privateloader | hxxps://steamcomunntiy[.]com/events/discord

Resubmissions

11-09-2022 19:50

220911-ykk2jafhaj 10

06-09-2022 03:39

220906-d7pb9aedb4 10

06-09-2022 03:28

220906-d1sfbsecc5 10

06-09-2022 03:21

220906-dwt4csebe6 10

Analysis

max time kernel
1155s
max time network
1157s
platform
windows10-2004_x64
resource
win10v2004-20220812-es
resource tags

arch:x64arch:x86image:win10v2004-20220812-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
06-09-2022 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://steamcomunntiy.com/events/discord

Score

10^/10

privateloader raccoon 7cc7e20e8fb40a79ad7a928b913d97ac 7fbece336766d588acded4ed81e9b654 discovery evasion loader spyware stealer themida

Malware Config

Extracted

Family

raccoon

Botnet

7fbece336766d588acded4ed81e9b654

http://89.208.104.89/

rc4.plain

Extracted

Family

raccoon

Botnet

7cc7e20e8fb40a79ad7a928b913d97ac

http://45.142.213.24/

http://45.133.216.198/

rc4.plain

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Install.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Install.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Install.exe

Executes dropped EXE 13 IoCs

Processes:

setup.tmpsetup.tmpsetup.tmpsetup.tmpC_eXGnpKoe9XCZQvD2sYfjWY.exeBId7Z70u.exeBId7Z70u.exeeventvwr.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exeeventvwr.exe

pid	process
2012	setup.tmp
1656	setup.tmp
1332	setup.tmp
4396	setup.tmp
996	C_eXGnpKoe9XCZQvD2sYfjWY.exe
5056	BId7Z70u.exe
3732	BId7Z70u.exe
1692	eventvwr.exe
1180	software_reporter_tool.exe
4324	software_reporter_tool.exe
4348	software_reporter_tool.exe
1708	software_reporter_tool.exe
372	eventvwr.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Install.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup.tmpsetup.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	setup.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	setup.tmp

Loads dropped DLL 14 IoCs

Processes:

setup.tmpsetup.tmpsetup.tmpsetup.tmpSetup.exesoftware_reporter_tool.exe

pid	process
2012	setup.tmp
1656	setup.tmp
1332	setup.tmp
4396	setup.tmp
2572	Setup.exe
2572	Setup.exe
2572	Setup.exe
4348	software_reporter_tool.exe
4348	software_reporter_tool.exe
4348	software_reporter_tool.exe
4348	software_reporter_tool.exe
4348	software_reporter_tool.exe
4348	software_reporter_tool.exe
4348	software_reporter_tool.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/3680-195-0x0000000000880000-0x0000000000ED0000-memory.dmp	themida
behavioral1/memory/3680-196-0x0000000000880000-0x0000000000ED0000-memory.dmp	themida
behavioral1/memory/3680-197-0x0000000000880000-0x0000000000ED0000-memory.dmp	themida
behavioral1/memory/3680-200-0x0000000000880000-0x0000000000ED0000-memory.dmp	themida
behavioral1/memory/3680-198-0x0000000000880000-0x0000000000ED0000-memory.dmp	themida
behavioral1/memory/3680-201-0x0000000000880000-0x0000000000ED0000-memory.dmp	themida
behavioral1/memory/3680-202-0x0000000000880000-0x0000000000ED0000-memory.dmp	themida
behavioral1/memory/3680-203-0x0000000000880000-0x0000000000ED0000-memory.dmp	themida
behavioral1/memory/3680-204-0x0000000000880000-0x0000000000ED0000-memory.dmp	themida
behavioral1/memory/3680-207-0x0000000000880000-0x0000000000ED0000-memory.dmp	themida

Unexpected DNS network traffic destination 6 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	130.61.117.123
Destination IP	130.61.117.123
Destination IP	130.61.117.123
Destination IP	130.61.117.123
Destination IP	130.61.117.123
Destination IP	130.61.117.123

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

306 ipinfo.io
307 ipinfo.io

flow	ioc
306	ipinfo.io
307	ipinfo.io

Drops file in System32 directory 4 IoCs

Processes:

Install.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	Install.exe
File opened for modification	C:\Windows\System32\GroupPolicy	Install.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	Install.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Install.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

Processes:

Install.exeBId7Z70u.exeBId7Z70u.exeeventvwr.exeeventvwr.exe

pid	process
3680	Install.exe
5056	BId7Z70u.exe
5056	BId7Z70u.exe
3732	BId7Z70u.exe
3732	BId7Z70u.exe
1692	eventvwr.exe
1692	eventvwr.exe
1692	eventvwr.exe
1692	eventvwr.exe
1692	eventvwr.exe
1692	eventvwr.exe
1692	eventvwr.exe
1692	eventvwr.exe
1692	eventvwr.exe
1692	eventvwr.exe
1692	eventvwr.exe
1692	eventvwr.exe
1692	eventvwr.exe
1692	eventvwr.exe
1692	eventvwr.exe
1692	eventvwr.exe
1692	eventvwr.exe
1692	eventvwr.exe
1692	eventvwr.exe
1692	eventvwr.exe
1692	eventvwr.exe
1692	eventvwr.exe
1692	eventvwr.exe
1692	eventvwr.exe
1692	eventvwr.exe
1692	eventvwr.exe
1692	eventvwr.exe
372	eventvwr.exe
372	eventvwr.exe
1692	eventvwr.exe
372	eventvwr.exe
1692	eventvwr.exe
372	eventvwr.exe
1692	eventvwr.exe
372	eventvwr.exe
1692	eventvwr.exe
372	eventvwr.exe
1692	eventvwr.exe
372	eventvwr.exe
1692	eventvwr.exe
372	eventvwr.exe
1692	eventvwr.exe
372	eventvwr.exe
1692	eventvwr.exe
372	eventvwr.exe
1692	eventvwr.exe
372	eventvwr.exe
1692	eventvwr.exe
372	eventvwr.exe
1692	eventvwr.exe
372	eventvwr.exe
1692	eventvwr.exe
372	eventvwr.exe
1692	eventvwr.exe
372	eventvwr.exe
1692	eventvwr.exe
372	eventvwr.exe
1692	eventvwr.exe
372	eventvwr.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

