djvu | d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27

Resubmissions

30-01-2023 13:52

230130-q6j3csaf45 10

30-01-2023 13:41

230130-qzkejsaf27 10

Analysis

max time kernel
960s
max time network
962s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2023 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
Size

670KB
MD5

d4119bd2e05d30c83481f9f2f8fa45d8
SHA1

ca9417ec27fd4b4fd94697642c3a0f5ab0e81934
SHA256

d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27
SHA512

22fad9880248c2a55a906bca74b6b264795a3be4bc4b9a0f7df053e43c83963ddf91e2cf3da3f97c54acb3bafa388ade890e8a4d227e6d87e7b6971195a3a8ab
SSDEEP

12288:FmNW9Bh+YibooLU/lvuyhQtMicow49EARpPw+8+mn0JyS+4rrPU00I2lz:sWfh9ibGuyhLib395RpPJmn0JN+Mr0Im

Score

10^/10

djvu vidar 15 19 discovery persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\_readme.txt

Family

djvu

Ransom Note

ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-uZxWxoKbU5 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0635JOsieHU1v8ga5VvWXVnHnASsCWOqB8HCs5L8baCBXLDQB

Emails

[email protected]

URLs

https://we.tl/t-uZxWxoKbU5

Extracted

Family

djvu

http://drampik.com/test1/get.php

Attributes

extension
.mzqw
offline_id
ex4uvTKsM2vEkIcr3MjXi2C6v27h1mS682iUXGt1
payload_url
http://uaery.top/dl/build2.exe
http://drampik.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-uZxWxoKbU5 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0635JOsie

rsa_pubkey.plain

Extracted

Family

vidar

Version

2.2

Botnet

https://t.me/litlebey

https://steamcommunity.com/profiles/76561199472399815

Attributes

profile_id
19

Extracted

Family

vidar

Version

2.2

Botnet

https://t.me/litlebey

https://steamcommunity.com/profiles/76561199472399815

Attributes

profile_id
15

Signatures

Detected Djvu ransomware 12 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4560-133-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4560-134-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4344-137-0x00000000049D0000-0x0000000004AEB000-memory.dmp	family_djvu
behavioral1/memory/4560-136-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4560-138-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4560-142-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4480-146-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4480-147-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4480-148-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/4480-168-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/5644-297-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/5644-298-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 17 IoCs

Processes:

build2.exebuild3.exebuild2.exemstsca.exeSoftware.exeChromeRecovery.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exeSoftware.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exed4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exed4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe

pid	process
2120	build2.exe
1384	build3.exe
8	build2.exe
5052	mstsca.exe
1352	Software.exe
5396	ChromeRecovery.exe
2288	software_reporter_tool.exe
4008	software_reporter_tool.exe
5984	software_reporter_tool.exe
4760	software_reporter_tool.exe
2572	Software.exe
1592	software_reporter_tool.exe
396	software_reporter_tool.exe
5256	software_reporter_tool.exe
6048	software_reporter_tool.exe
3536	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
5644	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\SuspendMeasure.tif => C:\Users\Admin\Pictures\SuspendMeasure.tif.mzqw	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
File renamed	C:\Users\Admin\Pictures\ApproveConfirm.tif => C:\Users\Admin\Pictures\ApproveConfirm.tif.mzqw	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
File renamed	C:\Users\Admin\Pictures\DebugStop.crw => C:\Users\Admin\Pictures\DebugStop.crw.mzqw	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
File opened for modification	C:\Users\Admin\Pictures\OutSkip.tiff	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
File renamed	C:\Users\Admin\Pictures\OutSkip.tiff => C:\Users\Admin\Pictures\OutSkip.tiff.mzqw	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
File renamed	C:\Users\Admin\Pictures\ReceiveNew.tif => C:\Users\Admin\Pictures\ReceiveNew.tif.mzqw	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exed4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exebuild2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	build2.exe

Loads dropped DLL 18 IoCs

Processes:

build2.exesoftware_reporter_tool.exeSoftware.exesoftware_reporter_tool.exe

pid	process
8	build2.exe
8	build2.exe
5984	software_reporter_tool.exe
5984	software_reporter_tool.exe
5984	software_reporter_tool.exe
5984	software_reporter_tool.exe
5984	software_reporter_tool.exe
5984	software_reporter_tool.exe
5984	software_reporter_tool.exe
2572	Software.exe
2572	Software.exe
5256	software_reporter_tool.exe
5256	software_reporter_tool.exe
5256	software_reporter_tool.exe
5256	software_reporter_tool.exe
5256	software_reporter_tool.exe
5256	software_reporter_tool.exe
5256	software_reporter_tool.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

384 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
384	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\048dc53c-4fcb-42c8-9510-240ee716eb5e\\d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe\" --AutoStart"	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 api.2ip.ua
15 api.2ip.ua
20 api.2ip.ua
434 api.2ip.ua
435 api.2ip.ua

flow	ioc
14	api.2ip.ua
15	api.2ip.ua
20	api.2ip.ua
434	api.2ip.ua
435	api.2ip.ua

Suspicious use of SetThreadContext 5 IoCs

Processes:

d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exed4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exebuild2.exeSoftware.exed4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe

description	pid	process	target process
PID 4344 set thread context of 4560	4344	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
PID 212 set thread context of 4480	212	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
PID 2120 set thread context of 8	2120	build2.exe	build2.exe
PID 1352 set thread context of 2572	1352	Software.exe	Software.exe
PID 3536 set thread context of 5644	3536	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe

Drops file in Program Files directory 7 IoCs

Processes:

elevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5060_617723352\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5060_617723352\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5060_617723352\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5060_617723352\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5060_617723352\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5060_617723352\ChromeRecovery.exe	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5060_617723352\manifest.json	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2696 5768 WerFault.exe
3624 4884 WerFault.exe
3980 4976 WerFault.exe
5548 2572 WerFault.exe Software.exe

pid	pid_target	process	target process
2696	5768	WerFault.exe
3624	4884	WerFault.exe
3980	4976	WerFault.exe
5548	2572	WerFault.exe	Software.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exetaskmgr.exetaskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Software.exetaskmgr.exebuild2.exetaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Software.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	build2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	build2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Software.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2584 schtasks.exe
4612 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2068 timeout.exe

pid	process
2584	schtasks.exe
4612	schtasks.exe

pid	process
2068	timeout.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies registry class 4 IoCs

Processes:

taskmgr.exechrome.exechrome.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2971393436-602173351-1645505021-1000\{D17A053B-D26B-42C3-BF77-7055658C7052}	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2196 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

1196 vlc.exe

pid	process
2196	NOTEPAD.EXE

pid	process
1196	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exed4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exebuild2.exetaskmgr.exechrome.exechrome.exechrome.exechrome.exe

pid	process
4560	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
4560	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
4480	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
4480	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
8	build2.exe
8	build2.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2968	chrome.exe
2968	chrome.exe
2868	taskmgr.exe
2868	taskmgr.exe
3988	chrome.exe
3988	chrome.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
5624	chrome.exe
5624	chrome.exe
5684	chrome.exe
5684	chrome.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

taskmgr.exevlc.exe

pid process

2712 taskmgr.exe
1196 vlc.exe

pid	process
2712	taskmgr.exe
1196	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

Processes:

chrome.exechrome.exe

pid	process
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe
2724	chrome.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

taskmgr.exetaskmgr.exe7zG.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesdiagnhost.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exeAUDIODG.EXEvlc.exesvchost.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	2868	taskmgr.exe
Token: SeSystemProfilePrivilege	2868	taskmgr.exe
Token: SeCreateGlobalPrivilege	2868	taskmgr.exe
Token: 33	2868	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2868	taskmgr.exe
Token: SeDebugPrivilege	2712	taskmgr.exe
Token: SeSystemProfilePrivilege	2712	taskmgr.exe
Token: SeCreateGlobalPrivilege	2712	taskmgr.exe
Token: SeRestorePrivilege	1008	7zG.exe
Token: 35	1008	7zG.exe
Token: SeSecurityPrivilege	1008	7zG.exe
Token: SeSecurityPrivilege	1008	7zG.exe
Token: 33	4008	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4008	software_reporter_tool.exe
Token: 33	2288	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	2288	software_reporter_tool.exe
Token: 33	5984	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	5984	software_reporter_tool.exe
Token: 33	4760	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	4760	software_reporter_tool.exe
Token: SeDebugPrivilege	3116	sdiagnhost.exe
Token: 33	396	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	396	software_reporter_tool.exe
Token: 33	1592	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	1592	software_reporter_tool.exe
Token: 33	5256	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	5256	software_reporter_tool.exe
Token: 33	6048	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	6048	software_reporter_tool.exe
Token: 33	2712	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2712	taskmgr.exe
Token: 33	856	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	856	AUDIODG.EXE
Token: 33	1196	vlc.exe
Token: SeIncBasePriorityPrivilege	1196	vlc.exe
Token: SeBackupPrivilege	2176	svchost.exe
Token: SeRestorePrivilege	2176	svchost.exe
Token: SeSecurityPrivilege	2176	svchost.exe
Token: SeTakeOwnershipPrivilege	2176	svchost.exe
Token: 35	2176	svchost.exe
Token: SeDebugPrivilege	4944	taskmgr.exe
Token: SeSystemProfilePrivilege	4944	taskmgr.exe
Token: SeCreateGlobalPrivilege	4944	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exechrome.exe

pid	process
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exechrome.exe

pid	process
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
3988	chrome.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe
2868	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

chrome.exevlc.exe

pid process

2724 chrome.exe
2724 chrome.exe
1196 vlc.exe
1196 vlc.exe

pid	process
2724	chrome.exe
2724	chrome.exe
1196	vlc.exe
1196	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exed4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exed4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exed4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exebuild3.exebuild2.exebuild2.execmd.exemstsca.exechrome.exe

