blacknet | hxxps://github[.]com

max time kernel
560s
max time network
2677s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2022, 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com

Score

10^/10

blacknet darkcomet guest16 persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

gameservice.ddns.net:4320

Mutex

DC_MUTEX-WBUNVXD

Attributes

InstallPath
AudioDriver\taskhost.exe
gencode
EWSsWwgyJrUD
install
true
offline_keylogger
true
persistence
false
reg_key
AudioDriver

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\AudioDriver\\taskhost.exe"	upx_compresser.exe

Executes dropped EXE 12 IoCs

pid	Process
4712	ChromeRecovery.exe
4740	svshost.exe
1512	jusched.exe
1308	WinlockerBuilderv5.exe
388	upx_compresser.exe
4840	upx_compresser.exe
3300	svshost.exe
1620	taskhost.exe
4856	taskhost.exe
1004	WinlockerBuilderv5.exe
1908	upx_compresser.exe
4624	upx_compresser.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1308-174-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/1004-186-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/1308-188-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/1004-190-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/1004-193-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/1308-194-0x0000000000400000-0x0000000000C89000-memory.dmp	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	svshost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	upx_compresser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	jusched.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	svshost.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\Desktop\\WinlockerBuilderv5.exe"	WinlockerBuilderv5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\jusched.exe"	WinlockerBuilderv5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AudioDriver = "C:\\Users\\Admin\\Documents\\AudioDriver\\taskhost.exe"	upx_compresser.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\jusched.exe"	jusched.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\jusched.exe"	pgwebrenderer.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 388 set thread context of 4840	388	upx_compresser.exe	144
PID 1620 set thread context of 4856	1620	taskhost.exe	147
PID 1908 set thread context of 4624	1908	upx_compresser.exe	150

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3032_1531015159\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3032_1531015159\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3032_1531015159\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3032_1531015159\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3032_1531015159\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3032_1531015159\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3032_1531015159\ChromeRecovery.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4100	4116	WerFault.exe	205
3932	1728	WerFault.exe	217

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
5760	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	upx_compresser.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2888	chrome.exe
2888	chrome.exe
2564	chrome.exe
2564	chrome.exe
5056	chrome.exe
5056	chrome.exe
2512	chrome.exe
2512	chrome.exe
1224	chrome.exe
1224	chrome.exe
4828	chrome.exe
4828	chrome.exe
4296	chrome.exe
4296	chrome.exe
5116	chrome.exe
5116	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2604	chrome.exe
2900	chrome.exe
2900	chrome.exe
4888	chrome.exe
4888	chrome.exe
3556	WinlockerBuilderv5.exe
3556	WinlockerBuilderv5.exe
3556	WinlockerBuilderv5.exe
3556	WinlockerBuilderv5.exe
3556	WinlockerBuilderv5.exe
3556	WinlockerBuilderv5.exe
3556	WinlockerBuilderv5.exe
3556	WinlockerBuilderv5.exe
3556	WinlockerBuilderv5.exe
3556	WinlockerBuilderv5.exe
3556	WinlockerBuilderv5.exe
3556	WinlockerBuilderv5.exe
3556	WinlockerBuilderv5.exe
3556	WinlockerBuilderv5.exe
3556	WinlockerBuilderv5.exe
3556	WinlockerBuilderv5.exe
3556	WinlockerBuilderv5.exe
3556	WinlockerBuilderv5.exe
3556	WinlockerBuilderv5.exe
3556	WinlockerBuilderv5.exe
388	upx_compresser.exe
388	upx_compresser.exe
1512	jusched.exe
1512	jusched.exe
1512	jusched.exe
1512	jusched.exe
1512	jusched.exe
1512	jusched.exe
1512	jusched.exe
1512	jusched.exe
1512	jusched.exe
1512	jusched.exe
1512	jusched.exe
1512	jusched.exe
1512	jusched.exe
1512	jusched.exe
1512	jusched.exe
1512	jusched.exe
1512	jusched.exe
1512	jusched.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
388	upx_compresser.exe
1620	taskhost.exe
1908	upx_compresser.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	3556	WinlockerBuilderv5.exe
Token: SeIncreaseQuotaPrivilege	4840	upx_compresser.exe
Token: SeSecurityPrivilege	4840	upx_compresser.exe
Token: SeTakeOwnershipPrivilege	4840	upx_compresser.exe
Token: SeLoadDriverPrivilege	4840	upx_compresser.exe
Token: SeSystemProfilePrivilege	4840	upx_compresser.exe
Token: SeSystemtimePrivilege	4840	upx_compresser.exe
Token: SeProfSingleProcessPrivilege	4840	upx_compresser.exe
Token: SeIncBasePriorityPrivilege	4840	upx_compresser.exe
Token: SeCreatePagefilePrivilege	4840	upx_compresser.exe
Token: SeBackupPrivilege	4840	upx_compresser.exe
Token: SeRestorePrivilege	4840	upx_compresser.exe
Token: SeShutdownPrivilege	4840	upx_compresser.exe
Token: SeDebugPrivilege	4840	upx_compresser.exe
Token: SeSystemEnvironmentPrivilege	4840	upx_compresser.exe
Token: SeChangeNotifyPrivilege	4840	upx_compresser.exe
Token: SeRemoteShutdownPrivilege	4840	upx_compresser.exe
Token: SeUndockPrivilege	4840	upx_compresser.exe
Token: SeManageVolumePrivilege	4840	upx_compresser.exe
Token: SeImpersonatePrivilege	4840	upx_compresser.exe
Token: SeCreateGlobalPrivilege	4840	upx_compresser.exe
Token: 33	4840	upx_compresser.exe
Token: 34	4840	upx_compresser.exe
Token: 35	4840	upx_compresser.exe
Token: 36	4840	upx_compresser.exe
Token: SeDebugPrivilege	1512	jusched.exe
Token: SeIncreaseQuotaPrivilege	4624	upx_compresser.exe
Token: SeSecurityPrivilege	4624	upx_compresser.exe
Token: SeTakeOwnershipPrivilege	4624	upx_compresser.exe
Token: SeLoadDriverPrivilege	4624	upx_compresser.exe
Token: SeSystemProfilePrivilege	4624	upx_compresser.exe
Token: SeSystemtimePrivilege	4624	upx_compresser.exe
Token: SeProfSingleProcessPrivilege	4624	upx_compresser.exe
Token: SeIncBasePriorityPrivilege	4624	upx_compresser.exe
Token: SeCreatePagefilePrivilege	4624	upx_compresser.exe
Token: SeBackupPrivilege	4624	upx_compresser.exe
Token: SeRestorePrivilege	4624	upx_compresser.exe
Token: SeShutdownPrivilege	4624	upx_compresser.exe
Token: SeDebugPrivilege	4624	upx_compresser.exe
Token: SeSystemEnvironmentPrivilege	4624	upx_compresser.exe
Token: SeChangeNotifyPrivilege	4624	upx_compresser.exe
Token: SeRemoteShutdownPrivilege	4624	upx_compresser.exe
Token: SeUndockPrivilege	4624	upx_compresser.exe
Token: SeManageVolumePrivilege	4624	upx_compresser.exe
Token: SeImpersonatePrivilege	4624	upx_compresser.exe
Token: SeCreateGlobalPrivilege	4624	upx_compresser.exe
Token: 33	4624	upx_compresser.exe
Token: 34	4624	upx_compresser.exe
Token: 35	4624	upx_compresser.exe
Token: 36	4624	upx_compresser.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe
2564	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3556	WinlockerBuilderv5.exe
3556	WinlockerBuilderv5.exe
1512	jusched.exe
1512	jusched.exe
1308	WinlockerBuilderv5.exe
1004	WinlockerBuilderv5.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 1964	2564	chrome.exe	78
PID 2564 wrote to memory of 1964	2564	chrome.exe	78
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 4004	2564	chrome.exe	82
PID 2564 wrote to memory of 2888	2564	chrome.exe	83
PID 2564 wrote to memory of 2888	2564	chrome.exe	83
PID 2564 wrote to memory of 4540	2564	chrome.exe	84
PID 2564 wrote to memory of 4540	2564	chrome.exe	84
PID 2564 wrote to memory of 4540	2564	chrome.exe	84
PID 2564 wrote to memory of 4540	2564	chrome.exe	84
PID 2564 wrote to memory of 4540	2564	chrome.exe	84
PID 2564 wrote to memory of 4540	2564	chrome.exe	84
PID 2564 wrote to memory of 4540	2564	chrome.exe	84
PID 2564 wrote to memory of 4540	2564	chrome.exe	84
PID 2564 wrote to memory of 4540	2564	chrome.exe	84
PID 2564 wrote to memory of 4540	2564	chrome.exe	84
PID 2564 wrote to memory of 4540	2564	chrome.exe	84
PID 2564 wrote to memory of 4540	2564	chrome.exe	84
PID 2564 wrote to memory of 4540	2564	chrome.exe	84
PID 2564 wrote to memory of 4540	2564	chrome.exe	84
PID 2564 wrote to memory of 4540	2564	chrome.exe	84
PID 2564 wrote to memory of 4540	2564	chrome.exe	84
PID 2564 wrote to memory of 4540	2564	chrome.exe	84
PID 2564 wrote to memory of 4540	2564	chrome.exe	84
PID 2564 wrote to memory of 4540	2564	chrome.exe	84
PID 2564 wrote to memory of 4540	2564	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://github.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd79014f50,0x7ffd79014f60,0x7ffd79014f70
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1668 /prefetch:2
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1988 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2264 /prefetch:8
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3004 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4292 /prefetch:8
  2⤵
  PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4440 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4424 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5144 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2576 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4388 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5192 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  PID:3244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5592 /prefetch:8
  2⤵
  PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4420 /prefetch:8
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=908 /prefetch:8
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2324 /prefetch:8
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4608 /prefetch:8
  2⤵
  PID:1360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1604,14660418424399108183,2158737426390409522,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1560 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4244

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x2f4
1⤵
PID:4244

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:3032
- C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3032_1531015159\ChromeRecovery.exe
  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3032_1531015159\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={30ac608f-b063-4ee9-a7b3-a35d8831e020} --system
  2⤵
  - Executes dropped EXE
  PID:4712

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1640

C:\Users\Admin\Desktop\WinlockerBuilderv5.exe
"C:\Users\Admin\Desktop\WinlockerBuilderv5.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3556
- C:\Users\Admin\AppData\Local\Temp\svshost.exe
  "C:\Users\Admin\AppData\Local\Temp\svshost.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:4740
- - C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
    "C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1308
- - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
    "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:388
  - - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
      "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Checks computer location settings
      Adds Run key to start application
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:4840
    - - C:\Users\Admin\Documents\AudioDriver\taskhost.exe
        
        "C:\Users\Admin\Documents\AudioDriver\taskhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        
        PID:1620
      - C:\Users\Admin\Documents\AudioDriver\taskhost.exe
        
