540-116-0x0000000000000000-mapping.dmp

Download
memory/1540-117-0x000001F0EDEA0000-0x000001F0EDEA2000-memory.dmp

Filesize
8KB

Download
memory/1540-118-0x000001F0EDEA0000-0x000001F0EDEA2000-memory.dmp

Filesize
8KB

Download
memory/1660-121-0x0000029CB3E40000-0x0000029CB3E42000-memory.dmp

Filesize
8KB

Download
memory/1660-124-0x0000000000000000-mapping.dmp

Download
memory/1660-120-0x0000029CB3E40000-0x0000029CB3E42000-memory.dmp

Filesize
8KB

Download
memory/1660-119-0x0000000000000000-mapping.dmp

Download
memory/2072-144-0x0000000000000000-mapping.dmp

Download
memory/2148-140-0x0000000000000000-mapping.dmp

Download
memory/2368-123-0x0000000000000000-mapping.dmp

Download
memory/2392-141-0x0000000000000000-mapping.dmp

Download
memory/2628-122-0x0000000000000000-mapping.dmp

Download
memory/3032-143-0x0000000000000000-mapping.dmp

Download
memory/3856-136-0x0000000000000000-mapping.dmp

Download
memory/3972-125-0x0000000000000000-mapping.dmp

Download
memory/4128-137-0x0000000000000000-mapping.dmp

Download
memory/4136-146-0x0000000000000000-mapping.dmp

Download
memory/4200-150-0x0000000000000000-mapping.dmp

Download
memory/4208-139-0x0000000000000000-mapping.dmp

Download
memory/4284-149-0x0000000000000000-mapping.dmp

Download
memory/4396-145-0x0000000000000000-mapping.dmp

Download
memory/4536-142-0x0000000000000000-mapping.dmp

Download
memory/4644-147-0x0000000000000000-mapping.dmp

Download
memory/4688-148-0x0000000000000000-mapping.dmp

Download
memory/4756-134-0x0000000000000000-mapping.dmp

Download
memory/4848-165-0x000001A509810000-0x000001A509812000-memory.dmp

Filesize
8KB

Download
memory/4848-163-0x000001A509881000-0x000001A509882000-memory.dmp

Filesize
4KB

Download
memory/4848-164-0x0000000000000000-mapping.dmp

Download
memory/4848-166-0x000001A509810000-0x000001A509812000-memory.dmp

Filesize
8KB

Download
memory/4868-138-0x0000000000000000-mapping.dmp

Download
memory/4884-132-0x0000000000000000-mapping.dmp

Download
memory/4956-129-0x0000000000000000-mapping.dmp

Download
memory/4992-154-0x0000000000000000-mapping.dmp

Download
memory/4992-155-0x0000017F6EC70000-0x0000017F6EC72000-memory.dmp

Filesize
8KB

Download
memory/4992-156-0x0000017F6EC70000-0x0000017F6EC72000-memory.dmp

Filesize
8KB

Download
memory/4996-131-0x0000000000000000-mapping.dmp

Download
memory/5004-151-0x0000000000000000-mapping.dmp

Download
memory/5004-153-0x000001493ACD0000-0x000001493ACD2000-memory.dmp

Filesize
8KB

Download
memory/5004-152-0x000001493ACD0000-0x000001493ACD2000-memory.dmp

Filesize
8KB

Download
memory/5052-133-0x0000000000000000-mapping.dmp

Download
memory/5104-135-0x0000000000000000-mapping.dmp

Download
memory/5112-159-0x000002BD000E0000-0x000002BD000E2000-memory.dmp

Filesize
8KB

Download
memory/5112-162-0x00007FFA48CF0000-0x00007FFA48CF1000-memory.dmp

Filesize
4KB

Download
memory/5112-161-0x00007FFA481C0000-0x00007FFA481C1000-memory.dmp

Filesize
4KB

Download
memory/5112-160-0x000002BD000E0000-0x000002BD000E2000-memory.dmp

Filesize
8KB

Download
memory/5112-157-0x000002BD1BA02000-0x000002BD1BA03000-memory.dmp

Filesize
4KB

Download
memory/5112-158-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads