3c4ca8b2f94f0c445cb5b9337b199e298b547ae9567178327ba886ebb9047f8b

Analysis

max time kernel
2119s
max time network
2138s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-02-2023 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Auto Forge and mod downloader.exe
Size

7.0MB
MD5

9805f2e2c5d2dfb27f9435f4f6efd3dd
SHA1

5a2a2735e72cd2a8a1e6eff977bb622452bca4fc
SHA256

a27b9580607ca860dc78c19450cf06b0c66c0a3b8b36334909112fa6c275317e
SHA512

f0056a15b6f16ed781e5c03d3e48ac1e5e29cc710a4d39e6fd84d6a66afa9f3ddaa0c67bc60ee37b44ad0768caf61bacaff08c608a0622a990cec81905c8b69f
SSDEEP

196608:Mplk5be+eNOx+yAiWfGHpdoGXgktifyDE:ulIbeBQ7QfWpSktiEE

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

ChromeRecovery.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe

pid	process
2712	ChromeRecovery.exe
2324	software_reporter_tool.exe
2628	software_reporter_tool.exe
2240	software_reporter_tool.exe
552	software_reporter_tool.exe

Loads dropped DLL 18 IoCs

Processes:

Auto Forge and mod downloader.exechrome.exesoftware_reporter_tool.exesoftware_reporter_tool.exe

pid	process
944	Auto Forge and mod downloader.exe
1284
1284
1284
1284
1284
1284
1284
1284
2884	chrome.exe
2324	software_reporter_tool.exe
2240	software_reporter_tool.exe
2240	software_reporter_tool.exe
2240	software_reporter_tool.exe
2240	software_reporter_tool.exe
2240	software_reporter_tool.exe
2240	software_reporter_tool.exe
2240	software_reporter_tool.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI12762\python310.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI12762\python310.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI12762\sqlite3.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI12762\sqlite3.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI12762\sqlite3.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI12762\sqlite3.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI12762\python310.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI12762\python310.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI12762\python310.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI12762\python310.dll	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 7 IoCs

Processes:

elevation_service.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2656_39442347\manifest.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2656_39442347\manifest.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2656_39442347\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2656_39442347\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2656_39442347\ChromeRecoveryCRX.crx	elevation_service.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2656_39442347\ChromeRecovery.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2656_39442347\ChromeRecovery.exe	elevation_service.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exetaskmgr.exechrome.exechrome.exechrome.exechrome.exechrome.exesoftware_reporter_tool.exe

pid	process
296	chrome.exe
1584	chrome.exe
1584	chrome.exe
2860	chrome.exe
2808	chrome.exe
1584	chrome.exe
1584	chrome.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe
2884	chrome.exe
2884	chrome.exe
1952	chrome.exe
2608	chrome.exe
2732	chrome.exe
2812	chrome.exe
2884	chrome.exe
2884	chrome.exe
2324	software_reporter_tool.exe
2324	software_reporter_tool.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Auto Forge and mod downloader.exetaskmgr.exe

pid process

944 Auto Forge and mod downloader.exe
2416 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

AUDIODG.EXEtaskmgr.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe

description	pid	process
Token: 33	364	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	364	AUDIODG.EXE
Token: 33	364	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	364	AUDIODG.EXE
Token: SeDebugPrivilege	2416	taskmgr.exe
Token: 33	2628	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	2628	software_reporter_tool.exe
Token: 33	2324	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	2324	software_reporter_tool.exe
Token: 33	2240	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	2240	software_reporter_tool.exe
Token: 33	552	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	552	software_reporter_tool.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

notepad.exechrome.exetaskmgr.exe

pid	process
1864	notepad.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
1584	chrome.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe
2416	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Auto Forge and mod downloader.exechrome.exe