        "C:\Users\Admin\Documents\AudioDriver\taskhost.exe"
        6⤵
        Executes dropped EXE
        
        PID:4856
- C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1512
- - C:\Users\Admin\AppData\Local\Temp\svshost.exe
    "C:\Users\Admin\AppData\Local\Temp\svshost.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    PID:3300
  - - C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
      "C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1004
  - - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
      "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      PID:1908
    - - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
        
        "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4624

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:3060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xf8,0x128,0x7ffd79014f50,0x7ffd79014f60,0x7ffd79014f70
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1676 /prefetch:2
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2028 /prefetch:8
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2936 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2916 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4552 /prefetch:8
  2⤵
  PID:984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4520 /prefetch:8
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  PID:3232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3484 /prefetch:8
  2⤵
  PID:2140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3920 /prefetch:8
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3424 /prefetch:8
  2⤵
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3852 /prefetch:8
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3540 /prefetch:8
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3540 /prefetch:8
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5936 /prefetch:8
  2⤵
  PID:3556
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.289.200\software_reporter_tool.exe
  "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\104.289.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=HzZLV1WIyqtHIfugNXQ1HQWXYRXyzqBSAmPRiaN3 --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=Off
  2⤵
  PID:3424
- - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.289.200\software_reporter_tool.exe
    "c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.289.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=104.289.200 --initial-client-data=0x2a0,0x2a4,0x2a8,0x27c,0x2ac,0x7ff7ef3b2d20,0x7ff7ef3b2d30,0x7ff7ef3b2d40
    3⤵
    PID:4896
- - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.289.200\software_reporter_tool.exe
    "c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.289.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_3424_KVKOQIQTPOJGNWYT" --sandboxed-process-id=2 --init-done-notifier=804 --sandbox-mojo-pipe-token=16874830622180331594 --mojo-platform-channel-handle=780 --engine=2
    3⤵
    PID:4948
- - \??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.289.200\software_reporter_tool.exe
    "c:\users\admin\appdata\local\google\chrome\user data\swreporter\104.289.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_3424_KVKOQIQTPOJGNWYT" --sandboxed-process-id=3 --init-done-notifier=1028 --sandbox-mojo-pipe-token=2641629539227878389 --mojo-platform-channel-handle=1020
    3⤵
    PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3796 /prefetch:8
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4028 /prefetch:2
  2⤵
  PID:4272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2996 /prefetch:8
  2⤵
  PID:1468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2996 /prefetch:8
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5868 /prefetch:8
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2136 /prefetch:8
  2⤵
  PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3264 /prefetch:8
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3768 /prefetch:8
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1604,507319576754547662,2209318455361477266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  PID:2612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1912

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2368

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:3860

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 4116 -ip 4116
1⤵
PID:3472

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4116 -s 2908
1⤵
- Program crash
PID:4100

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 1728 -ip 1728
1⤵
PID:3760

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1728 -s 2928
1⤵
- Program crash
PID:3932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd79014f50,0x7ffd79014f60,0x7ffd79014f70
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1992 /prefetch:8
  2⤵
  PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1608 /prefetch:2
  2⤵
  PID:808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2796 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2784 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 /prefetch:8
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1
  2⤵
  PID:3288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4104 /prefetch:8
  2⤵
  PID:1800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4656 /prefetch:8
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4732 /prefetch:8
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3504 /prefetch:8
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3084 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3904 /prefetch:8
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:1956
- C:\Users\Admin\Downloads\PartyPokerSetup.exe
  "C:\Users\Admin\Downloads\PartyPokerSetup.exe"
  2⤵
  PID:4132
- - C:\Users\Admin\AppData\Local\Temp\PartyPokerSetup.exe_Installer\SmartInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\PartyPokerSetup.exe_Installer\SmartInstaller.exe"
    3⤵
    PID:3852
  - - C:\Users\Admin\AppData\Local\Temp\SIInvoker.exe
      "C:\Users\Admin\AppData\Local\Temp\SIInvoker.exe" NavigateURL=http://www1.partypoker.com/pam_images/installer/ni_si.htm?pid=PartyPoker&lid=en_US&sid=4&uid=&AbortStatus=0&OS=Microsoft Professional(build 9200), 64-bit&tduid=&wmid=4442638&AdminUser=1
      4⤵
      PID:5192
  - - C:\Users\Admin\AppData\Local\Temp\SIInvoker.exe
      "C:\Users\Admin\AppData\Local\Temp\SIInvoker.exe" NavigateURL=http://www1.partypoker.com/pam_images/installer/ni_si.htm?pid=PartyPoker&lid=en_US&sid=7&uid=&AbortStatus=0&OS=Microsoft Professional(build 9200), 64-bit&tduid=&wmid=4442638&AdminUser=1
      4⤵
      PID:5620
  - - C:\Programs\PartyGaming\PartyGaming.exe
      "C:\Programs\PartyGaming\PartyGaming.exe" -P=PartyPoker
      4⤵
      PID:5644
    - - C:\Programs\PartyGaming\EBEngine\GGC5\pgwebrenderer.exe
        
        "C:\Programs\PartyGaming\EBEngine\GGC5\pgwebrenderer.exe" --type=gpu-process --field-trial-handle=2552,15892340526356972758,18321773770913752192,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --no-sandbox --log-severity=error --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file=cef_debug.log --mojo-platform-channel-handle=2656 /prefetch:2
        5⤵
        