description	pid	process	target process
PID 4344 wrote to memory of 4560	4344	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
PID 4344 wrote to memory of 4560	4344	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
PID 4344 wrote to memory of 4560	4344	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
PID 4344 wrote to memory of 4560	4344	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
PID 4344 wrote to memory of 4560	4344	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
PID 4344 wrote to memory of 4560	4344	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
PID 4344 wrote to memory of 4560	4344	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
PID 4344 wrote to memory of 4560	4344	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
PID 4344 wrote to memory of 4560	4344	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
PID 4344 wrote to memory of 4560	4344	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
PID 4560 wrote to memory of 384	4560	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	icacls.exe
PID 4560 wrote to memory of 384	4560	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	icacls.exe
PID 4560 wrote to memory of 384	4560	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	icacls.exe
PID 4560 wrote to memory of 212	4560	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
PID 4560 wrote to memory of 212	4560	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
PID 4560 wrote to memory of 212	4560	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
PID 212 wrote to memory of 4480	212	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
PID 212 wrote to memory of 4480	212	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
PID 212 wrote to memory of 4480	212	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
PID 212 wrote to memory of 4480	212	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
PID 212 wrote to memory of 4480	212	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
PID 212 wrote to memory of 4480	212	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
PID 212 wrote to memory of 4480	212	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
PID 212 wrote to memory of 4480	212	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
PID 212 wrote to memory of 4480	212	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
PID 212 wrote to memory of 4480	212	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
PID 4480 wrote to memory of 2120	4480	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	build2.exe
PID 4480 wrote to memory of 2120	4480	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	build2.exe
PID 4480 wrote to memory of 2120	4480	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	build2.exe
PID 4480 wrote to memory of 1384	4480	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	build3.exe
PID 4480 wrote to memory of 1384	4480	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	build3.exe
PID 4480 wrote to memory of 1384	4480	d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe	build3.exe
PID 1384 wrote to memory of 2584	1384	build3.exe	schtasks.exe
PID 1384 wrote to memory of 2584	1384	build3.exe	schtasks.exe
PID 1384 wrote to memory of 2584	1384	build3.exe	schtasks.exe
PID 2120 wrote to memory of 8	2120	build2.exe	build2.exe
PID 2120 wrote to memory of 8	2120	build2.exe	build2.exe
PID 2120 wrote to memory of 8	2120	build2.exe	build2.exe
PID 2120 wrote to memory of 8	2120	build2.exe	build2.exe
PID 2120 wrote to memory of 8	2120	build2.exe	build2.exe
PID 2120 wrote to memory of 8	2120	build2.exe	build2.exe
PID 2120 wrote to memory of 8	2120	build2.exe	build2.exe
PID 2120 wrote to memory of 8	2120	build2.exe	build2.exe
PID 2120 wrote to memory of 8	2120	build2.exe	build2.exe
PID 8 wrote to memory of 4676	8	build2.exe	cmd.exe
PID 8 wrote to memory of 4676	8	build2.exe	cmd.exe
PID 8 wrote to memory of 4676	8	build2.exe	cmd.exe
PID 4676 wrote to memory of 2068	4676	cmd.exe	timeout.exe
PID 4676 wrote to memory of 2068	4676	cmd.exe	timeout.exe
PID 4676 wrote to memory of 2068	4676	cmd.exe	timeout.exe
PID 5052 wrote to memory of 4612	5052	mstsca.exe	schtasks.exe
PID 5052 wrote to memory of 4612	5052	mstsca.exe	schtasks.exe
PID 5052 wrote to memory of 4612	5052	mstsca.exe	schtasks.exe
PID 3988 wrote to memory of 1844	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 1844	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4776	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4776	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4776	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4776	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4776	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4776	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4776	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4776	3988	chrome.exe	chrome.exe
PID 3988 wrote to memory of 4776	3988	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
"C:\Users\Admin\AppData\Local\Temp\d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4344

C:\Users\Admin\AppData\Local\Temp\d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
"C:\Users\Admin\AppData\Local\Temp\d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\048dc53c-4fcb-42c8-9510-240ee716eb5e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:384

C:\Users\Admin\AppData\Local\Temp\d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
"C:\Users\Admin\AppData\Local\Temp\d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe" --Admin IsNotAutoStart IsNotTask
3⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:212

C:\Users\Admin\AppData\Local\Temp\d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
"C:\Users\Admin\AppData\Local\Temp\d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe" --Admin IsNotAutoStart IsNotTask
4⤵
- Modifies extensions of user files
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4480

C:\Users\Admin\AppData\Local\4075382e-7729-43bd-8a4e-8a208eae5185\build2.exe
"C:\Users\Admin\AppData\Local\4075382e-7729-43bd-8a4e-8a208eae5185\build2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2120

C:\Users\Admin\AppData\Local\4075382e-7729-43bd-8a4e-8a208eae5185\build2.exe
"C:\Users\Admin\AppData\Local\4075382e-7729-43bd-8a4e-8a208eae5185\build2.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\4075382e-7729-43bd-8a4e-8a208eae5185\build2.exe" & exit
7⤵
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
8⤵
- Delays execution with timeout.exe
PID:2068

C:\Users\Admin\AppData\Local\4075382e-7729-43bd-8a4e-8a208eae5185\build3.exe
"C:\Users\Admin\AppData\Local\4075382e-7729-43bd-8a4e-8a208eae5185\build3.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
6⤵
- Creates scheduled task(s)
PID:2584

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2868

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
2⤵
- Creates scheduled task(s)
PID:4612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd4e924f50,0x7ffd4e924f60,0x7ffd4e924f70
2⤵
PID:1844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1664 /prefetch:2
2⤵
PID:4776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2020 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2324 /prefetch:8
2⤵
PID:1304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2924 /prefetch:1
2⤵
PID:3020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1
2⤵
PID:4512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
2⤵
PID:4384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4504 /prefetch:8
2⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4480 /prefetch:8
2⤵
PID:3400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4680 /prefetch:8
2⤵
PID:2140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4936 /prefetch:8
2⤵
PID:5580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5220 /prefetch:8
2⤵
PID:5612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4940 /prefetch:8
2⤵
PID:5752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5116 /prefetch:8
2⤵
PID:5812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
2⤵
PID:5976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1616 /prefetch:8
2⤵
PID:6080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:8
2⤵
PID:6140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5100 /prefetch:8
2⤵
PID:2672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5536 /prefetch:8
2⤵
PID:5368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5204 /prefetch:8
2⤵
PID:5232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5036 /prefetch:8
2⤵
PID:3372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5424 /prefetch:8
2⤵
PID:5112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2144 /prefetch:8
2⤵
PID:2876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5600 /prefetch:8
2⤵
PID:5552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 /prefetch:8
2⤵
PID:5600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5368 /prefetch:8
2⤵
PID:5548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5616 /prefetch:8
2⤵
PID:5584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=808 /prefetch:8
2⤵
PID:5788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1564 /prefetch:8
2⤵
PID:5808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
2⤵
PID:5684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2940 /prefetch:1
2⤵
PID:5932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
2⤵
PID:5184

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3296 /prefetch:8
2⤵
PID:3412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
2⤵
PID:4772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
2⤵
PID:3272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
2⤵
PID:5676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
2⤵
PID:5996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2604 /prefetch:1
2⤵
PID:6060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
2⤵
PID:3164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
2⤵
PID:4788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
2⤵
PID:2424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5820 /prefetch:8
2⤵
PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4760 /prefetch:8
2⤵
PID:2852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3956 /prefetch:8
2⤵
- Modifies registry class
PID:2100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5428 /prefetch:8
2⤵
PID:1960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6092 /prefetch:8
2⤵
PID:4140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 /prefetch:8
2⤵
PID:720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4956 /prefetch:8
2⤵
PID:2680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4480 /prefetch:8
2⤵
PID:2364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5312 /prefetch:8
2⤵
PID:6124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5388 /prefetch:8
2⤵
PID:3104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
2⤵
PID:4592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
2⤵
PID:5484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
2⤵
PID:5516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6204 /prefetch:8
2⤵
PID:5540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5588 /prefetch:8
2⤵
PID:5716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
2⤵
PID:5544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
2⤵
PID:5564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
2⤵
PID:4460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
2⤵
PID:3364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6776 /prefetch:8
2⤵
PID:5236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6788 /prefetch:8
2⤵
PID:3068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
2⤵
PID:1384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6852 /prefetch:8
2⤵
PID:5736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6864 /prefetch:8
2⤵
PID:5972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6832 /prefetch:8
2⤵
PID:4728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6784 /prefetch:8
2⤵
PID:5048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
2⤵
PID:3536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
2⤵
PID:4596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
2⤵
PID:3908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
2⤵
PID:5188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6192 /prefetch:2
2⤵
PID:3936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
2⤵
PID:1352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2992 /prefetch:8
2⤵
PID:5740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
2⤵
PID:2276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
2⤵
PID:5576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
2⤵
PID:2548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
2⤵
PID:1552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
2⤵
PID:4904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5488 /prefetch:8
2⤵
PID:1992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5608 /prefetch:8
2⤵
PID:3124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6336 /prefetch:8
2⤵
PID:3104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3912 /prefetch:8
2⤵
PID:1084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6360 /prefetch:8
2⤵
PID:4408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6008 /prefetch:8
2⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2144 /prefetch:8
2⤵
PID:5388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
2⤵
PID:5496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5328 /prefetch:8
2⤵
PID:5476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3784 /prefetch:8
2⤵
PID:5716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6020 /prefetch:8
2⤵
PID:5528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
2⤵
PID:3280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6224 /prefetch:8
2⤵
PID:3160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6984 /prefetch:8
2⤵
PID:4780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5508 /prefetch:8
2⤵
PID:864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=896 /prefetch:1
2⤵
PID:1636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
2⤵
PID:5892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6888 /prefetch:8
2⤵
PID:4668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=100 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
2⤵
PID:5152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5876 /prefetch:8
2⤵
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=102 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
2⤵
PID:3672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1616 /prefetch:1
2⤵
PID:5564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=104 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
2⤵
PID:5676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=105 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:1
2⤵
PID:1592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=106 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
2⤵
PID:3468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=107 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7064 /prefetch:1
2⤵
PID:5192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=108 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
2⤵
PID:5632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=109 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
2⤵
PID:5312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=110 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
2⤵
PID:6032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=111 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6692 /prefetch:1
2⤵
PID:5684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=112 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
2⤵
PID:5576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=113 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
2⤵
PID:2868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=114 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7336 /prefetch:1
2⤵
PID:1696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=115 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7380 /prefetch:1
2⤵
PID:4608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6460 /prefetch:8
2⤵
PID:5416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=117 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7600 /prefetch:1
2⤵
PID:4408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=118 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7648 /prefetch:1
2⤵
PID:5356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=119 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1
2⤵
PID:5592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=120 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1
2⤵
PID:4436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=121 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
2⤵
PID:6116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1624,9657544729923716962,12577918302658894723,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7528 /prefetch:8
2⤵
PID:1088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2672