setup.tmpsetup.tmpC_eXGnpKoe9XCZQvD2sYfjWY.exe

description	pid	process	target process
PID 1656 set thread context of 4712	1656	setup.tmp	explorer.exe
PID 4396 set thread context of 1972	4396	setup.tmp	explorer.exe
PID 996 set thread context of 1892	996	C_eXGnpKoe9XCZQvD2sYfjWY.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4564	4712	WerFault.exe	explorer.exe
1300	1972	WerFault.exe	explorer.exe
2444	1892	WerFault.exe	vbc.exe
4984	5056	WerFault.exe	BId7Z70u.exe
2120	3732	WerFault.exe	BId7Z70u.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exetaskmgr.exetaskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

5092 schtasks.exe
1772 schtasks.exe
4300 schtasks.exe
2304 schtasks.exe
3576 schtasks.exe
4236 schtasks.exe

pid	process
5092	schtasks.exe
1772	schtasks.exe
4300	schtasks.exe
2304	schtasks.exe
3576	schtasks.exe
4236	schtasks.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exechrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 2 IoCs

Processes:

taskmgr.exeInstall.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Install.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1416 NOTEPAD.EXE

pid	process
1416	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exetaskmgr.exe

pid	process
3760	chrome.exe
3760	chrome.exe
2408	chrome.exe
2408	chrome.exe
4484	chrome.exe
4484	chrome.exe
5076	chrome.exe
5076	chrome.exe
3480	chrome.exe
3480	chrome.exe
5012	chrome.exe
5012	chrome.exe
2700	chrome.exe
2700	chrome.exe
4244	chrome.exe
4244	chrome.exe
2120	chrome.exe
2120	chrome.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

2256 taskmgr.exe

pid	process
2256	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 55 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exe

pid	process
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4800	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
4552	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe
1416	chrome.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

taskmgr.exetaskmgr.exetaskmgr.exetaskmgr.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe

description	pid	process
Token: SeDebugPrivilege	2256	taskmgr.exe
Token: SeSystemProfilePrivilege	2256	taskmgr.exe
Token: SeCreateGlobalPrivilege	2256	taskmgr.exe
Token: 33	2256	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2256	taskmgr.exe
Token: SeDebugPrivilege	2564	taskmgr.exe
Token: SeSystemProfilePrivilege	2564	taskmgr.exe
Token: SeCreateGlobalPrivilege	2564	taskmgr.exe
Token: 33	2564	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2564	taskmgr.exe
Token: SeDebugPrivilege	1160	taskmgr.exe
Token: SeSystemProfilePrivilege	1160	taskmgr.exe
Token: SeCreateGlobalPrivilege	1160	taskmgr.exe
Token: 33	1160	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1160	taskmgr.exe
Token: SeDebugPrivilege	3944	taskmgr.exe
Token: SeSystemProfilePrivilege	3944	taskmgr.exe
Token: SeCreateGlobalPrivilege	3944	taskmgr.exe
Token: 33	3944	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3944	taskmgr.exe
Token: 33	4324	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4324	software_reporter_tool.exe
Token: 33	1180	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	1180	software_reporter_tool.exe
Token: 33	4348	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4348	software_reporter_tool.exe
Token: 33	1708	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	1708	software_reporter_tool.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe
2256	taskmgr.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

Install.exeBId7Z70u.exeBId7Z70u.exeeventvwr.exeeventvwr.exe

pid process

3680 Install.exe
5056 BId7Z70u.exe
3732 BId7Z70u.exe
1692 eventvwr.exe
372 eventvwr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2408 wrote to memory of 988	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 988	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4968	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 3760	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 3760	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4004	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4004	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4004	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4004	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4004	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4004	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4004	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4004	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4004	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4004	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4004	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4004	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4004	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4004	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4004	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4004	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4004	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4004	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4004	2408	chrome.exe	chrome.exe
PID 2408 wrote to memory of 4004	2408	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://steamcomunntiy.com/events/discord
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe4ca34f50,0x7ffe4ca34f60,0x7ffe4ca34f70
2⤵
PID:988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1624 /prefetch:2
2⤵
PID:4968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2000 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2324 /prefetch:8
2⤵
PID:4004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3044 /prefetch:1
2⤵
PID:4408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1
2⤵
PID:2292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4396 /prefetch:8
2⤵
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1
2⤵
PID:2552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4416 /prefetch:1
2⤵
PID:2352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4532 /prefetch:8
2⤵
PID:1688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5108 /prefetch:8
2⤵
PID:2720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5240 /prefetch:8
2⤵
PID:4696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1
2⤵
PID:3984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5652 /prefetch:8
2⤵
PID:860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5484 /prefetch:8
2⤵
PID:1676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5428 /prefetch:8
2⤵
PID:1164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5492 /prefetch:8
2⤵
PID:4148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
2⤵
PID:4108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
2⤵
PID:3300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
2⤵
PID:2848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
2⤵
PID:4836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
2⤵
PID:1572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
2⤵
PID:1172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
2⤵
PID:1124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
2⤵
PID:4132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3732 /prefetch:8
2⤵
PID:4832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5956 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2124 /prefetch:1
2⤵
PID:996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
2⤵
PID:3768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5876 /prefetch:8
2⤵
PID:3236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5908 /prefetch:8
2⤵
PID:2892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
2⤵
PID:2136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6032 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5956 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1584,1064957178403185867,12343456364132085045,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=808 /prefetch:8
2⤵
PID:2552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3936