        PID:3388
    - - C:\Programs\PartyGaming\EBEngine\GGC5\pgwebrenderer.exe
        
        "C:\Programs\PartyGaming\EBEngine\GGC5\pgwebrenderer.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2552,15892340526356972758,18321773770913752192,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --lang=en-US --service-sandbox-type=utility --no-sandbox --log-severity=error --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file=cef_debug.log --mojo-platform-channel-handle=2864 /prefetch:8
        5⤵
        
        PID:3136
    - - C:\Programs\PartyGaming\EBEngine\GGC5\pgwebrenderer.exe
        
        "C:\Programs\PartyGaming\EBEngine\GGC5\pgwebrenderer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2552,15892340526356972758,18321773770913752192,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=error --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --log-file=cef_debug.log --mojo-platform-channel-handle=2888 /prefetch:8
        5⤵
        
        PID:3556
    - - C:\Programs\PartyGaming\EBEngine\GGC5\pgwebrenderer.exe
        
        "C:\Programs\PartyGaming\EBEngine\GGC5\pgwebrenderer.exe" --type=renderer --log-severity=error --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --autoplay-policy=no-user-gesture-required --log-file=cef_debug.log --js-flags=--gc_global --field-trial-handle=2552,15892340526356972758,18321773770913752192,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=3108 /prefetch:1
        5⤵
        
        PID:3820
    - - C:\Programs\PartyGaming\EBEngine\GGC5\pgwebrenderer.exe
        
        "C:\Programs\PartyGaming\EBEngine\GGC5\pgwebrenderer.exe" --type=renderer --log-severity=error --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --autoplay-policy=no-user-gesture-required --log-file=cef_debug.log --js-flags=--gc_global --field-trial-handle=2552,15892340526356972758,18321773770913752192,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=3116 /prefetch:1
        5⤵
        
        PID:2148
    - - C:\Programs\PartyGaming\EBEngine\GGC5\pgwebrenderer.exe
        
        "C:\Programs\PartyGaming\EBEngine\GGC5\pgwebrenderer.exe" --type=renderer --log-severity=error --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --autoplay-policy=no-user-gesture-required --log-file=cef_debug.log --js-flags=--gc_global --field-trial-handle=2552,15892340526356972758,18321773770913752192,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=3728 /prefetch:1
        5⤵
        
        PID:3056
    - - C:\Programs\PartyGaming\EBEngine\GGC5\pgwebrenderer.exe
        
        "C:\Programs\PartyGaming\EBEngine\GGC5\pgwebrenderer.exe" --type=renderer --log-severity=error --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --autoplay-policy=no-user-gesture-required --log-file=cef_debug.log --js-flags=--gc_global --field-trial-handle=2552,15892340526356972758,18321773770913752192,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --mojo-platform-channel-handle=3864 /prefetch:1
        5⤵
        
        PID:4964
    - - C:\Programs\PartyGaming\EBEngine\GGC5\pgwebrenderer.exe
        
        "C:\Programs\PartyGaming\EBEngine\GGC5\pgwebrenderer.exe" --type=renderer --log-severity=error --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --autoplay-policy=no-user-gesture-required --log-file=cef_debug.log --js-flags=--gc_global --field-trial-handle=2552,15892340526356972758,18321773770913752192,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --mojo-platform-channel-handle=3220 /prefetch:1
        5⤵
        
        PID:5024
    - - C:\Programs\PartyGaming\EBEngine\GGC5\pgwebrenderer.exe
        
        "C:\Programs\PartyGaming\EBEngine\GGC5\pgwebrenderer.exe" --type=renderer --log-severity=error --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --autoplay-policy=no-user-gesture-required --log-file=cef_debug.log --js-flags=--gc_global --field-trial-handle=2552,15892340526356972758,18321773770913752192,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --mojo-platform-channel-handle=4760 /prefetch:1
        5⤵
        
        PID:5396
    - - C:\Programs\PartyGaming\EBEngine\GGC5\pgwebrenderer.exe
        
        "C:\Programs\PartyGaming\EBEngine\GGC5\pgwebrenderer.exe" --type=renderer --log-severity=error --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --autoplay-policy=no-user-gesture-required --log-file=cef_debug.log --js-flags=--gc_global --field-trial-handle=2552,15892340526356972758,18321773770913752192,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=4820 /prefetch:1
        5⤵
        
        PID:4872
    - - C:\Programs\PartyGaming\EBEngine\GGC5\pgwebrenderer.exe
        
        "C:\Programs\PartyGaming\EBEngine\GGC5\pgwebrenderer.exe" --type=renderer --log-severity=error --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --autoplay-policy=no-user-gesture-required --log-file=cef_debug.log --js-flags=--gc_global --field-trial-handle=2552,15892340526356972758,18321773770913752192,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=4648 /prefetch:1
        5⤵
        Adds Run key to start application
        
        PID:1512
    - - C:\Programs\PartyGaming\EBEngine\GGC5\pgwebrenderer.exe
        
        "C:\Programs\PartyGaming\EBEngine\GGC5\pgwebrenderer.exe" --type=renderer --log-severity=error --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --autoplay-policy=no-user-gesture-required --log-file=cef_debug.log --js-flags=--gc_global --field-trial-handle=2552,15892340526356972758,18321773770913752192,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --mojo-platform-channel-handle=4900 /prefetch:1
        5⤵
        
        PID:5304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SelfDestruct.bat" "C:\Users\Admin\AppData\Local\Temp\PartyPokerSetup.exe_Installer\""
      4⤵
      PID:5520
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c Tasklist /NH /FI "IMAGENAME EQ SmartInstaller.exe"
        5⤵
        