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x40c 0x498
1⤵
PID:3384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SetWindowsHookEx
PID:2724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd4e924f50,0x7ffd4e924f60,0x7ffd4e924f70
2⤵
PID:1356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1624 /prefetch:2
2⤵
PID:5084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8
2⤵
PID:3848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2376 /prefetch:8
2⤵
PID:5708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2896 /prefetch:1
2⤵
PID:4324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2876 /prefetch:1
2⤵
PID:1500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4424 /prefetch:8
2⤵
PID:3952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4860 /prefetch:8
2⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3812 /prefetch:8
2⤵
PID:3012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5028 /prefetch:8
2⤵
PID:2208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4452 /prefetch:1
2⤵
PID:3784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2896 /prefetch:1
2⤵
PID:5192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
2⤵
PID:5000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
2⤵
PID:5396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
2⤵
PID:4136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
2⤵
PID:5588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
2⤵
PID:5188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1944 /prefetch:1
2⤵
PID:5772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1
2⤵
PID:5960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
2⤵
PID:4140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
2⤵
PID:4072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
2⤵
PID:5524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2988 /prefetch:1
2⤵
PID:5040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
2⤵
PID:2364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1948 /prefetch:1
2⤵
PID:5376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
2⤵
PID:5988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:8
2⤵
PID:5036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
2⤵
PID:4240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
2⤵
PID:2200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2916 /prefetch:8
2⤵
PID:2224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5932 /prefetch:8
2⤵
PID:2276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3400 /prefetch:8
2⤵
PID:2748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1548 /prefetch:8
2⤵
PID:4676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3092 /prefetch:8
2⤵
PID:3320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3836 /prefetch:8
2⤵
PID:4320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3364 /prefetch:8
2⤵
PID:3104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6200 /prefetch:8
2⤵
PID:2256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5556 /prefetch:8
2⤵
PID:4752

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=++yMrW6c8HhUJnfWsPQTW4niWUo96Punix1hUv0G --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=Off
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2288

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=107.294.200 --initial-client-data=0x278,0x27c,0x280,0x258,0x284,0x7ff698b55960,0x7ff698b55970,0x7ff698b55980
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4008

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_2288_KEFBXERECOEEVEVB" --sandboxed-process-id=2 --init-done-notifier=744 --sandbox-mojo-pipe-token=9808599651629090696 --mojo-platform-channel-handle=720 --engine=2
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5984

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_2288_KEFBXERECOEEVEVB" --sandboxed-process-id=3 --init-done-notifier=988 --sandbox-mojo-pipe-token=1655553912423487422 --mojo-platform-channel-handle=984
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6220 /prefetch:8
2⤵
PID:5756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=892 /prefetch:8
2⤵
PID:644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3836 /prefetch:2
2⤵
PID:4456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
2⤵
PID:2968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 /prefetch:8
2⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6220 /prefetch:8
2⤵
PID:6052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6164 /prefetch:8
2⤵
PID:3600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4296 /prefetch:8
2⤵
PID:1072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5920 /prefetch:8
2⤵
PID:4796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5920 /prefetch:8
2⤵
PID:424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6148 /prefetch:8
2⤵
PID:4072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
2⤵
PID:724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
2⤵
PID:5260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
2⤵
PID:1168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
2⤵
PID:5468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 /prefetch:8
2⤵
PID:5624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,13160469951998669482,2051967486427359160,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
2⤵
PID:1028

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\Decrypt Software.avi"
2⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5436

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap8931:134:7zEvent3255
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Users\Admin\Desktop\Software.exe
"C:\Users\Admin\Desktop\Software.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1352

C:\Users\Admin\Desktop\Software.exe
"C:\Users\Admin\Desktop\Software.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 1708
3⤵
- Program crash
PID:5548

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:5060

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5060_617723352\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir5060_617723352\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={1486b5f2-0b0e-4d34-9ae5-aef016287594} --system
2⤵
- Executes dropped EXE
PID:5396

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 5768 -ip 5768
1⤵
PID:396

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5768 -s 2908
1⤵
- Program crash
PID:2696

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 4884 -ip 4884
1⤵
PID:5336

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4884 -s 2920
1⤵
- Program crash
PID:3624

C:\Windows\System32\msdt.exe
"C:\Windows\System32\msdt.exe" -skip TRUE -id NetworkDiagnosticsNetworkAdapter -ep NetworkDiagnosticsPNI
1⤵
PID:4328

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3116

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter AdapterGuid={81A557FB-E561-4F85-9DF5-6480B1E81B3C}
2⤵
PID:5980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultbfd073e6hda2fh4e63h87abh2913ae56cb8e
1⤵
- Enumerates system info in registry
- Modifies registry class
PID:2632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd23eb46f8,0x7ffd23eb4708,0x7ffd23eb4718
2⤵
PID:1336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,6865530363403305087,3458781291949742305,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
2⤵
PID:6116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,6865530363403305087,3458781291949742305,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
2⤵
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,6865530363403305087,3458781291949742305,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
2⤵
PID:3412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2968

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 4976 -ip 4976
1⤵
PID:3624

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4976 -s 3696
1⤵
- Program crash
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2572 -ip 2572
1⤵
PID:1788

