hxxp://80[.]66[.]75[.]37/a-Lyrdbmzywx[.]exe

Modify Registry

Processes:

instup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswArDisk\ImagePath = "system32\\drivers\\aswArDisk.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswKbd\ImagePath = "system32\\drivers\\aswKbd.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswNetHub\ImagePath = "system32\\drivers\\aswNetHub.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswStm\ImagePath = "system32\\drivers\\aswStm.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswSnx\ImagePath = "system32\\drivers\\aswSnx.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswRdr\ImagePath = "system32\\drivers\\aswRdr2.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswElam\ImagePath = "system32\\drivers\\aswElam.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswMonFlt\ImagePath = "system32\\drivers\\aswMonFlt.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswRvrt\ImagePath = "system32\\drivers\\aswRvrt.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswSP\ImagePath = "system32\\drivers\\aswSP.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswbuniv\ImagePath = "system32\\drivers\\aswbuniv.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswbidsdriver\ImagePath = "system32\\drivers\\aswbidsdriver.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswbidsh\ImagePath = "system32\\drivers\\aswbidsh.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswVmm\ImagePath = "system32\\drivers\\aswVmm.sys"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\aswArPot\ImagePath = "system32\\drivers\\aswArPot.sys"	instup.exe

Executes dropped EXE 31 IoCs

Processes:

avast_free_antivirus_setup_online.exeavast_free_antivirus_setup_online_x64.exeinstup.exeinstup.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exesbr.exeSetupInf.exeSetupInf.exeSetupInf.exeSetupInf.exeSetupInf.exeAvEmUpdate.exeAvEmUpdate.exeavBugReport.exeRegSvr.exeRegSvr.exeRegSvr.exeRegSvr.exeAvastNM.exeSetupInf.exeoverseer.exeengsup.exewsc_proxy.exewsc_proxy.exeengsup.exe

pid	process
5852	avast_free_antivirus_setup_online.exe
6744	avast_free_antivirus_setup_online_x64.exe
6112	instup.exe
5732	instup.exe
4020	aswOfferTool.exe
1440	aswOfferTool.exe
5416	aswOfferTool.exe
5420	aswOfferTool.exe
5100	aswOfferTool.exe
7080	aswOfferTool.exe
5508	aswOfferTool.exe
3460	sbr.exe
6372	SetupInf.exe
7064	SetupInf.exe
3756	SetupInf.exe
5868	SetupInf.exe
956	SetupInf.exe
6464	AvEmUpdate.exe
6304	AvEmUpdate.exe
516	avBugReport.exe
3436	RegSvr.exe
1992	RegSvr.exe
7040	RegSvr.exe
3044	RegSvr.exe
5880	AvastNM.exe
5292	SetupInf.exe
3232	overseer.exe
5912	engsup.exe
3388	wsc_proxy.exe
6148	wsc_proxy.exe
3700	engsup.exe

Loads dropped DLL 12 IoCs

Processes:

avast_free_antivirus_setup_online.exeinstup.exeinstup.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeRegSvr.exeRegSvr.exe

pid	process
5852	avast_free_antivirus_setup_online.exe
6112	instup.exe
6112	instup.exe
6112	instup.exe
6112	instup.exe
5732	instup.exe
5416	aswOfferTool.exe
5100	aswOfferTool.exe
7080	aswOfferTool.exe
5508	aswOfferTool.exe
3436	RegSvr.exe
1992	RegSvr.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Registers COM server for autorun 1 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

Processes:

RegSvr.exeRegSvr.exeinstup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C5422B3-D1E2-449E-A736-809C934C2F80}\InprocServer32\ = "C:\\Program Files\\Avast Software\\Avast\\aswAMSI.dll"	RegSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B342E21B-AD7E-4568-AE3F-D0D844537A7A}\InprocServer32\ = "C:\\Program Files\\Avast Software\\Avast\\asOutExt.dll"	RegSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B342E21B-AD7E-4568-AE3F-D0D844537A7A}\InprocServer32\ThreadingModel = "Apartment"	RegSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}\InprocServer32	RegSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}\InprocServer32\ThreadingModel = "Both"	RegSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C5422B3-D1E2-449E-A736-809C934C2F80}\InprocServer32	RegSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}\InProcServer32\ThreadingModel = "Apartment"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB904E4E-D2C7-4C8D-8492-B620BB9896B1}\InprocServer32\ = "C:\\Program Files\\Avast Software\\Avast\\aswAMSI.dll"	RegSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3C5422B3-D1E2-449E-A736-809C934C2F80}\InprocServer32\ThreadingModel = "Both"	RegSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B342E21B-AD7E-4568-AE3F-D0D844537A7A}\InprocServer32	RegSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}\InProcServer32	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}\InProcServer32\ = "C:\\Program Files\\Avast Software\\Avast\\ashShell.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}\InProcServer32\ReleaseName = "C:\\Program Files\\Avast Software\\Avast\\ashShell.dll"	instup.exe

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

Processes:

instup.exewsc_proxy.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Provider	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av	instup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SECURITY CENTER\PROVIDER\AV\{8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}	wsc_proxy.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\SECURITY CENTER\PROVIDER\AV\{8EA8924E-BC81-DC44-8BB0-8BAE75D86EBF}	wsc_proxy.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

instup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\AvRepair = "\"C:\\Program Files\\Avast Software\\Avast\\setup\\instup.exe\" /instop:repair /wait"	instup.exe