        PID:5740
      - C:\Windows\SysWOW64\tasklist.exe
        
        Tasklist /NH /FI "IMAGENAME EQ SmartInstaller.exe"
        6⤵
        Enumerates processes with tasklist
        
        PID:5760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:3288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7100 /prefetch:2
  2⤵
  PID:5208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=patch.mojom.FilePatcher --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=patch.mojom.FilePatcher --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4932 /prefetch:8
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=patch.mojom.FilePatcher --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3488 /prefetch:8
  2⤵
  PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:5556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3316 /prefetch:8
  2⤵
  PID:5816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3100 /prefetch:8
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:5136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1580 /prefetch:1
  2⤵
  PID:6040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6284 /prefetch:8
  2⤵
  PID:5800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1600,17251446340923018770,14425643882676426028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6180 /prefetch:8
  2⤵
  PID:3932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4724

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:5212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir3032_1531015159\ChromeRecovery.exe

Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3

Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\svshost.exe

Filesize
4.0MB

MD5
2df0daacf8be5126ddbaa7ba9a83be58

SHA1
0889fcd78f5bf71ca04280fe97b7507b6b114ba3

SHA256
0936e508e142466b6d83e49b27513be2207822f91ac2d038023a86d6ccd29b2a

SHA512
0348f7511803198d5d81b10bac08b9e9e79bfd1d193c9a72b1bf3883bd49d18ec21a998e4a056206fac539c73843b31c10437838eb38746bd062e682f2df120e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svshost.exe

Filesize
4.0MB

MD5
2df0daacf8be5126ddbaa7ba9a83be58

SHA1
0889fcd78f5bf71ca04280fe97b7507b6b114ba3

SHA256
0936e508e142466b6d83e49b27513be2207822f91ac2d038023a86d6ccd29b2a

SHA512
0348f7511803198d5d81b10bac08b9e9e79bfd1d193c9a72b1bf3883bd49d18ec21a998e4a056206fac539c73843b31c10437838eb38746bd062e682f2df120e

Download Submit
C:\Users\Admin\Desktop\ApproveComplete.pot

Filesize
1.1MB

MD5
25d593edf9f70aea3703f29976a00466

SHA1
4005c68e65cd27897296d7763d13ac896e1e193f

SHA256
ca265550fbc22585a0f6b399974c9b6f7f10bd2be44ab797539cbd2b7e5a0776

SHA512
9da2aab8d5d899a2e37b236768788c2ce92e5f24264b62dfeca6ca7c6455884fc1b5409f3fe6a1e491ea8600771f2d7f5db0d3c2bcd0147e1bb9ee5c2858361b

Download Submit
C:\Users\Admin\Desktop\BackupConvertTo.3gp

Filesize
482KB

MD5
18e25b187771d83307c13e9d0e9d8249

SHA1
121f5e99a000db6aadce70f8db7d7f115ad8720b

SHA256
e73625227d802ec3aa04cb5f7f2756b373fb2c55e862d586e83baf24088be975

SHA512
acef8306882453c286694b6d0ca080dc5e54004f2ac6ee45fdc9dc3291905bcea4e62427925f38a5fcadaac09a459e63621bf135290a7a86e658529f1f6d7229

Download Submit
C:\Users\Admin\Desktop\BackupPop.vsdx

Filesize
562KB

MD5
226e59853eb1271588a86b204b9c1347

SHA1
9b9c0810b7d96053124104dbb3d569afeb49a3ac

SHA256
17a00440f5e6b8a21227ac3a75e5148cf69fb680fcb193327572f98010c3ed1b

SHA512
b228053ee08e20ad233dcc05afb99c6aad81b45b064efa8bf1c0cb6b153408cc559cc1c3656884dda5d5044c3848463a01b5832e0e1b0bb1afe5e5d807ad9cd3

Download Submit
C:\Users\Admin\Desktop\ConvertFromEnable.mpg

Filesize
803KB

MD5
c29cc7ecc899625d7e28dad5e45e7b05

SHA1
014cea25aec18988b8f912f6dc6c2f6fd2a06e64

SHA256
530563b092d86ddbb585065454396e296892c2ee9b51e97a4ccee41bb7d870f0

SHA512
45a8105159a9d1b986281855d5cd6888d384af823a007115e43445a462d7278c32465b4cbf2bd30799cf2a95c2ede1401ea6cfbd550e54a93852496d5eee982f

Download Submit
C:\Users\Admin\Desktop\ConvertGrant.pptx

Filesize
763KB

MD5
bf18e5cc302f62d6976986f844978e3b

SHA1
0d5c76c6b97b4242250f51fde4ee969c00d95514

SHA256
4294a4f640eecdc49bb1a3b2977013dafffa076ce5c72fe628140a52856879ae

SHA512
4e7313fcd33ef19301e2a2b52940ee35510596743f02710297f8c8524c8cc8aa61f0f547ecb2f7f357beed11139ce0ce2ad2196ac46f4b6891ca88fb8a886898

Download Submit
C:\Users\Admin\Desktop\DenyRegister.dwg

Filesize
683KB

MD5
c1e707841e0c7d403800bb5b08aa65e5

SHA1
9b5aa2c3f849f69a9d1b067e86a7f4706f088b8c

SHA256
51c04dbb44bf7190605e45d869950e77883c6d14d256b404ab547b7fc253dcac

SHA512
43858b1c3be0f509fcec6333eb15af988a79160a54d58b6a7a56f23fe38affebd5ab58e64af0eba1641498ece2afb9e18c10b47f4ca7897a28cc5664eb2dead1