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\software_reporter_tool.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1592

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=107.294.200 --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x7ff698b55960,0x7ff698b55970,0x7ff698b55980
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:396

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_1592_OJIKSJPCTRCCGVYH" --sandboxed-process-id=2 --init-done-notifier=768 --sandbox-mojo-pipe-token=14655816589495727745 --mojo-platform-channel-handle=744 --engine=2
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5256

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_1592_OJIKSJPCTRCCGVYH" --sandboxed-process-id=3 --init-done-notifier=984 --sandbox-mojo-pipe-token=12529563934039078657 --mojo-platform-channel-handle=1016
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6048

C:\Users\Admin\AppData\Local\048dc53c-4fcb-42c8-9510-240ee716eb5e\d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
C:\Users\Admin\AppData\Local\048dc53c-4fcb-42c8-9510-240ee716eb5e\d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe --Task
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3536

C:\Users\Admin\AppData\Local\048dc53c-4fcb-42c8-9510-240ee716eb5e\d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
C:\Users\Admin\AppData\Local\048dc53c-4fcb-42c8-9510-240ee716eb5e\d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe --Task
2⤵
- Executes dropped EXE
PID:5644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:4040

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\_readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:6032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffd4e924f50,0x7ffd4e924f60,0x7ffd4e924f70
2⤵
PID:5436

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x40c 0x498
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4944

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
2KB

MD5
c2ed2c633828a1bcf603a04772f6bc6f

SHA1
a2d3abb39d5551c5b594d30d0dcdd05fa5a50085

SHA256
7e8561e47f6e0af457bca0ff0ea2fa11f64942e80e2d20e5a9611a9915049808

SHA512
5ab5dc3bfbf196b4eeaa40ee06e94c452f271046c7e0b656cf944ab1cdc109130f40d18388adcc4b5eb15de08f996f8650f136f1fa53e2ae8efe1bb0715ea83a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
9bf10855213d2d2b26123cd2a04220b8

SHA1
231d2ed3b9098617f196e89cee3c2a82b38b5d40

SHA256
a508e5bc0086119681076c2b05889d6f70047f971342d65792776ab7b53ca1e9

SHA512
df78a9f4ed0296f9a16d17672758411306e1b3664e9c6aece1ec738da350e2ee703f5c4f30167c4d5b54de8d154a7a4dc7250420c024e26063c8521a333e3dfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize
488B

MD5
9331be18f9f3479733454b69fa3d7771

SHA1
a3cd97c2cc011b8f19e8394ed557603e0a93e099

SHA256
f28b7a6e088238ca5825277b585f26855a5582e706a31f23865f635bc9d2c97d

SHA512
e293e466828ce52c8bd95bc703a97b4e73388e670721bbddd8d147475bc6d380b8ab57bbd838d80ffb5ce588b4476b076f396cdb4aa23e23d2c67bcb013f9c9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
d3bbb0978e18c23ec7c09fe7ecdcee20

SHA1
916b92c837e546614e1ef09b44a920b21107a598

SHA256
f1345abb39b1e483380f8bfe4411f001934bd49f9181aab22df58e9f0f4e657d

SHA512
40b5eafda0f965486a41d16f0a2d05cd9eedb94b47360ab0d942008f4abe0fe25273b2167405357d92f1b26f0d9523100435c110b1ec02403ab7f795ce3bbad4

Download Submit
C:\Users\Admin\AppData\Local\048dc53c-4fcb-42c8-9510-240ee716eb5e\d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27.exe
Filesize
670KB

MD5
d4119bd2e05d30c83481f9f2f8fa45d8

SHA1
ca9417ec27fd4b4fd94697642c3a0f5ab0e81934

SHA256
d4a66c8b4f2672ff9119191d1b92eb872d2d5f093483682676484246c7720a27

SHA512
22fad9880248c2a55a906bca74b6b264795a3be4bc4b9a0f7df053e43c83963ddf91e2cf3da3f97c54acb3bafa388ade890e8a4d227e6d87e7b6971195a3a8ab

Download Submit
C:\Users\Admin\AppData\Local\4075382e-7729-43bd-8a4e-8a208eae5185\build2.exe
Filesize
437KB

MD5
5bc3c0c24790b3738ab85b644a1c6fc9

SHA1
c68547eb157a77f30e88a6c4666f6024765b70d8

SHA256
c37e19ba7ca31d3984004ec6534551197c1e4ab710bf26f822924168f17cbe7e

SHA512
f7aafcc10e5d1513e523bf7a1aee42316141862ba0d54f5b75ccc18f65a6cd14361728cb4a6a6ea795569431a0bc03792b132269293ba240bd3d9fa1e012c3ab

Download Submit
C:\Users\Admin\AppData\Local\4075382e-7729-43bd-8a4e-8a208eae5185\build2.exe
Filesize
437KB

MD5
5bc3c0c24790b3738ab85b644a1c6fc9

SHA1
c68547eb157a77f30e88a6c4666f6024765b70d8

SHA256
c37e19ba7ca31d3984004ec6534551197c1e4ab710bf26f822924168f17cbe7e

SHA512
f7aafcc10e5d1513e523bf7a1aee42316141862ba0d54f5b75ccc18f65a6cd14361728cb4a6a6ea795569431a0bc03792b132269293ba240bd3d9fa1e012c3ab