Checks for any installed AV software in registry 1 TTPs 64 IoCs

Security Software Discovery

T1063

Processes:

wsc_proxy.exeinstup.exeSetupInf.exeRegSvr.exeengsup.exeAvEmUpdate.exeSetupInf.exeSetupInf.exeavBugReport.exeengsup.exeSetupInf.exeSetupInf.exeAvEmUpdate.exeRegSvr.exewsc_proxy.exeRegSvr.exeAvastNM.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{EC4ECEDA-3E3B-4027-ABFE-29A5122D64D6}	wsc_proxy.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder	instup.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	RegSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{2243A056-84B3-4327-8E46-5FE41F72EE91}\TaskSensitivity = "100"	wsc_proxy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{FDC844BC-62CE-4A58-A28B-77AA70274062}\ActionOnPackedFile = "filearchive"	wsc_proxy.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder	instup.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	instup.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{19EA8BF0-A12F-1AF0-FB25-293AD7155932}\Job = "Scan"	wsc_proxy.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{CC13CA7D-229B-4D0A-8D27-E26129CDDF10}	wsc_proxy.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	engsup.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\Scanner	wsc_proxy.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{2243A056-84B3-4327-8E46-5FE41F72EE91}	wsc_proxy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\avast! Antivirus	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder = "C:\\Program Files\\Avast Software\\Avast"	instup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MicroUpdates = 3300310037003d00310036003700390037003600330038003200350000003400330039003d00310036003700390037003600330038003200350000003400390034003d00310036003700390037003600330038003200350000003500320038003d00310036003700390037003600330038003200360000003700330034003d00310036003700390037003600330038003200380000003700360032003d00310036003700390037003600330038003300300000003700370036003d00310036003700390037003600330038003300330000000000	AvEmUpdate.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	RegSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{CC13CA7D-229B-4D0A-8D27-E26129CDDF10}\VirusAction = "fix"	wsc_proxy.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	wsc_proxy.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\PassiveMode	wsc_proxy.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\Common	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\IDP\Setting\enabled = "1"	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupVersion	SetupInf.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast	SetupInf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{D93EF81A-B92F-27FE-AF54-9278EA8BF910}\Label = "*@1015"	wsc_proxy.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\AlphaMigrationFlag	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LastAppliedPatchId	AvEmUpdate.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Volatile	avBugReport.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{19EA8BF0-A12F-1AF0-FB25-293AD7155932}\DefaultTask = "1"	wsc_proxy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{FDC844BC-62CE-4A58-A28B-77AA70274062}\SuspiciousAction = "fix"	wsc_proxy.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder	engsup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{D93EF81A-B92F-27FE-AF54-9278EA8BF910}\DefaultTask = "1"	wsc_proxy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{FDC844BC-62CE-4A58-A28B-77AA70274062}\ScanAreas = "SystemDisk;*RTK-SUPERQUICK;QuickStartup"	wsc_proxy.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions	instup.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder	AvEmUpdate.exe
Key opened	\REGISTRY\MACHINE\Software\AVAST Software\Avast\properties	SetupInf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{2243A056-84B3-4327-8E46-5FE41F72EE91}\ScanType = "Content"	wsc_proxy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{EC4ECEDA-3E3B-4027-ABFE-29A5122D64D6}	wsc_proxy.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{CB6AE6F8-D9A8-4794-B2BF-53A84058C58F}	wsc_proxy.exe
Delete value	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\InstallerPhase2	AvEmUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\UpdateVersion = "734"	AvEmUpdate.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings	RegSvr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	engsup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\CrashGuard	wsc_proxy.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\Languages	wsc_proxy.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder	SetupInf.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\Languages	instup.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\StreamBack	avBugReport.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{A9682249-08E7-4BBF-B870-EFBC63AA2888}\ScanType = "Content"	wsc_proxy.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder	engsup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{A9682249-08E7-4BBF-B870-EFBC63AA2888}\ScanExclusions	wsc_proxy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{A9682249-08E7-4BBF-B870-EFBC63AA2888}\ScanPackers = "All"	wsc_proxy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{CB6AE6F8-D9A8-4794-B2BF-53A84058C58F}\Comment = "*@1011"	wsc_proxy.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\IDP	instup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\Languages	instup.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast	avBugReport.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog	RegSvr.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder	AvastNM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{FDC844BC-62CE-4A58-A28B-77AA70274062}\TaskSensitivity = "40"	wsc_proxy.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings\{2243A056-84B3-4327-8E46-5FE41F72EE91}	wsc_proxy.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 19 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