Download Submit
C:\Users\Admin\Desktop\DenySubmit.mpeg

Filesize
602KB

MD5
3e0cb04137cbe9fc768c1668239f1781

SHA1
ac23ddfebac0d0c5cc3387f56d77d88319ff35bf

SHA256
2834f988a49a1b6aed1b8beac2a56ebbe9506c7f46e206aeebca8a5f5ba23b48

SHA512
f4468fd2756c04ca6c0d16c0e93e1c5262c035f498b8cd297e4df3324b6a281d8bcc274d865890b334e14587f439500924cd25db507bbb3562937bf340fc7c0a

Download Submit
C:\Users\Admin\Desktop\EnterSwitch.vbs

Filesize
1.7MB

MD5
ed769b50cc66a2fd402946597074525a

SHA1
388ca1bcd4a952e9d2a51927bd4174c315425092

SHA256
ec793e42835f80f7f3c67f8dd796bcd8328437493badb5e90e087e3cca123527

SHA512
54371cd555ffc035cd6937d43435d2a575b41db7320801f6573b3017f77ba436a7b09512cf0f8e73d912c60b0313c6abe9c43db41a4305668663cd334cf373dd

Download Submit
C:\Users\Admin\Desktop\FindStop.DVR

Filesize
522KB

MD5
4b71178572f9909e802ae2227f1eccb2

SHA1
97f33954d0d5af366856398e49607661c8fb34d0

SHA256
1d1c219653e575f31a5d37a9a2790283b829ee96675432aa0f46dfd4e1dbd4e4

SHA512
8e344211330434fd187f868de8ff4686e55fdf7ff70dddcb4b323ab82eaae86e62da2d709dc74ac0815997ac70eca2fecc0910d13e31469e5a3c649adea6f156

Download Submit
C:\Users\Admin\Desktop\FindSubmit.ttf

Filesize
1004KB

MD5
3efe6aa7182988a1a3ef6324cf63e3ff

SHA1
25ed262230b7646301533e3d6792c171ee6b8f6a

SHA256
7734bd8c8fdc783ea10ca5fd52ddc2c45158b0d2b0b6fd31911f46fe19e95258

SHA512
536f600fffb0fe39bacb0cec38c2b19312c84cbbb91f44c510fb98974333fb897be5b53b29e8ada0128cf5194039ab0fc5f8cb39e7c9bfa536c6617b0a5aed78

Download Submit
C:\Users\Admin\Desktop\ImportInitialize.mht

Filesize
442KB

MD5
5f27bf1e159c1e2b77f86cfc694d90d7

SHA1
641b6fe7cb0de2ba659f413328c0aaed8c04a3dc

SHA256
e9f38a7695e7e63e2d82920e30fc29148672ef3105c8c762d5f365a2d1de20dc

SHA512
14b55b17f4b666a412204fa4ec33067e9e692e6d6034a4ff95b0f3ec9013eedc95a0e5e149a7631efdb9258ad5fd87b9743fcb1ada775ad023e24ff120e98f7c

Download Submit
C:\Users\Admin\Desktop\InvokeDismount.raw

Filesize
924KB

MD5
4a25e322b4980011efbeb45afa8d05f3

SHA1
4743d44bcfe49f6c67858e5a4f4d169000d88d03

SHA256
e6da35b17e9360012f73b4253fb1a9ff7f38a08d80d43baeffdc60f56d7bb49a

SHA512
8682260bf2a4bdc3cbd741a89cfd78d2b02f75445ff8d5da3685d6d04cf93d1f15ad89982be172da1a7f1754712d6324d50d8aaceb30124545370e64f7cee2d2

Download Submit
C:\Users\Admin\Desktop\OpenDebug.wmf

Filesize
844KB

MD5
67cf39008185ae38b68c88d8ef9c7a69

SHA1
54dde63320b94d0d13bdd32323724c83c7220499

SHA256
e6e1a49a6d7193ec74167e1b1214f26def7b96837efc904b1d4e3b8f94362918

SHA512
58292998296fe38880b75addfbe7cb87eff8d82ee4ede8de8a51cb46f51132b4e685fe75ddf705437c35dbc98f0561733a4b97ba2c8dfc86971935d309306662

Download Submit
C:\Users\Admin\Desktop\OutUnpublish.rar

Filesize
1.1MB

MD5
a6af5aeb3aca9dbb4b303ee197b8022b

SHA1
5cf66ffaf29942b1e9de6c578745f582418949f4

SHA256
34ae4fe13c0624f4e8f8246475c875672d86ad226567f3ea127930ab1cd32385

SHA512
23b3236ad662bd1aa357260b1cd877c721da18d1bed907b60b3e82cfd4c104182c1b1ac7dcf13bc1b9d99a5110fcc6b1b54ddf8cf62f24645104c9cad39f5b93

Download Submit
C:\Users\Admin\Desktop\ProtectStart.m3u

Filesize
884KB

MD5
b72bc3a5b26bbe0341d3b56f661597c0

SHA1
8398be714d98ec2efd6087403d209ec25546d6f6

SHA256
9629c4fd63896a93cf9d72f05926b843dee9d400909e4850dbb1f409ac241502

SHA512
126d731323cd64d3bfc0d1ecb919a2e591216624d1056c279297b4abeaae34ee925951ec191503a88a4abf7a248abad6de5f3cee89c9444144d5233e33c94936