description	pid	process	target process
PID 1276 wrote to memory of 944	1276	Auto Forge and mod downloader.exe	Auto Forge and mod downloader.exe
PID 1276 wrote to memory of 944	1276	Auto Forge and mod downloader.exe	Auto Forge and mod downloader.exe
PID 1276 wrote to memory of 944	1276	Auto Forge and mod downloader.exe	Auto Forge and mod downloader.exe
PID 1584 wrote to memory of 2012	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 2012	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 2012	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 1120	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 296	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 296	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 296	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 616	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 616	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 616	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 616	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 616	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 616	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 616	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 616	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 616	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 616	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 616	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 616	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 616	1584	chrome.exe	chrome.exe
PID 1584 wrote to memory of 616	1584	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Auto Forge and mod downloader.exe
"C:\Users\Admin\AppData\Local\Temp\Auto Forge and mod downloader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\Auto Forge and mod downloader.exe
"C:\Users\Admin\AppData\Local\Temp\Auto Forge and mod downloader.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:944

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:268

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x184
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:364

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:1864

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\_MEI12762\injection-obfuscated.js
1⤵
PID:728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef51d4f50,0x7fef51d4f60,0x7fef51d4f70
2⤵
PID:2012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1064 /prefetch:2
2⤵
PID:1120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1436 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1848 /prefetch:8
2⤵
PID:616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2076 /prefetch:1
2⤵
PID:2044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2032 /prefetch:1
2⤵
PID:1560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
2⤵
PID:2064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3320 /prefetch:2
2⤵
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
2⤵
PID:2200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3552 /prefetch:8
2⤵
PID:2272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3640 /prefetch:8
2⤵
PID:2280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3716 /prefetch:8
2⤵
PID:2348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3608 /prefetch:8
2⤵
PID:2356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3776 /prefetch:8
2⤵
PID:2364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
2⤵
PID:2472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2088 /prefetch:1
2⤵
PID:2560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2032 /prefetch:1
2⤵
PID:2568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2488 /prefetch:1
2⤵
PID:2580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2056 /prefetch:1
2⤵
PID:2752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1588 /prefetch:1
2⤵
PID:2840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
2⤵
PID:2848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5616 /prefetch:8
2⤵
PID:2964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5724 /prefetch:8
2⤵
PID:2972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5728 /prefetch:8
2⤵
PID:3040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5820 /prefetch:8
2⤵
PID:3048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5632 /prefetch:8
2⤵
PID:3060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5684 /prefetch:8
2⤵
PID:3068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6048 /prefetch:8
2⤵
PID:2072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6160 /prefetch:8
2⤵
PID:2080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6168 /prefetch:8
2⤵
PID:2076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6264 /prefetch:8
2⤵
PID:2400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
2⤵
PID:1204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3268 /prefetch:8
2⤵
PID:1692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=532 /prefetch:8
2⤵
PID:2548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1352 /prefetch:1
2⤵
PID:1500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
2⤵
PID:3032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
2⤵
PID:2064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2044 /prefetch:1
2⤵
PID:3064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
2⤵
PID:2436

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:2416

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x13f66a890,0x13f66a8a0,0x13f66a8b0
3⤵
PID:2076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4460 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6420 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6388 /prefetch:8
2⤵
PID:2904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6044 /prefetch:8
2⤵
PID:1692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5860 /prefetch:8
2⤵
PID:1572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
2⤵
PID:2952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1048,2108332480145041356,16118548724309409465,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3136 /prefetch:8
2⤵
PID:956