Download Submit
C:\Users\Admin\AppData\Local\4075382e-7729-43bd-8a4e-8a208eae5185\build2.exe
Filesize
437KB

MD5
5bc3c0c24790b3738ab85b644a1c6fc9

SHA1
c68547eb157a77f30e88a6c4666f6024765b70d8

SHA256
c37e19ba7ca31d3984004ec6534551197c1e4ab710bf26f822924168f17cbe7e

SHA512
f7aafcc10e5d1513e523bf7a1aee42316141862ba0d54f5b75ccc18f65a6cd14361728cb4a6a6ea795569431a0bc03792b132269293ba240bd3d9fa1e012c3ab

Download Submit
C:\Users\Admin\AppData\Local\4075382e-7729-43bd-8a4e-8a208eae5185\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\4075382e-7729-43bd-8a4e-8a208eae5185\build3.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
28KB

MD5
9faef25d13e4dc7e0ab153899592b795

SHA1
704a974cbb9f7a89fe83066ad3a4ecd88e2d04af

SHA256
68633034f6429e76465e207223f15b640979a9b7146229f583e26c06800b8516

SHA512
be3e165e47bcc1ca60492d9009229eb7284a18c6e35a6d36b8033bb71d0bbba6e94973c6866ea70e2c84702bfa018035283e2c138c4d51bdb6544e2c2f5647f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Filesize
9KB

MD5
9ead10c08e72ae41921191f8db39bc16

SHA1
abe3bce01cd34afc88e2c838173f8c2bd0090ae1

SHA256
8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0

SHA512
aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a

Download Submit
\??\pipe\crashpad_3988_NEOYFMEFHLMYCDCL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/8-165-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/8-167-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/8-161-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/8-169-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/8-191-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/8-164-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/8-160-0x0000000000000000-mapping.dmp

Download
memory/212-145-0x0000000004902000-0x0000000004993000-memory.dmp

Filesize
580KB

Download
memory/212-141-0x0000000000000000-mapping.dmp

Download
memory/384-139-0x0000000000000000-mapping.dmp

Download
memory/396-247-0x0000000000000000-mapping.dmp

Download
memory/1196-302-0x0000000000000000-mapping.dmp

Download
memory/1336-212-0x0000000000000000-mapping.dmp

Download
memory/1352-199-0x0000000005350000-0x00000000058F4000-memory.dmp

Filesize
5.6MB

Download
memory/1352-218-0x0000000007200000-0x000000000729C000-memory.dmp

Filesize
624KB

Download
memory/1352-200-0x0000000004DA0000-0x0000000004E32000-memory.dmp

Filesize
584KB

Download
memory/1352-202-0x00000000027D0000-0x00000000027DA000-memory.dmp

Filesize
40KB

Download
memory/1352-198-0x0000000000390000-0x00000000004AA000-memory.dmp

Filesize
1.1MB

Download
memory/1384-156-0x0000000000000000-mapping.dmp

Download
memory/2068-192-0x0000000000000000-mapping.dmp

Download
memory/2120-153-0x0000000000000000-mapping.dmp

Download
memory/2120-163-0x000000000076D000-0x000000000079E000-memory.dmp

Filesize
196KB

Download
memory/2120-166-0x00000000006D0000-0x0000000000726000-memory.dmp

Filesize
344KB

Download
memory/2288-203-0x0000000000000000-mapping.dmp

Download
memory/2572-219-0x0000000000000000-mapping.dmp

Download
memory/2572-220-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2572-223-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2572-221-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2572-244-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2572-222-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2584-159-0x0000000000000000-mapping.dmp

Download
memory/3116-210-0x00007FFD39DB0000-0x00007FFD3A871000-memory.dmp

Filesize
10.8MB

Download
memory/3116-209-0x000001A90B620000-0x000001A90B642000-memory.dmp

Filesize
136KB

Download
memory/3116-224-0x00007FFD39DB0000-0x00007FFD3A871000-memory.dmp

Filesize
10.8MB

Download
memory/3412-217-0x0000000000000000-mapping.dmp

Download
memory/4008-204-0x0000000000000000-mapping.dmp

Download
memory/4344-135-0x000000000493D000-0x00000000049CE000-memory.dmp

Filesize
580KB

Download
memory/4344-137-0x00000000049D0000-0x0000000004AEB000-memory.dmp

Filesize
1.1MB

Download
memory/4480-168-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4480-148-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4480-147-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4480-146-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4480-143-0x0000000000000000-mapping.dmp

Download
memory/4560-138-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4560-132-0x0000000000000000-mapping.dmp

Download
memory/4560-133-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4560-142-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4560-134-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4560-136-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4612-195-0x0000000000000000-mapping.dmp