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4676

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\unknown\password.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1416

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2256

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
PID:1188

C:\Users\Admin\AppData\Local\Temp\is-32FD7.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-32FD7.tmp\setup.tmp" /SL5="$20476,1071024,832512,C:\Users\Admin\Desktop\setup.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:2012

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe" /VERYSILENT
3⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\is-JC5JR.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JC5JR.tmp\setup.tmp" /SL5="$202E2,1071024,832512,C:\Users\Admin\Desktop\setup.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1656

C:\Windows\SysWOW64\explorer.exe
explorer.exe 100
5⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 1272
6⤵
- Program crash
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4712 -ip 4712
1⤵
PID:2020

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe"
1⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\is-VODV0.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VODV0.tmp\setup.tmp" /SL5="$C0116,1071024,832512,C:\Users\Admin\Desktop\setup.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:1332

C:\Users\Admin\Desktop\setup.exe
"C:\Users\Admin\Desktop\setup.exe" /VERYSILENT
3⤵
PID:3248

C:\Users\Admin\AppData\Local\Temp\is-V9AGN.tmp\setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V9AGN.tmp\setup.tmp" /SL5="$30350,1071024,832512,C:\Users\Admin\Desktop\setup.exe" /VERYSILENT
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:4396

C:\Windows\SysWOW64\explorer.exe
explorer.exe 100
5⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 1252
6⤵
- Program crash
PID:1300

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1972 -ip 1972
1⤵
PID:2368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x12c,0x130,0x134,0x108,0x138,0x7ffe4ca34f50,0x7ffe4ca34f60,0x7ffe4ca34f70
2⤵
PID:372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1644,15679881006614046014,2968467195180696327,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1652 /prefetch:2
2⤵
PID:4360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1644,15679881006614046014,2968467195180696327,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1288 /prefetch:8
2⤵
PID:4528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1644,15679881006614046014,2968467195180696327,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2412 /prefetch:8
2⤵
PID:5036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,15679881006614046014,2968467195180696327,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2820 /prefetch:1
2⤵
PID:1656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,15679881006614046014,2968467195180696327,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2780 /prefetch:1
2⤵
PID:2536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,15679881006614046014,2968467195180696327,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
2⤵
PID:4200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,15679881006614046014,2968467195180696327,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4464 /prefetch:8
2⤵
PID:4704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,15679881006614046014,2968467195180696327,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4576 /prefetch:8
2⤵
PID:3760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,15679881006614046014,2968467195180696327,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4704 /prefetch:8
2⤵
PID:4276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,15679881006614046014,2968467195180696327,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
2⤵
PID:1336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,15679881006614046014,2968467195180696327,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
2⤵
PID:3240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,15679881006614046014,2968467195180696327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 /prefetch:8
2⤵
PID:4348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,15679881006614046014,2968467195180696327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:8
2⤵
PID:4964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,15679881006614046014,2968467195180696327,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
2⤵
PID:3144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,15679881006614046014,2968467195180696327,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
2⤵
PID:3688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,15679881006614046014,2968467195180696327,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
2⤵
PID:4216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,15679881006614046014,2968467195180696327,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
2⤵
PID:3828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,15679881006614046014,2968467195180696327,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
2⤵
PID:2996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,15679881006614046014,2968467195180696327,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
2⤵
PID:3936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,15679881006614046014,2968467195180696327,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
2⤵
PID:5044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,15679881006614046014,2968467195180696327,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
2⤵
PID:3960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,15679881006614046014,2968467195180696327,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
2⤵
PID:1040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,15679881006614046014,2968467195180696327,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1
2⤵
PID:4824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,15679881006614046014,2968467195180696327,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
2⤵
PID:1156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,15679881006614046014,2968467195180696327,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
2⤵
PID:4920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,15679881006614046014,2968467195180696327,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
2⤵
PID:4300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1644,15679881006614046014,2968467195180696327,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5396 /prefetch:8
2⤵
PID:1656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,15679881006614046014,2968467195180696327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
2⤵
PID:4512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4044

C:\Users\Admin\Desktop\File\Install.exe
"C:\Users\Admin\Desktop\File\Install.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3680

C:\Users\Admin\Pictures\Minor Policy\C_eXGnpKoe9XCZQvD2sYfjWY.exe
"C:\Users\Admin\Pictures\Minor Policy\C_eXGnpKoe9XCZQvD2sYfjWY.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 220
4⤵
- Program crash
PID:2444