instup.exewsc_proxy.exeavast_free_antivirus_setup_online.exeavast_free_antivirus_setup_online_x64.exeRegSvr.exeRegSvr.exeRegSvr.exeRegSvr.exeSetupInf.exewsc_proxy.exeinstup.exeSetupInf.exeSetupInf.exeAvEmUpdate.exeoverseer.exeSetupInf.exeSetupInf.exeSetupInf.exeavBugReport.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	wsc_proxy.exe
File opened for modification	\??\PhysicalDrive0	avast_free_antivirus_setup_online.exe
File opened for modification	\??\PhysicalDrive0	avast_free_antivirus_setup_online_x64.exe
File opened for modification	\??\PhysicalDrive0	RegSvr.exe
File opened for modification	\??\PhysicalDrive0	RegSvr.exe
File opened for modification	\??\PhysicalDrive0	RegSvr.exe
File opened for modification	\??\PhysicalDrive0	RegSvr.exe
File opened for modification	\??\PhysicalDrive0	SetupInf.exe
File opened for modification	\??\PhysicalDrive0	wsc_proxy.exe
File opened for modification	\??\PhysicalDrive0	instup.exe
File opened for modification	\??\PhysicalDrive0	SetupInf.exe
File opened for modification	\??\PhysicalDrive0	SetupInf.exe
File opened for modification	\??\PhysicalDrive0	AvEmUpdate.exe
File opened for modification	\??\PhysicalDrive0	overseer.exe
File opened for modification	\??\PhysicalDrive0	SetupInf.exe
File opened for modification	\??\PhysicalDrive0	SetupInf.exe
File opened for modification	\??\PhysicalDrive0	SetupInf.exe
File opened for modification	\??\PhysicalDrive0	avBugReport.exe

Drops file in System32 directory 3 IoCs

Processes:

instup.exeSetupInf.exe

description	ioc	process
File opened for modification	C:\Windows\system32\asw96a0af5db33af0b7.tmp	instup.exe
File created	C:\Windows\system32\asw96a0af5db33af0b7.tmp	instup.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	SetupInf.exe

Drops file in Program Files directory 64 IoCs

Processes:

instup.exeAvEmUpdate.exeengsup.exeengsup.exe

description	ioc	process
File opened for modification	C:\Program Files\Avast Software\Avast\aswChLic.exe	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\Setup\d3765d85-9460-4967-8509-15e4892ec359\CFF88BC414900FD057BF71BAB5C3BB2F.rmt	AvEmUpdate.exe
File opened for modification	C:\Program Files\Avast Software\Avast\defs\23032499\db_cmd.sig.sum	instup.exe
File created	C:\Program Files\Avast Software\Avast\defs\23032499\db_o7.map	engsup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\WebRep\IE	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\x86\avast.local_vc142.crt\asw1e5de19636460359.tmp	instup.exe
File created	C:\Program Files\Avast Software\Avast\Licenses\asw4570981e6928d9a1.tmp	instup.exe
File created	C:\Program Files\Avast Software\Avast\defs\23032499\asw868e7cffc13870b7.tmp	instup.exe
File created	C:\Program Files\Avast Software\Avast\Licenses\aswf4441e66454a1260.tmp	instup.exe
File created	C:\Program Files\Avast Software\Avast\x86\avast.local_vc142.crt\asw412ccc1d5e6b87d9.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\x86\dnd_helper.dll	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\wsc_proxy.exe.sum	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\setup\config.def.vpx	instup.exe
File created	C:\Program Files\Avast Software\Avast\RescueDisk\asw8ec58ee63429021b.tmp	instup.exe
File created	C:\Program Files\Avast Software\Avast\Licenses\asw230f1524468e2fe0.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\avast.local_vc142.crt\api-ms-win-crt-heap-l1-1-0.dll.sum	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\aswRunDll.exe.sum	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\aswWrcIEBroker32.dll	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\event_manager_rpc.dll	instup.exe
File created	C:\Program Files\Avast Software\Avast\Setup\f770c014-6f5d-4ec8-91cf-7502fe3bf64d.ini	AvEmUpdate.exe
File created	C:\Program Files\Avast Software\Avast\setup\part-setup_ais-170217a5.vpx	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\defs\23032499\engsup.ini	engsup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\defs\23032499\db_w6.sig.sum	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\x86\avast.local_vc142.crt\api-ms-win-crt-private-l1-1-0.dll	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\setup\iplugins-*.vpx	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\1033\avast.local_vc142.crt\aswfda5782f463253b9.tmp	instup.exe
File created	\??\c:\program files\avast software\avast\setup\6b162af9-600d-45f5-b97e-1f6f5973c301\8E32D405FB925A7688BE6793CA6CA7BFCE9B0792DFDA619086BF253745864E4B	AvEmUpdate.exe
File created	C:\Program Files\Avast Software\Avast\setup\Inf\x64\asw47cb8e49bb4104b4.tmp	instup.exe
File created	C:\Program Files\Avast Software\Avast\defs\23032499\aswa73bbf40effed9cd.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\avast.local_vc142.crt\asw813a02434a619e1c.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\asw76bbcf0274b6d947.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\aswPropertyAv.dll.sum	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\aswW8ntf.dll	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\setup\Inf\x64\aswbidsh.sys	instup.exe
File created	C:\Program Files\Avast Software\Avast\aswedec874d8e591964.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\avast.local_vc142.crt\aswbeec01622f92d243.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\x86\avast.local_vc142.crt\asw478fb44cab895782.tmp	instup.exe
File created	C:\Program Files\Avast Software\Avast\1033\avast.local_vc142.crt\asw8e10984301c3783a.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\asw5f365c61a8aa691d.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\setup\instup.dll	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\setup\Inf\aswRdr2.inf	instup.exe
File created	C:\Program Files\Avast Software\Avast\setup\aswe0eee4d08610b8e7.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\asw0c811625ea533f60.tmp	instup.exe
File created	C:\Program Files\Avast Software\Avast\setup\aswe9db6d333c4ed899.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\avast.local_vc142.crt\api-ms-win-core-heap-l1-1-0.dll.sum	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\avast.local_vc142.crt\api-ms-win-crt-time-l1-1-0.dll.sum	instup.exe
File created	C:\Program Files\Avast Software\Avast\asw77052db4983f8ba0.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\aswSqLt.dll	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\avast.local_vc142.crt\api-ms-win-crt-time-l1-1-0.dll	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\x86\avast.local_vc142.crt\api-ms-win-core-memory-l1-1-0.dll.sum	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\1033\BCULangRes_1033.dll	instup.exe
File created	C:\Program Files\Avast Software\Avast\avast.local_vc142.crt\asw83a154fdb2c9b641.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\x86\avast.local_vc142.crt\msvcp140_atomic_wait.dll.sum	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\asw65164f400ecc7828.tmp	instup.exe
File created	C:\Program Files\Avast Software\Avast\x86\asw7bc70001a1eccb66.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\avast.local_vc142.crt\asw5c16db3b784ccd37.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\avastIP.dll	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\Edge_Renderer.dll	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\Setup\d3765d85-9460-4967-8509-15e4892ec359\55F6C02FCCE1EC4C3F2A4CA6158C299F437A33299BA55C2722D9F040C7F01831.sum	AvEmUpdate.exe
File created	C:\Program Files\Avast Software\Avast\defs\23032499\aswc590558d521f7038.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\setup\Inf\x64\aswRvrt.sys	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\Licenses\asw1b8d477cfb86a3d8.tmp	instup.exe
File created	C:\Program Files\Avast Software\Avast\x86\avast.local_vc142.crt\asw6fc98a09c45a709a.tmp	instup.exe
File opened for modification	C:\Program Files\Avast Software\Avast\defs\23032499\Sf2.dll.sum	instup.exe