Download
memory/4676-190-0x0000000000000000-mapping.dmp

Download
memory/4752-215-0x0000000000000000-mapping.dmp

Download
memory/4760-208-0x0000000000000000-mapping.dmp

Download
memory/5256-288-0x00000202D87E0000-0x00000202D8820000-memory.dmp

Filesize
256KB

Download
memory/5256-281-0x00000202D87E0000-0x00000202D8820000-memory.dmp

Filesize
256KB

Download
memory/5256-286-0x00000202D87E0000-0x00000202D8820000-memory.dmp

Filesize
256KB

Download
memory/5256-285-0x00000202D87E0000-0x00000202D8820000-memory.dmp

Filesize
256KB

Download
memory/5256-287-0x00000202D87E0000-0x00000202D8820000-memory.dmp

Filesize
256KB

Download
memory/5256-249-0x0000000000000000-mapping.dmp

Download
memory/5256-276-0x00000202D87E0000-0x00000202D8820000-memory.dmp

Filesize
256KB

Download
memory/5256-292-0x00000202D87E0000-0x00000202D8820000-memory.dmp

Filesize
256KB

Download
memory/5256-290-0x00000202D87E0000-0x00000202D8820000-memory.dmp

Filesize
256KB

Download
memory/5256-291-0x00000202D8820000-0x00000202D8860000-memory.dmp

Filesize
256KB

Download
memory/5256-289-0x00000202D87E0000-0x00000202D8820000-memory.dmp

Filesize
256KB

Download
memory/5256-272-0x00000202D87E0000-0x00000202D8820000-memory.dmp

Filesize
256KB

Download
memory/5256-273-0x00000202D87E0000-0x00000202D8820000-memory.dmp

Filesize
256KB

Download
memory/5256-277-0x00000202D87E0000-0x00000202D8820000-memory.dmp

Filesize
256KB

Download
memory/5256-278-0x00000202D87E0000-0x00000202D8820000-memory.dmp

Filesize
256KB

Download
memory/5256-284-0x00000202D87E0000-0x00000202D8820000-memory.dmp

Filesize
256KB

Download
memory/5256-283-0x00000202D87E0000-0x00000202D8820000-memory.dmp

Filesize
256KB

Download
memory/5256-262-0x00000202D87E0000-0x00000202D8820000-memory.dmp

Filesize
256KB

Download
memory/5256-282-0x00000202D87E0000-0x00000202D8820000-memory.dmp

Filesize
256KB

Download
memory/5256-280-0x00000202D8820000-0x00000202D8860000-memory.dmp

Filesize
256KB

Download
memory/5256-279-0x00000202D87E0000-0x00000202D8820000-memory.dmp

Filesize
256KB

Download
memory/5396-201-0x0000000000000000-mapping.dmp

Download
memory/5644-298-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5644-295-0x0000000000000000-mapping.dmp

Download
memory/5644-297-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5980-211-0x0000000000000000-mapping.dmp

Download
memory/5984-257-0x000002781FDE0000-0x000002781FE20000-memory.dmp

Filesize
256KB

Download
memory/5984-260-0x000002781D8C0000-0x000002781D900000-memory.dmp

Filesize
256KB

Download
memory/5984-270-0x000002781E340000-0x000002781E380000-memory.dmp

Filesize
256KB

Download
memory/5984-274-0x000002781E340000-0x000002781E380000-memory.dmp

Filesize
256KB

Download
memory/5984-275-0x000002781DAD0000-0x000002781DB10000-memory.dmp

Filesize
256KB

Download
memory/5984-269-0x000002781D8C0000-0x000002781D900000-memory.dmp

Filesize
256KB

Download
memory/5984-268-0x000002781E450000-0x000002781E490000-memory.dmp

Filesize
256KB

Download
memory/5984-267-0x000002781F980000-0x000002781F9C0000-memory.dmp

Filesize
256KB

Download
memory/5984-266-0x000002781F990000-0x000002781F9D0000-memory.dmp

Filesize
256KB

Download
memory/5984-265-0x000002781E470000-0x000002781E4B0000-memory.dmp

Filesize
256KB

Download
memory/5984-264-0x000002781DAD0000-0x000002781DB10000-memory.dmp

Filesize
256KB

Download
memory/5984-263-0x000002781E340000-0x000002781E380000-memory.dmp

Filesize
256KB

Download
memory/5984-261-0x000002781DAD0000-0x000002781DB10000-memory.dmp

Filesize
256KB

Download
memory/5984-271-0x000002781DAD0000-0x000002781DB10000-memory.dmp

Filesize
256KB

Download
memory/5984-259-0x000002781E450000-0x000002781E490000-memory.dmp

Filesize
256KB

Download
memory/5984-258-0x000002781F980000-0x000002781F9C0000-memory.dmp

Filesize
256KB

Download
memory/5984-245-0x000002781EB10000-0x000002781EB50000-memory.dmp

Filesize
256KB

Download
memory/5984-256-0x000002781F990000-0x000002781F9D0000-memory.dmp

Filesize
256KB

Download
memory/5984-255-0x000002781E470000-0x000002781E4B0000-memory.dmp

Filesize
256KB

Download
memory/5984-254-0x000002781E470000-0x000002781E4B0000-memory.dmp

Filesize
256KB

Download
memory/5984-253-0x000002781E550000-0x000002781E590000-memory.dmp

Filesize
256KB

Download
memory/5984-252-0x000002781E340000-0x000002781E380000-memory.dmp

Filesize
256KB

Download
memory/5984-246-0x000002781E340000-0x000002781E380000-memory.dmp

Filesize
256KB

Download
memory/5984-206-0x0000000000000000-mapping.dmp

Download
memory/6048-251-0x0000000000000000-mapping.dmp

Download
memory/6116-214-0x0000000000000000-mapping.dmp

Download