Download Submit
C:\Users\Admin\Desktop\RepairRead.bat

Filesize
964KB

MD5
ae1e1aae447378646e6776e427ff6e96

SHA1
b002ea4187411c9ee34ca4a162e1c087eac37889

SHA256
9964efa16bfa6c155d01b33f54e8ed80fcb2caeffada01b9a8bb48e190230136

SHA512
677dbf9907267d8880cab3f95c43d57e8c940a0e123fcb946fe0f947f31e84e492087bbde2e67e33b16a88575125b536cdb7d6d6194ff1f92c7071bbcb79985a

Download Submit
C:\Users\Admin\Desktop\SaveSearch.csv

Filesize
643KB

MD5
5a653bd8e879235d678493489a402904

SHA1
fb13be5ad3eca93b31d6c95bce4fcca481028ffc

SHA256
406854563e1277d28243cd06c771d6e447b2ece083e2321371eeaa175cd50310

SHA512
c370369a5b7381c48985ea2e335f098dbd6a9cb85b98fe8cf6597d4a5cc0c3719fc2cb1006b9433b25d549458878cde23a0ac31607be6c075cb2f4dbc10103d8

Download Submit
C:\Users\Admin\Desktop\SendResize.xlsx

Filesize
1.2MB

MD5
ec500fa334b799fc3b3c9b82692f74e7

SHA1
4649297863309c495949e395e796bf84208a3866

SHA256
44b7ab59747a617f1642f098d49e023fe11ef384b685f6a2654e55f2cf540705

SHA512
bf933b6eea12ebf562d95030e7cba5a116336ae1909f411c1ee4a6745d880160acc567c2ab17ec8df5aa727b0b70b0e29f5cbf5b0de602eed8a1997720c24a8a

Download Submit
C:\Users\Admin\Desktop\TraceUninstall.raw

Filesize
723KB

MD5
4905a9ff662dbb325af431f96b289a68

SHA1
5242428611363f6419eb259d4b2506331844fab8

SHA256
963093d0a834134dc5f3cb20687f2415fd42e9b5f36b5a65237f0ebb8986bae0

SHA512
dab79c8fc557d53fc6cae4189c52ad8299881917c88f725229ab317c6ccb5eb36ce7727ac4e4d0534037071d53947abf9b93e22ffcc74f3de97b90cde76bec44

Download Submit
C:\Users\Admin\Desktop\UnblockSkip.mpv2

Filesize
1.2MB

MD5
0ac2cfa1a64df8fc384b6f161976ebea

SHA1
2d8aaf48fd25f77b5e477c2c2193a0939c60ebc6

SHA256
60dce51c485d1a37d4d433a772cca057ee25b609b8c5762a3c23bf503cba0d55

SHA512
6bbe49151016658d6d9dca4a1a6c4c8e5111737d3ea5045be7239b3cf4fb5e16aa09a315fe032f6d0d032f34143b8d7bf21dc716bac2dd1c64ecf04bb41832d8

Download Submit
C:\Users\Admin\Desktop\UnregisterBlock.wm

Filesize
1.0MB

MD5
6baa7bb81c468ed4d6625b3156ff56e6

SHA1
a755756fe869db9e932f59aa0257e8aa7cacb337

SHA256
08b0398ed10ccca08e4721a41b1f4cc620226a56b0882082c45ec3f034f816c0

SHA512
ee5e1a26baf3d5de40286246a3820dfeba54118da89bb8b99b4285649a5ef704f2f8c449002248d2f42f176f0748745d678e6c2d1a19dbec5f68638f779d80e5

Download Submit
C:\Users\Admin\Desktop\UpdateDebug.clr

Filesize
1.1MB

MD5
257e924fd29aa6c6d32aa25eb6e9c55a

SHA1
2a4a7772584fdd6f190d6c208da0edc8f636b7af

SHA256
d78969bad39aeb757a90e027bcfde2e6db310ea66f5ea264195f22321a40a850

SHA512
066fd44a90bd18368c4d91afd9d8cad196780e430b196f0115b74f27a4a246fb80db6799cb17e600e6b2d61e58725b740e7ae66261b2699cdcf10f7417fccdeb

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
22b9770809478f4b7938f463e6697e24

SHA1
0f444dfd78b31d831c0b9a59ebc30c04db1a324e

SHA256
cd9249f2aa782d026346ed4bcd7bfa7b8e8a21b3aa596a24fcb5924664545ae5

SHA512
143b10440147bbb3bb2bab7fbf81e146810d1bfac8fb9af7e1a52707e61d06ab4e92129db67e8cd0e79785a9fb92ac8193e0811359b2f712f1dfe36c3915e65f

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
debd38c15bbee4ae9c96eddc03924287

SHA1
f61b97b8829897bcd9af7fbcd13882b82eae8e2d

SHA256
917a5ab064fa271ab2e1ee3f4fd1ee5774a7d075769a422346f96923b243e905

SHA512
00ca595b2440e30f149eec984f724096671eefe8ead3d7679fbd70bf69a5b205c2e913e3d13679a47c8d3932afd0ebb63051999296aadc8309150ffa1d55e5e2

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
3d33dc109439aaee99755699a39d7af2

SHA1
5c6d5f13110d9b17e37c9fdf43e72c3772c7dca8

SHA256
807fd0a98d5c652c6479babf5ba94573645e343a3db23eb9bbaa19d38f71fd80

SHA512
79741bdb34a18ba643445318ef45347fafa31d36f48557ecec987e09e3164a0499a25974926dde8f1920157936a43a32f66a08215e32fb03cfc3ca32a5205ac0