Drops file in Windows directory 2 IoCs

Processes:

instup.exe

description	ioc	process
File opened for modification	C:\Windows\ELAMBKUP\asw4d5316bcae8812c3.tmp	instup.exe
File created	C:\Windows\ELAMBKUP\asw4d5316bcae8812c3.tmp	instup.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

instup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	instup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	instup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	instup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	instup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	instup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	instup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	instup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	instup.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

RegSvr.exeRegSvr.exeengsup.exeinstup.exeinstup.exeRegSvr.exeSetupInf.exewsc_proxy.exeAvEmUpdate.exeAvEmUpdate.exeRegSvr.exeavast_free_antivirus_setup_online_x64.exeSetupInf.exeSetupInf.exeengsup.exeSetupInf.exeSetupInf.exewsc_proxy.exeAvastNM.exeSetupInf.exeavBugReport.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	RegSvr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RegSvr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RegSvr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	engsup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RegSvr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegSvr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	wsc_proxy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	AvEmUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	AvEmUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	RegSvr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RegSvr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegSvr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	RegSvr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegSvr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	RegSvr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SetupInf.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wsc_proxy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wsc_proxy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RegSvr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	SetupInf.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	engsup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	engsup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SetupInf.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	SetupInf.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	SetupInf.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wsc_proxy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	RegSvr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	AvastNM.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	engsup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	SetupInf.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wsc_proxy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AvEmUpdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegSvr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	RegSvr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	AvastNM.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	SetupInf.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	SetupInf.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	AvEmUpdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SetupInf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	avBugReport.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	SetupInf.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	AvEmUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	avast_free_antivirus_setup_online_x64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	SetupInf.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	RegSvr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	RegSvr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	engsup.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

System Information Discovery

Processes:

instup.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\Bios	instup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosReleaseDate	instup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

Processes:

RegSvr.exeRegSvr.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Validation\{3C5422B3-D1E2-449E-A736-809C934C2F80}	RegSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Validation\{3C5422B3-D1E2-449E-A736-809C934C2F80}	RegSvr.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133242363152537573"	chrome.exe

Modifies registry class 64 IoCs

Processes:

instup.exeinstup.exeRegSvr.exeRegSvr.exechrome.exechrome.exechrome.exechrome.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: vps_tools_64"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: uiext.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: db_ap2.dat"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: api-ms-win-core-file-l2-1-0.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\WebRep\\IE"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "79"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "40"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CD2CE11F-5C26-4217-A773-914FADDA6FD9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	RegSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F64B349A-BD50-415F-9F99-72E00C161493}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	RegSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B342E21B-AD7E-4568-AE3F-D0D844537A7A}\ = "Addin Class"	RegSvr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "69"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: VisthAux.exe"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\Edge_Renderer.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Common Files\\AV\\avast! Antivirus\\upgrade.exe"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\aswUtil.dll"	instup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: PCRE.txt"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\network_notifications.dll"	instup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\avast	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "43"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\x86\\AvastEmUpdate.exe"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\dnsdoh.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\aswWrcIEBroker32.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\ProgramData\\Avast Software\\Avast\\log\\*.log.9"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\setup\\Inf\\aswVmm.inf"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\setup\\ngiodriver_x64_ais-*.vpx"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: msvcp140_1.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: ucrtbase.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: ais_gen_core_x64-895.vpx"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: aswQcr.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\setup\\config.def.vpx"	instup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "94"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Deleting file: C:\\Program Files\\Avast Software\\Avast\\aswsecapix.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: aswPropertyAv.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: api-ms-win-core-synch-l1-1-0.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: PushPin.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: aswbidsh.sys"	instup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "73"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: CommonRes.dll"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Installing kernel driver: aswKbd"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "45"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: config.def.vpx"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: api-ms-win-crt-string-l1-1-0.dll"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Main = "31"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "30"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: aswScan.dll"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "26"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "34"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: db_as.dat"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: db_wh2.dat"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}\InProcServer32\ReleaseName = "C:\\Program Files\\Avast Software\\Avast\\x86\\ashShell.dll"	instup.exe
Key created	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_UpdateSetup_Syncer = "14"	instup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Installation_Syncer = "39"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: ais_cmp_cleanup_x64"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "File downloaded: vps_binaries-87.vpx"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: Xerces.txt"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: libevent.txt"	instup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\InstupProgress_Description = "Extracting file: api-ms-win-core-console-l1-1-0.dll"	instup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