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef51d4f50,0x7fef51d4f60,0x7fef51d4f70
2⤵
PID:2900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1028 /prefetch:2
2⤵
PID:576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1520 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1796 /prefetch:8
2⤵
PID:2132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2028 /prefetch:1
2⤵
PID:2444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2036 /prefetch:1
2⤵
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
2⤵
PID:2828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3328 /prefetch:2
2⤵
PID:544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
2⤵
PID:992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3556 /prefetch:8
2⤵
PID:1524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3664 /prefetch:8
2⤵
PID:764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3284 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2848 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
2⤵
PID:2372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1576 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2004 /prefetch:8
2⤵
PID:2008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2000 /prefetch:8
2⤵
PID:2956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2084 /prefetch:8
2⤵
PID:2808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1992 /prefetch:8
2⤵
PID:2168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2004 /prefetch:8
2⤵
PID:2452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1484 /prefetch:8
2⤵
PID:2344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1492 /prefetch:8
2⤵
PID:2312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1476 /prefetch:8
2⤵
PID:1204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=964 /prefetch:8
2⤵
PID:2848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1584 /prefetch:8
2⤵
PID:676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1700 /prefetch:8
2⤵
PID:1168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2416 /prefetch:8
2⤵
PID:1848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1992 /prefetch:8
2⤵
PID:3016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1492 /prefetch:8
2⤵
PID:2740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1700 /prefetch:8
2⤵
PID:904

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\107.294.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=jZWTSsM2mt9gfLW+om+O2TtxueOTRiqgJcCPJsUG --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=Off
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2324

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=107.294.200 --initial-client-data=0x160,0x164,0x168,0x134,0x16c,0x13fa85960,0x13fa85970,0x13fa85980
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2628

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_2324_BANGVBPSVBWTDHLQ" --sandboxed-process-id=2 --init-done-notifier=484 --sandbox-mojo-pipe-token=16252835414550215165 --mojo-platform-channel-handle=460 --engine=2
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2240

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\107.294.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_2324_BANGVBPSVBWTDHLQ" --sandboxed-process-id=3 --init-done-notifier=644 --sandbox-mojo-pipe-token=6401311492568230205 --mojo-platform-channel-handle=640
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2000 /prefetch:8
2⤵
PID:2872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1016,2225593004597687247,13435617575365063369,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2408 /prefetch:8
2⤵
PID:1340

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:2656

C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2656_39442347\ChromeRecovery.exe
"C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2656_39442347\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={ad4e4115-18c2-4c1d-8f55-e79fac3a97b5} --system
2⤵
- Executes dropped EXE
PID:2712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
13996aa3ec9f8dbe7e64bc0730e33763

SHA1
57b69eeb6c656a4caad21b86b67815a5729e3ab1

SHA256
a2baaec15a6ad1d0ca97f0644ec9a54b636327f34b76f37f6988fd1cf43f17d0

SHA512
70c988c4441a6ff4f40e84e825c916b3c850712acc23d83d866959af4b22aa95918d654293ad1ae8cbc1d431a763ba7e6f8e764aa93758b2a2eba3994d13e076

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
5d095ce690d0fe4bdc1c5298901f9131

SHA1
251f99610b5c77660dbc12c904c697d6c940dca5

SHA256
dd9b6755065c1c7bd534631bf028113979514b8929882ff7f6e98c79ab4d0eb5

SHA512
401d57a2b07a0761c28f0dd13a21626393cf41e786fecc8531ff68572ff5e15297501ab46fdf7e053aafae1567497235e55554e1d3f5522b9783dea03a26e772

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
Filesize
13B

MD5
b63048c4e7e52c52053d25da30d9c5ab

SHA1
679a44d402f5ec24605719e06459f5a707989187

SHA256
389caa40ea458e84bc624a9af1e0dec60fa652b2db2b81c09b1dfe22822cc3d1

SHA512
e86c58c5a25e24f21ad79ed526a90c120a09c115f4820663bd2ebbc59e7bb1c4c418267eb77645522aa20b2c1b53fba8e31690db7bae9b21e4eff3db06316359

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
114KB

MD5
2f7ce56b3b885a36b9378add4835de02

SHA1
2ce1d34d325829dc6dad96d1ed97bd9780909e50

SHA256
5ba5567efbf75501e0987a639fdf84d242757ab518948f5841e4e91eb8f52e62

SHA512
8f1e29a130601e141a55f60c06eb05b29f7ea913f861d59aa416e0906d2590c0f36f6fdd26069f8365b24cde6a099f8c08a9b6cad7bb3541e441a7001891be6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
7737c8ebf7a7c7612eb7cb3525309fd8