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1892 -ip 1892
1⤵
PID:2756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe4ca34f50,0x7ffe4ca34f60,0x7ffe4ca34f70
2⤵
PID:536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1596,18216741934864823987,4761366405588905887,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1604 /prefetch:2
2⤵
PID:4320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1596,18216741934864823987,4761366405588905887,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2000 /prefetch:8
2⤵
PID:5092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1596,18216741934864823987,4761366405588905887,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2400 /prefetch:8
2⤵
PID:3172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18216741934864823987,4761366405588905887,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2712 /prefetch:1
2⤵
PID:632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18216741934864823987,4761366405588905887,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2740 /prefetch:1
2⤵
PID:3308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18216741934864823987,4761366405588905887,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
2⤵
PID:1756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,18216741934864823987,4761366405588905887,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4480 /prefetch:8
2⤵
PID:1076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,18216741934864823987,4761366405588905887,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4652 /prefetch:8
2⤵
PID:2256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,18216741934864823987,4761366405588905887,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4788 /prefetch:8
2⤵
PID:1180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,18216741934864823987,4761366405588905887,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 /prefetch:8
2⤵
PID:5076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,18216741934864823987,4761366405588905887,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:8
2⤵
PID:5020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18216741934864823987,4761366405588905887,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
2⤵
PID:180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18216741934864823987,4761366405588905887,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
2⤵
PID:3844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18216741934864823987,4761366405588905887,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
2⤵
PID:2996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18216741934864823987,4761366405588905887,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2108 /prefetch:1
2⤵
PID:2720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18216741934864823987,4761366405588905887,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
2⤵
PID:4036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18216741934864823987,4761366405588905887,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
2⤵
PID:1420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18216741934864823987,4761366405588905887,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
2⤵
PID:2168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18216741934864823987,4761366405588905887,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
2⤵
PID:3840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18216741934864823987,4761366405588905887,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
2⤵
PID:3756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,18216741934864823987,4761366405588905887,131072 --disable-databases --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1
2⤵
PID:3700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1596,18216741934864823987,4761366405588905887,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3256 /prefetch:8
2⤵
PID:4956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1596,18216741934864823987,4761366405588905887,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8
2⤵
PID:4796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,18216741934864823987,4761366405588905887,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 /prefetch:8
2⤵
PID:2424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4436

C:\Users\Admin\Desktop\Pass_1234_Setup\Setup.exe
"C:\Users\Admin\Desktop\Pass_1234_Setup\Setup.exe"
1⤵
- Loads dropped DLL
PID:2572

C:\Users\Admin\AppData\Roaming\BId7Z70u.exe
"C:\Users\Admin\AppData\Roaming\BId7Z70u.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5056

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 5 /tn "Event Viewer Snap-in Launcher (29762912)" /tr "C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe"
3⤵
- Creates scheduled task(s)
PID:3576

C:\Windows\SysWOW64\schtasks.exe
/C /Query /XML /TN "Event Viewer Snap-in Launcher (29762912)"
3⤵
PID:3768

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /tn "Event Viewer Snap-in Launcher (29762912)" /XML "C:\Users\Admin\AppData\Roaming\EventViewer\tfnme73946158264.tmp"
3⤵
- Creates scheduled task(s)
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 720
3⤵
- Program crash
PID:4984

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 5056 -ip 5056
1⤵
PID:5096

C:\Users\Admin\AppData\Roaming\BId7Z70u.exe
"C:\Users\Admin\AppData\Roaming\BId7Z70u.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3732

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 5 /tn "Event Viewer Snap-in Launcher (29762912)" /tr "C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe"
2⤵
- Creates scheduled task(s)
PID:5092

C:\Windows\SysWOW64\schtasks.exe
/C /Query /XML /TN "Event Viewer Snap-in Launcher (29762912)"
2⤵
PID:4836

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /tn "Event Viewer Snap-in Launcher (29762912)" /XML "C:\Users\Admin\AppData\Roaming\EventViewer\tfnme73946158264.tmp"
2⤵
- Creates scheduled task(s)
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 528
2⤵
- Program crash
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3732 -ip 3732
1⤵
PID:1756

C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe
"C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe"
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1692

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 5 /tn "Event Viewer Snap-in Launcher (29762912)" /tr "C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe"
2⤵
- Creates scheduled task(s)
PID:4300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:1416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ffe4ca34f50,0x7ffe4ca34f60,0x7ffe4ca34f70
2⤵
PID:2548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1640 /prefetch:2
2⤵
PID:4084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1896 /prefetch:8
2⤵
PID:4544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
2⤵
PID:832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2552 /prefetch:1
2⤵
PID:2764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1892 /prefetch:1
2⤵
PID:3660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
2⤵
PID:316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4588 /prefetch:8
2⤵
PID:1924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4524 /prefetch:8
2⤵
PID:2936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4812 /prefetch:8
2⤵
PID:4916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4668 /prefetch:8
2⤵
PID:456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4940 /prefetch:8
2⤵
PID:4376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
2⤵
PID:4944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
2⤵
PID:820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2404 /prefetch:1
2⤵
PID:4676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3764 /prefetch:8
2⤵
PID:4028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
2⤵
PID:2732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=884 /prefetch:1
2⤵
PID:4840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=892 /prefetch:8
2⤵
PID:4300

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.288.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=3hfqqGLL8Wqmng7E+Xjho/pAnDxZjSLnkiQNybu0 --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=Off
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1180

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=104.288.200 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff753b72d20,0x7ff753b72d30,0x7ff753b72d40
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4324

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_1180_IZVWFHGEZYECJISV" --sandboxed-process-id=2 --init-done-notifier=776 --sandbox-mojo-pipe-token=7459184289173927154 --mojo-platform-channel-handle=752 --engine=2
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4348