chrome.exechrome.exeavast_free_antivirus_setup_online_x64.exeinstup.exe

pid	process
2484	chrome.exe
2484	chrome.exe
3440	chrome.exe
3440	chrome.exe
6744	avast_free_antivirus_setup_online_x64.exe
6744	avast_free_antivirus_setup_online_x64.exe
5732	instup.exe
5732	instup.exe
5732	instup.exe
5732	instup.exe
5732	instup.exe
5732	instup.exe
5732	instup.exe
5732	instup.exe
5732	instup.exe
5732	instup.exe

Suspicious behavior: LoadsDriver 13 IoCs

Processes:

pid process

632
632
632
632
632
632
632
632
632
632
632
632
632

pid	process
632
632
632
632
632
632
632
632
632
632
632
632
632

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

Processes:

chrome.exe

pid	process
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe
Token: SeShutdownPrivilege	2484	chrome.exe
Token: SeCreatePagefilePrivilege	2484	chrome.exe

Suspicious use of FindShellTrayWindow 52 IoCs

Processes:

chrome.exeinstup.exe

pid	process
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
5732	instup.exe
5732	instup.exe
5732	instup.exe

Suspicious use of SendNotifyMessage 30 IoCs

Processes:

chrome.exeinstup.exe

pid	process
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
2484	chrome.exe
5732	instup.exe
5732	instup.exe

Suspicious use of SetWindowsHookEx 37 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeavast_free_antivirus_setup_online.exeavast_free_antivirus_setup_online_x64.exeinstup.exeinstup.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exeaswOfferTool.exesbr.exeSetupInf.exeSetupInf.exeSetupInf.exeSetupInf.exeSetupInf.exeAvEmUpdate.exeAvEmUpdate.exeavBugReport.exeRegSvr.exeRegSvr.exeRegSvr.exeRegSvr.exeAvastNM.exeSetupInf.exeoverseer.exeengsup.exeengsup.exe