SHA1
58106ffef7eb671e76a1e1885cde9af17a4a2018

SHA256
5d13119ece74adcd0a246eb59f67d795cc3cd3f3726772ad8e483603de908f7f

SHA512
3fd449fd12f6ead78d6429c72a0220e69299988c5303b2a20801721415d3d1e9e81d764a53eef09fa77de327fab7b665b2658d176e81ebf8187dfa30e1549613

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\Camera
Filesize
28KB

MD5
546170e5009b8dfdd1c6d0a83ad1f6eb

SHA1
e3be111bbe736f39e02ef43210a17c3b497511de

SHA256
52b9e339f35b8f079c14a2cb3bcb22ae2c0224493081063f42759e379ba3d902

SHA512
d0c2a2311e2d70b07ab2e3c7d269e85cb3b21e0dad4cc13eb43d8e45a28a1dd0ff99ef69f1547c41a083cb995373d54204fb686d42b152bf3eda2dcc104f702b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\injection-obfuscated.js
Filesize
32KB

MD5
f421db9f34f345d816206f6554d11c29

SHA1
ecfc28673328191acbfaa1aa6e7588963e9da04c

SHA256
b99e8f5b7f4f7adfba03ea429478a2b21ff4fe481e8820768ab4f04ba8e5b3ba

SHA512
b29a302a372c0d352bfde27d14dbd5ac3f5a438371ee2c9cafb6030a47209b706c9bae65ade55d23c4114ce63204ff003e27059bf9a99cc731b80b2288c33905

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\python310.dll
Filesize
1.5MB

MD5
f8588acfbe613c10995ce5e1f81d630d

SHA1
632657d4b0e83dfdfa41d36e770c43e1c097847a

SHA256
59076f6db6590a0aaa7a98abc05080387db9f3aba2b47512bf1101a502b955b7

SHA512
0a33e145575e332022b2a54d2478e292c10ce276bbcd9716649cf6875cfea065bf449455b140a109c7a841cd45714330c1df250d05ed32228f82e4294874559b

Download Submit
\??\pipe\crashpad_1584_UYZDVROGGNBEJHTC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12762\python310.dll
Filesize
1.5MB

MD5
f8588acfbe613c10995ce5e1f81d630d

SHA1
632657d4b0e83dfdfa41d36e770c43e1c097847a

SHA256
59076f6db6590a0aaa7a98abc05080387db9f3aba2b47512bf1101a502b955b7

SHA512
0a33e145575e332022b2a54d2478e292c10ce276bbcd9716649cf6875cfea065bf449455b140a109c7a841cd45714330c1df250d05ed32228f82e4294874559b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12762\python310.dll
Filesize
1.5MB

MD5
f8588acfbe613c10995ce5e1f81d630d

SHA1
632657d4b0e83dfdfa41d36e770c43e1c097847a

SHA256
59076f6db6590a0aaa7a98abc05080387db9f3aba2b47512bf1101a502b955b7

SHA512
0a33e145575e332022b2a54d2478e292c10ce276bbcd9716649cf6875cfea065bf449455b140a109c7a841cd45714330c1df250d05ed32228f82e4294874559b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12762\python310.dll
Filesize
1.5MB

MD5
f8588acfbe613c10995ce5e1f81d630d

SHA1
632657d4b0e83dfdfa41d36e770c43e1c097847a

SHA256
59076f6db6590a0aaa7a98abc05080387db9f3aba2b47512bf1101a502b955b7

SHA512
0a33e145575e332022b2a54d2478e292c10ce276bbcd9716649cf6875cfea065bf449455b140a109c7a841cd45714330c1df250d05ed32228f82e4294874559b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12762\python310.dll
Filesize
1.5MB

MD5
f8588acfbe613c10995ce5e1f81d630d

SHA1
632657d4b0e83dfdfa41d36e770c43e1c097847a

SHA256
59076f6db6590a0aaa7a98abc05080387db9f3aba2b47512bf1101a502b955b7

SHA512
0a33e145575e332022b2a54d2478e292c10ce276bbcd9716649cf6875cfea065bf449455b140a109c7a841cd45714330c1df250d05ed32228f82e4294874559b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12762\python310.dll
Filesize
1.5MB