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.288.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_1180_IZVWFHGEZYECJISV" --sandboxed-process-id=3 --init-done-notifier=1000 --sandbox-mojo-pipe-token=15983142419799121048 --mojo-platform-channel-handle=996
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3552 /prefetch:8
2⤵
PID:220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5640 /prefetch:8
2⤵
PID:3036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
2⤵
PID:1496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 /prefetch:8
2⤵
PID:4996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5480 /prefetch:2
2⤵
PID:60

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3836 /prefetch:8
2⤵
PID:4848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
2⤵
PID:3876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2768 /prefetch:8
2⤵
PID:2752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4620 /prefetch:8
2⤵
PID:3616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3128 /prefetch:8
2⤵
PID:2352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3748 /prefetch:8
2⤵
PID:3348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1544,12547719464915937730,9677635540514429239,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5484 /prefetch:8
2⤵
PID:688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1536

C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe
C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:372

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 5 /tn "Event Viewer Snap-in Launcher (29762912)" /tr "C:\Users\Admin\AppData\Roaming\EventViewer\eventvwr.exe"
2⤵
- Creates scheduled task(s)
PID:2304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
60cd6e50a74c45f9514c2ec70fe16a0d

SHA1
4d09cb4351688681c28912f89869703fc3a98c0a

SHA256
32fc80412bdafb44620e9694a7a9e1328c6067977021068d93061ee7753522d1

SHA512
cbab6f727cfedfeddd32fb9763479530530b79df262d09f319fecac9f89d9e08a5f38331f85f26930a35bf6e5bac01821b8edea4bd2b3abec5db55ff4468857e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Favicons
Filesize
32KB

MD5
a9cce0e6ee3bcbc76b45ac702770eb42

SHA1
e96a5b2eeea61cc6e289f0d05809ff1f0f793b64

SHA256
3764b510ced8d29677ede8436d0b66e23c5190a73ea73c96682f07c31a7bab5a

SHA512
07babfb3e967f6e7b0a9784e76f3edd6978bef40665c7175265625aa6aa8ec4f942e729d83667f6eba900a5bace87ec6d02b06570606b8139a80cee58efadf03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History
Filesize
116KB

MD5
3e1723be6a9a55a0e799a8701edc506a

SHA1
26fa28c1de557a8c9429fe127c1a47bff701f2ff

SHA256
a856ab0ba930d895ae83d5fbeedd91d4b7f9fe5692281c83b35efe1a64bd7608

SHA512
620c264d91a39253634799323cf94b7ba9afbbfa959673753b66ba337d98f4276ad8cbf17a163ad7f28dbc5adf2934c87d7bd2e488f7cee4aa7e9b62eb402c40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
ec33fe3f2e02dbbc646cd3449ae77517

SHA1
386e6e19a911b36a17db474004f4c3e5a8a8fc54

SHA256
67d5e2210b4d95567ce7df9fde78d80d707bcc3985b7eaec51fc2626e34ab1d1

SHA512
21a54bd81dfeb698fb6510560245610856b387d5d1bdbbacc61860313301e24954ead02846efd6dd79ac1113aa4494cb89852b0f5a381c6c5d54752da6156fcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
17KB

MD5
c2085b2a6a2bf851a8192dc81a0d6f04

SHA1
24cd4913600f9c83cc54018363b7da162c15b6ef

SHA256
c2e7f350b552dea775dc425db9a3556580a04363c3b058b898290cf3345c1f46

SHA512
85bab37d21773d6e78b1d798e662eaa68aa4ca654b1b6185db54efae876e27278eeb226e011fa7cd16eedaa7e49863c1a92ca5972a6aa0297a157c0b45e386e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG
Filesize
348B

MD5
9d49a0fbf72e9b76b7dcc713f6e560bb

SHA1
01b98f392c881a9d18ec49b665988429aa4045de

SHA256
83bf905ff65dbbdc6339943d8f721fa2de9d122bb15236ea9c6a25cabe9c6591

SHA512
fb3d35622bde227d20c6b06cf817951a5061128d76a3539f0ed9fa7736ac1901a9ccb5887cd6069c9536d9cf8c37b45a877cdabd68ac3f2493db35376c19ba65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited Links
Filesize
128KB

MD5
58fc2dd48a8f32e3439a663b786d2d54

SHA1
d2e928722f64f3f2d4722e2721f445fd995b41ba

SHA256
9edde369e48ce407f63fa7ffaea0e580316e602a21d9e69e84ad659f52c9fa57

SHA512
4c71ccf22bb317336785326b9cdbc92cda4b3760b5f8ca9ad7e0e51182d9b037468568db71a6dc36fb76ce03f993262919425535c3a74d42144482037420acb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
Filesize
13B

MD5
b63048c4e7e52c52053d25da30d9c5ab

SHA1
679a44d402f5ec24605719e06459f5a707989187

SHA256
389caa40ea458e84bc624a9af1e0dec60fa652b2db2b81c09b1dfe22822cc3d1

SHA512
e86c58c5a25e24f21ad79ed526a90c120a09c115f4820663bd2ebbc59e7bb1c4c418267eb77645522aa20b2c1b53fba8e31690db7bae9b21e4eff3db06316359

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
182KB

MD5
7df808fc78b4f3cd6d97406bc07f5fd7

SHA1
391b75ff309a4ddf07bea8c70f1ca4c38fa8762c

SHA256
21487e74c7bf28ff3e88a81b953209dc7ad56fee715ab59f56392eb9cac99abb

SHA512
752c5824301ae0807f73786c7e028e93f79b8cbbe0a531e7a0998cdaff20d6108e6bd8f1da242db78544485c368f5325a99fcf00a365ba2615903f70957ec4ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
3330be50b50cf4d18c917802524396b8