pid	process
4400	chrome.exe
5880	chrome.exe
5152	chrome.exe
3520	chrome.exe
696	chrome.exe
1000	chrome.exe
5852	avast_free_antivirus_setup_online.exe
6744	avast_free_antivirus_setup_online_x64.exe
6112	instup.exe
6112	instup.exe
5732	instup.exe
5732	instup.exe
4020	aswOfferTool.exe
1440	aswOfferTool.exe
5416	aswOfferTool.exe
5420	aswOfferTool.exe
7080	aswOfferTool.exe
5508	aswOfferTool.exe
5732	instup.exe
3460	sbr.exe
6372	SetupInf.exe
7064	SetupInf.exe
3756	SetupInf.exe
5868	SetupInf.exe
956	SetupInf.exe
6464	AvEmUpdate.exe
6304	AvEmUpdate.exe
516	avBugReport.exe
3436	RegSvr.exe
1992	RegSvr.exe
7040	RegSvr.exe
3044	RegSvr.exe
5880	AvastNM.exe
5292	SetupInf.exe
3232	overseer.exe
5912	engsup.exe
3700	engsup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2484 wrote to memory of 2496	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 2496	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4132	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4844	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 4844	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 3704	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 3704	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 3704	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 3704	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 3704	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 3704	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 3704	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 3704	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 3704	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 3704	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 3704	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 3704	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 3704	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 3704	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 3704	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 3704	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 3704	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 3704	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 3704	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 3704	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 3704	2484	chrome.exe	chrome.exe
PID 2484 wrote to memory of 3704	2484	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://80.66.75.37/a-Lyrdbmzywx.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc968c9758,0x7ffc968c9768,0x7ffc968c9778
2⤵
PID:2496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1964 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:4844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:2
2⤵
PID:4132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1676 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:3704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2712 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:1412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2704 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4880 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:4812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4896 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:4840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:1804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:4520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:1592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5152 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:2712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5000 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:2076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5312 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3380 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5776 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:4992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3792 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:4696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5112 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:1476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3360 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:2200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:2088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=2760 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:2576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3120 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5720 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5468 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2012 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:4536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5644 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5632 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=4412 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2732 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:4436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=6152 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=2204 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:1576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=2228 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:1208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=1516 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=5844 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:1476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=5668 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=7196 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:1544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=7360 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:3832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=7328 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=7064 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:2324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=6624 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=6784 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=6484 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=6480 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=5132 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=3284 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:3044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=7776 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=8172 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:2112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=8464 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:2636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=8184 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:2040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=7888 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:3968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=7188 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=6752 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=4696 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:2008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=8044 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:1784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=8912 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=8968 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=57 --mojo-platform-channel-handle=8940 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=58 --mojo-platform-channel-handle=6776 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=59 --mojo-platform-channel-handle=7344 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=60 --mojo-platform-channel-handle=6988 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=61 --mojo-platform-channel-handle=9280 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=62 --mojo-platform-channel-handle=9456 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=63 --mojo-platform-channel-handle=9524 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=64 --mojo-platform-channel-handle=8608 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=65 --mojo-platform-channel-handle=10384 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=66 --mojo-platform-channel-handle=7500 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=67 --mojo-platform-channel-handle=3380 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=68 --mojo-platform-channel-handle=6344 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=69 --mojo-platform-channel-handle=10548 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:3360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=70 --mojo-platform-channel-handle=10568 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=72 --mojo-platform-channel-handle=11248 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:2272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=71 --mojo-platform-channel-handle=10676 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:1044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=73 --mojo-platform-channel-handle=8520 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:2260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=74 --mojo-platform-channel-handle=9628 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=75 --mojo-platform-channel-handle=10016 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=76 --mojo-platform-channel-handle=9896 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=77 --mojo-platform-channel-handle=9880 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=78 --mojo-platform-channel-handle=8500 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=79 --mojo-platform-channel-handle=11600 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=80 --mojo-platform-channel-handle=11612 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=81 --mojo-platform-channel-handle=10468 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=82 --mojo-platform-channel-handle=11572 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=83 --mojo-platform-channel-handle=11888 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=84 --mojo-platform-channel-handle=11952 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=85 --mojo-platform-channel-handle=8884 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:7044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=87 --mojo-platform-channel-handle=9360 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:7124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=86 --mojo-platform-channel-handle=9244 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:7116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=88 --mojo-platform-channel-handle=11764 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=89 --mojo-platform-channel-handle=11844 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:3520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=90 --mojo-platform-channel-handle=8712 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=91 --mojo-platform-channel-handle=7176 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=92 --mojo-platform-channel-handle=5712 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=93 --mojo-platform-channel-handle=8656 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=94 --mojo-platform-channel-handle=11332 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=95 --mojo-platform-channel-handle=8220 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=96 --mojo-platform-channel-handle=11000 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:7084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=97 --mojo-platform-channel-handle=6212 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6172 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:6864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:6048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3792 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7716 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=102 --mojo-platform-channel-handle=3676 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:3412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=103 --mojo-platform-channel-handle=3792 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:2708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=11028 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:4744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2736 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:6476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=106 --mojo-platform-channel-handle=10728 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:1576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=107 --mojo-platform-channel-handle=5984 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=108 --mojo-platform-channel-handle=6184 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=109 --mojo-platform-channel-handle=12236 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=110 --mojo-platform-channel-handle=4936 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6216 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:6716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7692 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:4392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=113 --mojo-platform-channel-handle=8628 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=114 --mojo-platform-channel-handle=6868 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=115 --mojo-platform-channel-handle=10344 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6168 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=117 --mojo-platform-channel-handle=7204 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=118 --mojo-platform-channel-handle=6800 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:2148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=10124 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:6800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9904 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:4608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=121 --mojo-platform-channel-handle=7928 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=122 --mojo-platform-channel-handle=3792 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:2128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=123 --mojo-platform-channel-handle=11296 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=124 --mojo-platform-channel-handle=4492 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:7000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=125 --mojo-platform-channel-handle=6832 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=126 --mojo-platform-channel-handle=4372 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=127 --mojo-platform-channel-handle=7504 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:3960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=128 --mojo-platform-channel-handle=7016 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:3336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=129 --mojo-platform-channel-handle=1736 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=130 --mojo-platform-channel-handle=6756 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=131 --mojo-platform-channel-handle=776 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=132 --mojo-platform-channel-handle=7772 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:7156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
- Suspicious use of SetWindowsHookEx
PID:5880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=134 --mojo-platform-channel-handle=9844 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=135 --mojo-platform-channel-handle=9108 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=11104 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:2756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2476 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:2612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=138 --mojo-platform-channel-handle=10516 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=139 --mojo-platform-channel-handle=8660 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=140 --mojo-platform-channel-handle=12296 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=141 --mojo-platform-channel-handle=6180 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=142 --mojo-platform-channel-handle=11500 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=143 --mojo-platform-channel-handle=1608 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=144 --mojo-platform-channel-handle=9732 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:3568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=145 --mojo-platform-channel-handle=5352 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=146 --mojo-platform-channel-handle=6640 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:1592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=147 --mojo-platform-channel-handle=10600 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:1784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=148 --mojo-platform-channel-handle=9300 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=149 --mojo-platform-channel-handle=7796 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=150 --mojo-platform-channel-handle=1588 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=151 --mojo-platform-channel-handle=6920 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=152 --mojo-platform-channel-handle=8448 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:2420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=158 --mojo-platform-channel-handle=12308 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:2392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=157 --mojo-platform-channel-handle=5820 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=156 --mojo-platform-channel-handle=8104 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=155 --mojo-platform-channel-handle=10604 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=154 --mojo-platform-channel-handle=7652 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:3440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=153 --mojo-platform-channel-handle=10140 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=159 --mojo-platform-channel-handle=12096 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:2116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=160 --mojo-platform-channel-handle=11960 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:2636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=161 --mojo-platform-channel-handle=10468 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=162 --mojo-platform-channel-handle=9568 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=163 --mojo-platform-channel-handle=8540 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=164 --mojo-platform-channel-handle=8524 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=165 --mojo-platform-channel-handle=12092 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=166 --mojo-platform-channel-handle=7592 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:1460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=167 --mojo-platform-channel-handle=6604 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=168 --mojo-platform-channel-handle=11896 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10256 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=170 --mojo-platform-channel-handle=10464 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9816 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=172 --mojo-platform-channel-handle=11304 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=173 --mojo-platform-channel-handle=9144 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:4128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=174 --mojo-platform-channel-handle=8992 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:2812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9224 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
- Suspicious use of SetWindowsHookEx
PID:696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=176 --mojo-platform-channel-handle=7100 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6644 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=178 --mojo-platform-channel-handle=8560 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=179 --mojo-platform-channel-handle=11480 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:1764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=180 --mojo-platform-channel-handle=11804 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:1360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=181 --mojo-platform-channel-handle=11624 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=10228 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:6140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=10760 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:6084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=184 --mojo-platform-channel-handle=7700 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=185 --mojo-platform-channel-handle=10524 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:2792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=186 --mojo-platform-channel-handle=5956 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=10620 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:1628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=11500 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:5884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10176 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:3852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=10212 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2200 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:5208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7716 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:1004