MD5
f8588acfbe613c10995ce5e1f81d630d

SHA1
632657d4b0e83dfdfa41d36e770c43e1c097847a

SHA256
59076f6db6590a0aaa7a98abc05080387db9f3aba2b47512bf1101a502b955b7

SHA512
0a33e145575e332022b2a54d2478e292c10ce276bbcd9716649cf6875cfea065bf449455b140a109c7a841cd45714330c1df250d05ed32228f82e4294874559b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12762\sqlite3.dll
Filesize
606KB

MD5
13fd19b44ce28ee50116cfe7a4801fb4

SHA1
70c3ad674d161051a6f2081cbeb13587bf4c146a

SHA256
8401d3ff11a0f9114a5e308405e0433d3d404725d40b3ecaf6db313e0373cedf

SHA512
32bd4b3528fe9e8c1d00bad935666fc2699840c0b9a29547b49d97a275f039c6142d668073b8145f7771f59c465bd152e72b79ce5b844fc3a600527965456f5b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12762\sqlite3.dll
Filesize
606KB

MD5
13fd19b44ce28ee50116cfe7a4801fb4

SHA1
70c3ad674d161051a6f2081cbeb13587bf4c146a

SHA256
8401d3ff11a0f9114a5e308405e0433d3d404725d40b3ecaf6db313e0373cedf

SHA512
32bd4b3528fe9e8c1d00bad935666fc2699840c0b9a29547b49d97a275f039c6142d668073b8145f7771f59c465bd152e72b79ce5b844fc3a600527965456f5b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12762\sqlite3.dll
Filesize
606KB

MD5
13fd19b44ce28ee50116cfe7a4801fb4

SHA1
70c3ad674d161051a6f2081cbeb13587bf4c146a

SHA256
8401d3ff11a0f9114a5e308405e0433d3d404725d40b3ecaf6db313e0373cedf

SHA512
32bd4b3528fe9e8c1d00bad935666fc2699840c0b9a29547b49d97a275f039c6142d668073b8145f7771f59c465bd152e72b79ce5b844fc3a600527965456f5b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12762\sqlite3.dll
Filesize
606KB

MD5
13fd19b44ce28ee50116cfe7a4801fb4

SHA1
70c3ad674d161051a6f2081cbeb13587bf4c146a

SHA256
8401d3ff11a0f9114a5e308405e0433d3d404725d40b3ecaf6db313e0373cedf

SHA512
32bd4b3528fe9e8c1d00bad935666fc2699840c0b9a29547b49d97a275f039c6142d668073b8145f7771f59c465bd152e72b79ce5b844fc3a600527965456f5b

Download Submit
memory/552-123-0x0000000000000000-mapping.dmp

Download
memory/944-59-0x000007FEF5AB0000-0x000007FEF5F1F000-memory.dmp

Filesize
4.4MB

Download
memory/944-55-0x0000000000000000-mapping.dmp

Download
memory/1276-54-0x000007FEFB731000-0x000007FEFB733000-memory.dmp

Filesize
8KB

Download
memory/2076-71-0x0000000000000000-mapping.dmp

Download
memory/2240-124-0x0000000000B80000-0x0000000000BC0000-memory.dmp

Filesize
256KB

Download
memory/2240-125-0x0000000000BC0000-0x0000000000C00000-memory.dmp

Filesize
256KB

Download
memory/2240-105-0x0000000000000000-mapping.dmp

Download
memory/2324-86-0x0000000000000000-mapping.dmp

Download
memory/2416-77-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2416-78-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2416-70-0x0000000000000000-mapping.dmp

Download
memory/2628-87-0x0000000000000000-mapping.dmp

Download
memory/2712-85-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/2712-84-0x0000000000000000-mapping.dmp

Download