SHA1
6da2be4e569bd1e63f956b2821847a98b6836708

SHA256
22c7fec80f53ba041407c5d8ea1e330e6e3c6f74bc03fe068dcc1ec1768074f3

SHA512
d81354a5f09c69c3f1a2edca8aca5ddab8b1a76e4f6b13a0dc18a8cd3625e0413b756f3f980af7c3e17153b9958422cb4394beef3f6e873aad45c21ffe0da8a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-32FD7.tmp\setup.tmp
Filesize
3.0MB

MD5
4a22a3c1e22de3fafd0001d1f76abb3b

SHA1
92031efe9a4687d607fa0a73f8ec32466a4c7fa9

SHA256
171bd85dc981c8017b75be805fd4df308dd05fc73267a76ec4204e58056fcfed

SHA512
f5dbf504e3357004f5b4bbb58621f8a5bec3b405c02f084c5190eeb9c6d14ebb6a8b510dad531010fb6f5aa6af973efc6a23635be28c09461556ed4353f70d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-32FD7.tmp\setup.tmp
Filesize
3.0MB

MD5
4a22a3c1e22de3fafd0001d1f76abb3b

SHA1
92031efe9a4687d607fa0a73f8ec32466a4c7fa9

SHA256
171bd85dc981c8017b75be805fd4df308dd05fc73267a76ec4204e58056fcfed

SHA512
f5dbf504e3357004f5b4bbb58621f8a5bec3b405c02f084c5190eeb9c6d14ebb6a8b510dad531010fb6f5aa6af973efc6a23635be28c09461556ed4353f70d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JC5JR.tmp\setup.tmp
Filesize
3.0MB

MD5
4a22a3c1e22de3fafd0001d1f76abb3b

SHA1
92031efe9a4687d607fa0a73f8ec32466a4c7fa9

SHA256
171bd85dc981c8017b75be805fd4df308dd05fc73267a76ec4204e58056fcfed

SHA512
f5dbf504e3357004f5b4bbb58621f8a5bec3b405c02f084c5190eeb9c6d14ebb6a8b510dad531010fb6f5aa6af973efc6a23635be28c09461556ed4353f70d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JC5JR.tmp\setup.tmp
Filesize
3.0MB

MD5
4a22a3c1e22de3fafd0001d1f76abb3b

SHA1
92031efe9a4687d607fa0a73f8ec32466a4c7fa9

SHA256
171bd85dc981c8017b75be805fd4df308dd05fc73267a76ec4204e58056fcfed

SHA512
f5dbf504e3357004f5b4bbb58621f8a5bec3b405c02f084c5190eeb9c6d14ebb6a8b510dad531010fb6f5aa6af973efc6a23635be28c09461556ed4353f70d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K64BF.tmp\settmp.dll
Filesize
329KB

MD5
3fd5af5b02c466f71b114ce79b5ee112

SHA1
5ffe56bc49d3a6788a4f7969d60082da9360544e

SHA256
fc48e7315574eab2ffa444ac26912f38c837618980fff32455cc4b933f4c38de

SHA512
ffa3b3c56e47a246337ff1152bf278296662e89fdd23cc01df07b9df505ab5f5afd5c84576b7870882cd4cbc6c32cef0199ad7015146619aaad219a6f7af1b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KGVBU.tmp\settmp.dll
Filesize
329KB

MD5
3fd5af5b02c466f71b114ce79b5ee112

SHA1
5ffe56bc49d3a6788a4f7969d60082da9360544e

SHA256
fc48e7315574eab2ffa444ac26912f38c837618980fff32455cc4b933f4c38de

SHA512
ffa3b3c56e47a246337ff1152bf278296662e89fdd23cc01df07b9df505ab5f5afd5c84576b7870882cd4cbc6c32cef0199ad7015146619aaad219a6f7af1b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PMC6L.tmp\settmp.dll
Filesize
329KB

MD5
3fd5af5b02c466f71b114ce79b5ee112

SHA1
5ffe56bc49d3a6788a4f7969d60082da9360544e

SHA256
fc48e7315574eab2ffa444ac26912f38c837618980fff32455cc4b933f4c38de

SHA512
ffa3b3c56e47a246337ff1152bf278296662e89fdd23cc01df07b9df505ab5f5afd5c84576b7870882cd4cbc6c32cef0199ad7015146619aaad219a6f7af1b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-Q45BH.tmp\settmp.dll
Filesize
329KB

MD5
3fd5af5b02c466f71b114ce79b5ee112

SHA1
5ffe56bc49d3a6788a4f7969d60082da9360544e

SHA256
fc48e7315574eab2ffa444ac26912f38c837618980fff32455cc4b933f4c38de

SHA512
ffa3b3c56e47a246337ff1152bf278296662e89fdd23cc01df07b9df505ab5f5afd5c84576b7870882cd4cbc6c32cef0199ad7015146619aaad219a6f7af1b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V9AGN.tmp\setup.tmp
Filesize
3.0MB

MD5
4a22a3c1e22de3fafd0001d1f76abb3b

SHA1
92031efe9a4687d607fa0a73f8ec32466a4c7fa9

SHA256
171bd85dc981c8017b75be805fd4df308dd05fc73267a76ec4204e58056fcfed

SHA512
f5dbf504e3357004f5b4bbb58621f8a5bec3b405c02f084c5190eeb9c6d14ebb6a8b510dad531010fb6f5aa6af973efc6a23635be28c09461556ed4353f70d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VODV0.tmp\setup.tmp
Filesize
3.0MB

MD5
4a22a3c1e22de3fafd0001d1f76abb3b

SHA1
92031efe9a4687d607fa0a73f8ec32466a4c7fa9

SHA256
171bd85dc981c8017b75be805fd4df308dd05fc73267a76ec4204e58056fcfed

SHA512
f5dbf504e3357004f5b4bbb58621f8a5bec3b405c02f084c5190eeb9c6d14ebb6a8b510dad531010fb6f5aa6af973efc6a23635be28c09461556ed4353f70d40

Download Submit
\??\c:\users\admin\appdata\local\temp\is-v9agn.tmp\setup.tmp
Filesize
3.0MB

MD5
4a22a3c1e22de3fafd0001d1f76abb3b

SHA1
92031efe9a4687d607fa0a73f8ec32466a4c7fa9

SHA256
171bd85dc981c8017b75be805fd4df308dd05fc73267a76ec4204e58056fcfed

SHA512
f5dbf504e3357004f5b4bbb58621f8a5bec3b405c02f084c5190eeb9c6d14ebb6a8b510dad531010fb6f5aa6af973efc6a23635be28c09461556ed4353f70d40

Download Submit
\??\pipe\crashpad_2408_ILSZQLRRJPTZUANE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/372-276-0x000000007EBB0000-0x000000007EF81000-memory.dmp

Filesize
3.8MB

Download
memory/372-275-0x0000000000810000-0x000000000117A000-memory.dmp

Filesize
9.4MB

Download
memory/996-205-0x0000000000000000-mapping.dmp

Download
memory/996-209-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/996-206-0x0000000000DF0000-0x0000000000E56000-memory.dmp

Filesize
408KB

Download
memory/1180-241-0x0000000000000000-mapping.dmp

Download
memory/1188-148-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1188-136-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1188-134-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1332-161-0x0000000000000000-mapping.dmp

Download
memory/1656-151-0x0000000000A87000-0x0000000000AC2000-memory.dmp

Filesize
236KB

Download
memory/1656-144-0x0000000000000000-mapping.dmp

Download
memory/1656-156-0x0000000000A87000-0x0000000000AC2000-memory.dmp

Filesize
236KB

Download
memory/1692-238-0x0000000000810000-0x000000000117A000-memory.dmp

Filesize
9.4MB

Download
memory/1692-240-0x0000000000810000-0x000000000117A000-memory.dmp

Filesize
9.4MB

Download
memory/1692-239-0x000000007F510000-0x000000007F8E1000-memory.dmp

Filesize
3.8MB

Download
memory/1708-246-0x0000000000000000-mapping.dmp

Download
memory/1892-212-0x0000000000720000-0x0000000000732000-memory.dmp

Filesize
72KB

Download
memory/1892-216-0x0000000000720000-0x0000000000732000-memory.dmp

Filesize
72KB

Download
memory/1892-220-0x0000000000720000-0x0000000000732000-memory.dmp

Filesize
72KB

Download
memory/1892-210-0x0000000000000000-mapping.dmp

Download
memory/1972-181-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/1972-184-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/1972-180-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/1972-178-0x0000000000000000-mapping.dmp

Download
memory/2012-137-0x0000000000000000-mapping.dmp

Download
memory/2304-273-0x0000000000000000-mapping.dmp

Download
memory/2460-157-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2460-150-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2460-147-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2460-141-0x0000000000000000-mapping.dmp

Download
memory/2460-142-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2572-225-0x0000000000490000-0x0000000001023000-memory.dmp

Filesize
11.6MB

Download
memory/2572-223-0x0000000000490000-0x0000000001023000-memory.dmp

Filesize
11.6MB

Download
memory/2572-221-0x0000000000490000-0x0000000001023000-memory.dmp

Filesize
11.6MB

Download
memory/3248-183-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3248-177-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3248-166-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3248-165-0x0000000000000000-mapping.dmp

Download
memory/3248-170-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3576-226-0x0000000000000000-mapping.dmp

Download
memory/3680-203-0x0000000000880000-0x0000000000ED0000-memory.dmp

Filesize
6.3MB

Download
memory/3680-197-0x0000000000880000-0x0000000000ED0000-memory.dmp

Filesize
6.3MB

Download
memory/3680-202-0x0000000000880000-0x0000000000ED0000-memory.dmp

Filesize
6.3MB

Download
memory/3680-207-0x0000000000880000-0x0000000000ED0000-memory.dmp

Filesize
6.3MB

Download
memory/3680-208-0x0000000077830000-0x00000000779D3000-memory.dmp

Filesize
1.6MB

Download
memory/3680-201-0x0000000000880000-0x0000000000ED0000-memory.dmp

Filesize
6.3MB

Download
memory/3680-198-0x0000000000880000-0x0000000000ED0000-memory.dmp

Filesize
6.3MB

Download
memory/3680-199-0x0000000077830000-0x00000000779D3000-memory.dmp

Filesize
1.6MB

Download
memory/3680-200-0x0000000000880000-0x0000000000ED0000-memory.dmp

Filesize
6.3MB

Download
memory/3680-204-0x0000000000880000-0x0000000000ED0000-memory.dmp

Filesize
6.3MB

Download
memory/3680-196-0x0000000000880000-0x0000000000ED0000-memory.dmp

Filesize
6.3MB

Download
memory/3680-195-0x0000000000880000-0x0000000000ED0000-memory.dmp

Filesize
6.3MB

Download
memory/3732-234-0x0000000000240000-0x0000000000BAA000-memory.dmp

Filesize
9.4MB

Download
memory/3732-236-0x0000000000240000-0x0000000000BAA000-memory.dmp

Filesize
9.4MB

Download
memory/3732-235-0x000000007EB70000-0x000000007EF41000-memory.dmp

Filesize
3.8MB

Download
memory/3768-229-0x0000000000000000-mapping.dmp

Download
memory/4236-230-0x0000000000000000-mapping.dmp

Download
memory/4300-237-0x0000000000000000-mapping.dmp

Download
memory/4324-242-0x0000000000000000-mapping.dmp

Download
memory/4348-248-0x000002EA79670000-0x000002EA796B0000-memory.dmp

Filesize
256KB

Download
memory/4348-256-0x000002EA76DB0000-0x000002EA76DF0000-memory.dmp

Filesize
256KB

Download
memory/4348-279-0x000002EA77FB0000-0x000002EA77FF0000-memory.dmp

Filesize
256KB

Download
memory/4348-278-0x000002EA76DB0000-0x000002EA76DF0000-memory.dmp

Filesize
256KB

Download
memory/4348-277-0x000002EA76DB0000-0x000002EA76DF0000-memory.dmp

Filesize
256KB

Download
memory/4348-274-0x000002EA76DB0000-0x000002EA76DF0000-memory.dmp

Filesize
256KB

Download
memory/4348-272-0x000002EA76DB0000-0x000002EA76DF0000-memory.dmp

Filesize
256KB

Download
memory/4348-271-0x000002EA77FF0000-0x000002EA78030000-memory.dmp

Filesize
256KB

Download
memory/4348-270-0x000002EA77FB0000-0x000002EA77FF0000-memory.dmp

Filesize
256KB

Download
memory/4348-269-0x000002EA76DB0000-0x000002EA76DF0000-memory.dmp

Filesize
256KB

Download
memory/4348-268-0x000002EA76DB0000-0x000002EA76DF0000-memory.dmp

Filesize
256KB

Download
memory/4348-267-0x000002EA77200000-0x000002EA77240000-memory.dmp

Filesize
256KB

Download
memory/4348-244-0x0000000000000000-mapping.dmp

Download
memory/4348-266-0x000002EA76DB0000-0x000002EA76DF0000-memory.dmp

Filesize
256KB

Download
memory/4348-247-0x000002EA76DB0000-0x000002EA76DF0000-memory.dmp

Filesize
256KB

Download
memory/4348-265-0x000002EA76DB0000-0x000002EA76DF0000-memory.dmp

Filesize
256KB

Download
memory/4348-249-0x000002EA76DB0000-0x000002EA76DF0000-memory.dmp

Filesize
256KB

Download
memory/4348-250-0x000002EA76DB0000-0x000002EA76DF0000-memory.dmp

Filesize
256KB

Download
memory/4348-251-0x000002EA79670000-0x000002EA796B0000-memory.dmp

Filesize
256KB

Download
memory/4348-252-0x000002EA796B0000-0x000002EA796F0000-memory.dmp

Filesize
256KB

Download
memory/4348-253-0x000002EA76DB0000-0x000002EA76DF0000-memory.dmp

Filesize
256KB

Download
memory/4348-254-0x000002EA76DB0000-0x000002EA76DF0000-memory.dmp

Filesize
256KB

Download
memory/4348-255-0x000002EA76DB0000-0x000002EA76DF0000-memory.dmp

Filesize
256KB

Download
memory/4348-263-0x000002EA76DB0000-0x000002EA76DF0000-memory.dmp

Filesize
256KB

Download
memory/4348-257-0x000002EA76DB0000-0x000002EA76DF0000-memory.dmp

Filesize
256KB

Download
memory/4348-259-0x000002EA77200000-0x000002EA77240000-memory.dmp

Filesize
256KB

Download
memory/4348-258-0x000002EA76DB0000-0x000002EA76DF0000-memory.dmp

Filesize
256KB

Download
memory/4348-260-0x000002EA76DB0000-0x000002EA76DF0000-memory.dmp

Filesize
256KB

Download
memory/4348-261-0x000002EA76DB0000-0x000002EA76DF0000-memory.dmp

Filesize
256KB

Download
memory/4348-262-0x000002EA76DB0000-0x000002EA76DF0000-memory.dmp

Filesize
256KB

Download
memory/4348-264-0x000002EA76DB0000-0x000002EA76DF0000-memory.dmp

Filesize
256KB

Download
memory/4396-182-0x0000000000A42000-0x0000000000A7D000-memory.dmp

Filesize
236KB

Download
memory/4396-168-0x0000000000000000-mapping.dmp

Download
memory/4712-152-0x0000000000000000-mapping.dmp

Download
memory/4712-158-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/4712-155-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/4712-154-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/4712-153-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/4836-233-0x0000000000000000-mapping.dmp

Download
memory/5056-228-0x0000000000240000-0x0000000000BAA000-memory.dmp

Filesize
9.4MB

Download
memory/5056-224-0x0000000000000000-mapping.dmp

Download
memory/5056-231-0x0000000000240000-0x0000000000BAA000-memory.dmp

Filesize
9.4MB

Download
memory/5056-227-0x000000007EB50000-0x000000007EF21000-memory.dmp

Filesize
3.8MB

Download
memory/5076-163-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5076-171-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5076-159-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/5092-232-0x0000000000000000-mapping.dmp

Download