C:\Users\Admin\Downloads\avast_free_antivirus_setup_online.exe
"C:\Users\Admin\Downloads\avast_free_antivirus_setup_online.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:5852

C:\Windows\Temp\asw.cb077c1ad87e6dd3\avast_free_antivirus_setup_online_x64.exe
"C:\Windows\Temp\asw.cb077c1ad87e6dd3\avast_free_antivirus_setup_online_x64.exe" /cookie:mmm_ava_003_999_a7c_m:dlid_FAV-ONLINE-HP /ga_clientid:21045c52-1626-4742-9d75-93167326a42f /edat_dir:C:\Windows\Temp\asw.cb077c1ad87e6dd3
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6744

C:\Windows\Temp\asw.5d575330eda1d487\instup.exe
"C:\Windows\Temp\asw.5d575330eda1d487\instup.exe" /sfx:lite /sfxstorage:C:\Windows\Temp\asw.5d575330eda1d487 /edition:1 /prod:ais /guid:43c823a9-6ea4-4fad-9043-dfa75f524252 /ga_clientid:21045c52-1626-4742-9d75-93167326a42f /cookie:mmm_ava_003_999_a7c_m:dlid_FAV-ONLINE-HP /ga_clientid:21045c52-1626-4742-9d75-93167326a42f /edat_dir:C:\Windows\Temp\asw.cb077c1ad87e6dd3
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6112

C:\Windows\Temp\asw.5d575330eda1d487\New_170217a5\instup.exe
"C:\Windows\Temp\asw.5d575330eda1d487\New_170217a5\instup.exe" /sfx /sfxstorage:C:\Windows\Temp\asw.5d575330eda1d487 /edition:1 /prod:ais /guid:43c823a9-6ea4-4fad-9043-dfa75f524252 /ga_clientid:21045c52-1626-4742-9d75-93167326a42f /cookie:mmm_ava_003_999_a7c_m:dlid_FAV-ONLINE-HP /edat_dir:C:\Windows\Temp\asw.cb077c1ad87e6dd3 /online_installer
5⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Windows security modification
- Adds Run key to start application
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5732

C:\Windows\Temp\asw.5d575330eda1d487\New_170217a5\aswOfferTool.exe
"C:\Windows\Temp\asw.5d575330eda1d487\New_170217a5\aswOfferTool.exe" -checkGToolbar -elevated
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4020

C:\Windows\Temp\asw.5d575330eda1d487\New_170217a5\aswOfferTool.exe
"C:\Windows\Temp\asw.5d575330eda1d487\New_170217a5\aswOfferTool.exe" /check_secure_browser
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1440

C:\Windows\Temp\asw.5d575330eda1d487\New_170217a5\aswOfferTool.exe
"C:\Windows\Temp\asw.5d575330eda1d487\New_170217a5\aswOfferTool.exe" -checkChrome -elevated
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5416

C:\Windows\Temp\asw.5d575330eda1d487\New_170217a5\aswOfferTool.exe
"C:\Windows\Temp\asw.5d575330eda1d487\New_170217a5\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5420

C:\Users\Public\Documents\aswOfferTool.exe
"C:\Users\Public\Documents\aswOfferTool.exe" -checkChromeReactivation -bc=AVFC
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5100

C:\Windows\Temp\asw.5d575330eda1d487\New_170217a5\aswOfferTool.exe
"C:\Windows\Temp\asw.5d575330eda1d487\New_170217a5\aswOfferTool.exe" -checkChromeReactivation -elevated -bc=AVFC
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:7080

C:\Windows\Temp\asw.5d575330eda1d487\New_170217a5\aswOfferTool.exe
"C:\Windows\Temp\asw.5d575330eda1d487\New_170217a5\aswOfferTool.exe" -checkChrome -elevated
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5508

C:\Windows\Temp\asw.5d575330eda1d487\New_170217a5\sbr.exe
"C:\Windows\Temp\asw.5d575330eda1d487\New_170217a5\sbr.exe" 5732 "Avast Antivirus setup" "Avast Antivirus is being installed. Do not shut down your computer!"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3460