Download Submit
C:\Users\Public\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
0a33c8cc5f3c6777886b53f6fcb7896f

SHA1
9ff1adc6dc48c89aa8f3e84aae76d59e8967bac1

SHA256
13a17d18561f559df873eacb07b6809ea2153dbb2bcacb2ac8b41707e56ae37a

SHA512
aa95202af6a3dc6ae5878c3f21e9a1139cebd859c13dbeb9e004b092baf19a6d8955b629dfb2d3e061329f24298d1bf94cd9a5021d8b11d7cffd2e5cfb90e181

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
2290d3b29d2cccef99e913346032f835

SHA1
b5a7b250a09abd96d0e4a57c5563402bbd751e72

SHA256
72dedc6e7728ac16956b0e426b5b049c84656a44c745d074223378cd21df59ec

SHA512
80d17473046a1087f41ae03778e37634f98ff063b69dd32db1a2fc96747891c7fcdb2e4f6b215987210be9059c733d686546683801e063bb56410abbb902d7f6

Download Submit
memory/388-176-0x0000000000610000-0x0000000000619000-memory.dmp

Filesize
36KB

Download
memory/1004-190-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/1004-193-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/1004-186-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/1308-194-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/1308-188-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/1308-174-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/1512-189-0x0000000001A9A000-0x0000000001A9F000-memory.dmp

Filesize
20KB

Download
memory/1512-178-0x0000000001A9A000-0x0000000001A9F000-memory.dmp

Filesize
20KB

Download
memory/1512-170-0x00007FFD72C30000-0x00007FFD73666000-memory.dmp

Filesize
10.2MB

Download
memory/3556-164-0x00007FFD72C30000-0x00007FFD73666000-memory.dmp

Filesize
10.2MB

Download
memory/3556-165-0x000000000151A000-0x000000000151F000-memory.dmp

Filesize
20KB

Download
memory/3556-171-0x000000000151A000-0x000000000151F000-memory.dmp

Filesize
20KB

Download
memory/3852-223-0x0000000000560000-0x0000000000587000-memory.dmp

Filesize
156KB

Download
memory/3852-224-0x0000000000561000-0x000000000057E000-memory.dmp

Filesize
116KB

Download
memory/4624-185-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4840-177-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4856-187-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4856-191-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4948-215-0x000001C8818A0000-0x000001C8818E0000-memory.dmp

Filesize
256KB

Download
memory/4948-204-0x000001C880390000-0x000001C8803D0000-memory.dmp

Filesize
256KB

Download
memory/4948-214-0x000001C880480000-0x000001C8804C0000-memory.dmp

Filesize
256KB

Download
memory/4948-212-0x000001C8818A0000-0x000001C8818E0000-memory.dmp

Filesize
256KB

Download
memory/4948-216-0x000001C880000000-0x000001C880040000-memory.dmp

Filesize
256KB

Download
memory/4948-217-0x000001C880480000-0x000001C8804C0000-memory.dmp

Filesize
256KB

Download
memory/4948-218-0x000001C880270000-0x000001C8802B0000-memory.dmp

Filesize
256KB

Download
memory/4948-219-0x000001C880470000-0x000001C8804B0000-memory.dmp

Filesize
256KB

Download
memory/4948-220-0x000001C880270000-0x000001C8802B0000-memory.dmp

Filesize
256KB

Download
memory/4948-211-0x000001C880260000-0x000001C8802A0000-memory.dmp

Filesize
256KB

Download
memory/4948-209-0x000001C880110000-0x000001C880150000-memory.dmp

Filesize
256KB

Download
memory/4948-210-0x000001C8818A0000-0x000001C8818E0000-memory.dmp

Filesize
256KB

Download
memory/4948-208-0x000001C880390000-0x000001C8803D0000-memory.dmp

Filesize
256KB

Download
memory/4948-201-0x000001C880470000-0x000001C8804B0000-memory.dmp

Filesize
256KB

Download
memory/4948-202-0x000001C880470000-0x000001C8804B0000-memory.dmp

Filesize
256KB

Download
memory/4948-203-0x000001C880260000-0x000001C8802A0000-memory.dmp

Filesize
256KB

Download
memory/4948-213-0x000001C880000000-0x000001C880040000-memory.dmp

Filesize
256KB

Download
memory/4948-205-0x000001C880110000-0x000001C880150000-memory.dmp

Filesize
256KB

Download
memory/4948-206-0x000001C880260000-0x000001C8802A0000-memory.dmp

Filesize
256KB

Download
memory/4948-207-0x000001C880260000-0x000001C8802A0000-memory.dmp

Filesize
256KB

Download
memory/5644-230-0x0000000000881000-0x0000000000885000-memory.dmp

Filesize
16KB

Download
memory/5644-237-0x00000000045E1000-0x0000000004715000-memory.dmp

Filesize
1.2MB

Download
memory/5644-246-0x000000000BED0000-0x000000000C50C000-memory.dmp

Filesize
6.2MB

Download
memory/5644-247-0x000000000C510000-0x000000000C529000-memory.dmp

Filesize
100KB

Download
memory/5644-229-0x0000000000D70000-0x0000000000E9E000-memory.dmp

Filesize
1.2MB

Download
memory/5644-240-0x0000000006050000-0x00000000063D0000-memory.dmp

Filesize
3.5MB

Download
memory/5644-239-0x0000000003D21000-0x0000000003D25000-memory.dmp

Filesize
16KB

Download
memory/5644-238-0x00000000045E0000-0x000000000483B000-memory.dmp

Filesize
2.4MB

Download