C:\Program Files\Avast Software\Avast\SetupInf.exe
"C:\Program Files\Avast Software\Avast\SetupInf.exe" /uninstall /catalog:aswRdr2.cat
6⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:6372

C:\Program Files\Avast Software\Avast\SetupInf.exe
"C:\Program Files\Avast Software\Avast\SetupInf.exe" /uninstall /catalog:aswHwid.cat
6⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:7064

C:\Program Files\Avast Software\Avast\SetupInf.exe
"C:\Program Files\Avast Software\Avast\SetupInf.exe" /uninstall /catalog:aswVmm.cat
6⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:3756

C:\Program Files\Avast Software\Avast\SetupInf.exe
"C:\Program Files\Avast Software\Avast\SetupInf.exe" /uninstall /catalog:aswRvrt.cat
6⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:5868

C:\Program Files\Avast Software\Avast\SetupInf.exe
"C:\Program Files\Avast Software\Avast\SetupInf.exe" /elaminst C:\Windows\system32\drivers\aswElam.sys
6⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:956

C:\Program Files\Avast Software\Avast\AvEmUpdate.exe
"C:\Program Files\Avast Software\Avast\AvEmUpdate.exe" /installer /reg
6⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:6464

C:\Program Files\Avast Software\Avast\AvEmUpdate.exe
"C:\Program Files\Avast Software\Avast\AvEmUpdate.exe" /installer1
6⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:6304

C:\Program Files\Avast Software\Avast\avBugReport.exe
"C:\Program Files\Avast Software\Avast\avBugReport.exe" --send "dumps|report" --silent --path "C:\ProgramData\Avast Software\Avast" --logpath "C:\ProgramData\Avast Software\Avast\log" --guid 43c823a9-6ea4-4fad-9043-dfa75f524252
7⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:516

C:\Program Files\Avast Software\Avast\x86\RegSvr.exe
"C:\Program Files\Avast Software\Avast\x86\RegSvr.exe" "C:\Program Files\Avast Software\Avast\x86\aswAMSI.dll"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3436

C:\Program Files\Avast Software\Avast\RegSvr.exe
"C:\Program Files\Avast Software\Avast\RegSvr.exe" "C:\Program Files\Avast Software\Avast\aswAMSI.dll"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Program Files\Avast Software\Avast\x86\RegSvr.exe
"C:\Program Files\Avast Software\Avast\x86\RegSvr.exe" "C:\Program Files\Avast Software\Avast\x86\asOutExt.dll"
6⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7040

C:\Program Files\Avast Software\Avast\RegSvr.exe
"C:\Program Files\Avast Software\Avast\RegSvr.exe" "C:\Program Files\Avast Software\Avast\asOutExt.dll"
6⤵
- Executes dropped EXE
- Registers COM server for autorun
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3044

C:\Program Files\Avast Software\Avast\AvastNM.exe
"C:\Program Files\Avast Software\Avast\AvastNM.exe" /install
6⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:5880

C:\Program Files\Avast Software\Avast\SetupInf.exe
"C:\Program Files\Avast Software\Avast\SetupInf.exe" /catinstall:"C:\Program Files\Avast Software\Avast\setup\crts.cat" /basename:pkg_{af98c830-4f53-4176-a7b0-ec21fc603adc}.cat /crtid:FA726DE39EFE3E15CEE91CD7BCFA28756CD72153
6⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:5292

C:\Program Files\Common Files\Avast Software\Overseer\overseer.exe
"C:\Program Files\Common Files\Avast Software\Overseer\overseer.exe" /skip_uptime /skip_remediations
6⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:3232

C:\Program Files\Avast Software\Avast\defs\23032499\engsup.exe
"C:\Program Files\Avast Software\Avast\defs\23032499\engsup.exe" /prepare_definitions_folder
6⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:5912

C:\Program Files\Avast Software\Avast\wsc_proxy.exe
"C:\Program Files\Avast Software\Avast\wsc_proxy.exe" /svc /register /ppl_svc
6⤵
- Executes dropped EXE
- Windows security modification
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
PID:3388

C:\Program Files\Avast Software\Avast\defs\23032499\engsup.exe
"C:\Program Files\Avast Software\Avast\defs\23032499\engsup.exe" /get_latest_ga_client_id /get_latest_landingpageid_cookie /get_latest_pagedownloadid_cookie
6⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:3700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=193 --mojo-platform-channel-handle=9272 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:2896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=194 --mojo-platform-channel-handle=2292 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:3164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9612 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:6400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6620 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=197 --mojo-platform-channel-handle=5732 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=198 --mojo-platform-channel-handle=2200 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=199 --mojo-platform-channel-handle=8360 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:6752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=11300 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:2236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8268 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:2136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=202 --mojo-platform-channel-handle=5208 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:2784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=203 --mojo-platform-channel-handle=10356 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:5884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=204 --mojo-platform-channel-handle=5812 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:1
2⤵
PID:1340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4420 --field-trial-handle=1748,i,1001589670347497949,11105863324100897260,131072 /prefetch:8
2⤵
PID:5184

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4952

C:\Program Files\Avast Software\Avast\wsc_proxy.exe
"C:\Program Files\Avast Software\Avast\wsc_proxy.exe" /runassvc /rpcserver
1⤵
- Executes dropped EXE
- Checks for any installed AV software in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
PID:6148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Security Software Discovery

T1063

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery