Analysis
-
max time kernel
1799s -
max time network
1803s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
09-10-2021 11:54
General
-
Target
ShippingDocs.exe
-
Size
55KB
-
MD5
a3e458f7e2e1f940b0c62042afe607d3
-
SHA1
6fb0a031365530ebb273f47f034181a530e31b70
-
SHA256
1730338ca0fbfe0985bed5638fc8599a6dd38761ab8b89e3d8a076947a320028
-
SHA512
9d27b5a6e1086b315bb71cccca1f64e718d1815adbccde1a3483e1404ec3d5d8a6eddc90de373e362543a8db69bf5118e36fef6c8b4cc82d40a4f771b44766e8
Score
10/10
Malware Config
Extracted
Family
remcos
Version
3.3.0 Pro
Botnet
remUSD31k
C2
yedaibi.com:8760
Attributes
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
zoom-FKG2PK
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
-
take_screenshot_title
notepad;solitaire;
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Executes dropped EXE 4 IoCs
-
Patched UPX-packed file 3 IoCs
Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.
-
Loads dropped DLL 7 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ShippingDocs.exe"C:\Users\Admin\AppData\Local\Temp\ShippingDocs.exe"1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitter.com2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitter.com2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitter.com2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\ShippingDocs.exeC:\Users\Admin\AppData\Local\Temp\ShippingDocs.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\ShippingDocs.exeC:\Users\Admin\AppData\Local\Temp\ShippingDocs.exe2⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe3⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7fff94344f50,0x7fff94344f60,0x7fff94344f702⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1948 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1540 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2680 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2668 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4356 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4472 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4624 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5200 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5148 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5432 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4256 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5312 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4668 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4504 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5516 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4300 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6044 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2308 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2220 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=1728 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2104 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2152 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3592 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3756 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4344 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3260 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1348 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5508 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4948 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1504 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5560 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3724 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3012 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6008 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4368 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4964 /prefetch:82⤵
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\software_reporter_tool.exe"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=iof/ZaWs2Uciw1pgR9FPLgNvGubXgzaUdKpheink --registry-suffix=ESET --enable-crash-reporting --srt-field-trial-group-name=NewCleanerUIExperiment2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe"c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=93.269.200 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff6e9139300,0x7ff6e9139310,0x7ff6e91393203⤵
- Executes dropped EXE
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe"c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_4752_BISPQQPKMDNMWAPU" --sandboxed-process-id=2 --init-done-notifier=708 --sandbox-mojo-pipe-token=8112093405894416889 --mojo-platform-channel-handle=684 --engine=23⤵
- Executes dropped EXE
- Loads dropped DLL
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe"c:\users\admin\appdata\local\google\chrome\user data\swreporter\93.269.200\software_reporter_tool.exe" --enable-crash-reporting --use-crash-handler-with-id="\\.\pipe\crashpad_4752_BISPQQPKMDNMWAPU" --sandboxed-process-id=3 --init-done-notifier=916 --sandbox-mojo-pipe-token=10486173171912909658 --mojo-platform-channel-handle=9123⤵
- Executes dropped EXE
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4980 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4464 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2340 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4316 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5356 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4316 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,14047519222483376564,9529352778043063348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5912 /prefetch:82⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\software_reporter_tool.exeMD5
56b213ab01d46f2064880ec2dd95e3ea
SHA1f0b392a3c53a0784f017499ec0f4c6d4ace721e3
SHA256473d0f9cf295446f00f632ff7b291fe4dbca6ddf0fba50255546b8ab62fbc5e6
SHA5120a61a809398deaab7ee5e18dcba733386a583659dd0d6e851d5cfbcf212e66f7434277cde71c6fbd19c11cdf1e78beea5787d361a15ad87cc1ce84b078278ca2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\software_reporter_tool.exeMD5
56b213ab01d46f2064880ec2dd95e3ea
SHA1f0b392a3c53a0784f017499ec0f4c6d4ace721e3
SHA256473d0f9cf295446f00f632ff7b291fe4dbca6ddf0fba50255546b8ab62fbc5e6
SHA5120a61a809398deaab7ee5e18dcba733386a583659dd0d6e851d5cfbcf212e66f7434277cde71c6fbd19c11cdf1e78beea5787d361a15ad87cc1ce84b078278ca2
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\software_reporter_tool.exeMD5
56b213ab01d46f2064880ec2dd95e3ea
SHA1f0b392a3c53a0784f017499ec0f4c6d4ace721e3
SHA256473d0f9cf295446f00f632ff7b291fe4dbca6ddf0fba50255546b8ab62fbc5e6
SHA5120a61a809398deaab7ee5e18dcba733386a583659dd0d6e851d5cfbcf212e66f7434277cde71c6fbd19c11cdf1e78beea5787d361a15ad87cc1ce84b078278ca2
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
1712dab0a1bf4e9e3ff666b9c431550d
SHA134d1dec8fa95f62c72cb3f92a22c13ad9eece10f
SHA2567184a35390c8d6549ef4ddf2909c8fc3446572229bb1788fe178332d80ebfa97
SHA5126ae29c37c11c851ed337afee3c3ad654593063e76df88a6974933e449ac8d86bfa005b9bf2e0ee29aad4647b8f8f32ac753587077fd745424be7f9765688e7b7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
1c33ff599b382b705675229c91fc2f99
SHA1c20086746c14c5d57be9a3df47bd75fa77abe7e0
SHA256d46b6790776328125154bb8231deafcc7786911bea48fbcd2742c05fa1c4da0a
SHA5125b975f6b0d5407d8d43975c0fd0c26ecb155f6ee9b7416e39478f84e97deea590d1eb0cf2a972adcf96eba6745fdef472f6fcf51d85cd53c2da9b4c550ee413c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
fad4355f38eca7bf226fc32e9ed6b64b
SHA11109d7885622777add1aedbec5cb1b0fda5d79ea
SHA256e8e7c9a8e685437b8229d610e0001ff0885baf1f0c5652782f30aa30fef6c97e
SHA5128d074146c48b235348cfddf0d6d56e59e6a6d3390965c357160389593f98f3972963dfc80106c0474eacaf438f243c9b391e9be33a63df656c7294e30a0e1519
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
79adea0d0682981ccbf83b92f6814896
SHA116bbb4c49a0f246c6748545ffd4e88b39efd4499
SHA256bcc693ab7b29cbacacfb5ba1fc5447bfd3148e157d7a15763ef45cd01d9eea78
SHA51237bdf10c1b10b1fbc5c78004ee02944bc044bc0685eb18b1ced96dc3630af1f7d4a58da730985cd6ef9c1f0c3d48d5c39c281d3d5813a06b5bafe78868b459d3
-
\??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.datMD5
e6d32d99cbf15ee43075ec0066d8f99a
SHA15aeca31ee8efb42b671beff6768923064a6d1588
SHA2561704680422499d827ca907e9d638910f4b3a5f798144b254f8867c6df243683c
SHA512037d5b8a8ce59814fdee4709a658aecef9155ce6c92c88ebf2d7cc3d4e5750e81c96f5209d3c44c660f15f42251e741adfd50fe3bdc19a32049526fcf93172c2
-
\??\c:\users\admin\appdata\local\Google\Software Reporter Tool\settings.datMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\crashpad_852_APZSPBLCKEQUZOJYMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\edls_64.dllMD5
e9a7c44d7bda10b5b7a132d46fcdaf35
SHA15217179f094c45ba660777cfa25c7eb00b5c8202
SHA25635351366369a7774f9f30f38dc8aa3cd5e087acd8eae79e80c24526cd40e95a1
SHA512e76308eee65bf0bf31e58d754e07b63092a4109ef3d44df7b746da99d44be6112bc5f970123c4e82523b6d301392e09c2cfc490e304550b42d152cdb0757e774
-
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\em000_64.dllMD5
d0cf72186dbaea05c5a5bf6594225fc3
SHA10e69efd78dc1124122dd8b752be92cb1cbc067a1
SHA256225d4f7e3ab4687f05f817435b883f6c3271b6c4d4018d94fe4398a350d74907
SHA5128122a9a9205cfa67ff87cb4755089e5ed1acf8f807467216c98f09f94704f98497f7aa57ad29e255efa4d7206c577c4cf7fed140afb046499fc2e57e03f55285
-
\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\93.269.200\em001_64.dllMD5
d6385decf21bcfec1ab918dc2a4bcfd9
SHA1aa0a7cc7a68f2653253b0ace7b416b33a289b22e
SHA256c26081f692c7446a8ef7c9dec932274343faab70427c1861afef260413d79535
SHA512bbb82176e0d7f8f151e7c7b0812c6897bfacf43f93fd04599380d4f30e2e18e7812628019d7dba5c4b26cbe5a28dc0798c339273e59eee9ee814a66e55d08246
-
memory/2384-115-0x0000000000850000-0x0000000000851000-memory.dmpFilesize
4KB
-
memory/2384-1629-0x0000000001070000-0x0000000001071000-memory.dmpFilesize
4KB
-
memory/2512-126-0x0000000007D40000-0x0000000007D41000-memory.dmpFilesize
4KB
-
memory/2512-128-0x0000000007B80000-0x0000000007B81000-memory.dmpFilesize
4KB
-
memory/2512-139-0x0000000009180000-0x00000000091B3000-memory.dmpFilesize
204KB
-
memory/2512-146-0x0000000008520000-0x0000000008521000-memory.dmpFilesize
4KB
-
memory/2512-151-0x0000000009530000-0x0000000009531000-memory.dmpFilesize
4KB
-
memory/2512-152-0x000000007EBA0000-0x000000007EBA1000-memory.dmpFilesize
4KB
-
memory/2512-153-0x00000000096F0000-0x00000000096F1000-memory.dmpFilesize
4KB
-
memory/2512-208-0x0000000004923000-0x0000000004924000-memory.dmpFilesize
4KB
-
memory/2512-563-0x0000000004926000-0x0000000004928000-memory.dmpFilesize
8KB
-
memory/2512-130-0x00000000083C0000-0x00000000083C1000-memory.dmpFilesize
4KB
-
memory/2512-129-0x0000000008470000-0x0000000008471000-memory.dmpFilesize
4KB
-
memory/2512-132-0x0000000000E00000-0x0000000000E01000-memory.dmpFilesize
4KB
-
memory/2512-127-0x0000000004922000-0x0000000004923000-memory.dmpFilesize
4KB
-
memory/2512-125-0x0000000004920000-0x0000000004921000-memory.dmpFilesize
4KB
-
memory/2512-124-0x0000000007440000-0x0000000007441000-memory.dmpFilesize
4KB
-
memory/2512-123-0x00000000073D0000-0x00000000073D1000-memory.dmpFilesize
4KB
-
memory/2512-122-0x0000000007230000-0x0000000007231000-memory.dmpFilesize
4KB
-
memory/2512-121-0x0000000007530000-0x0000000007531000-memory.dmpFilesize
4KB
-
memory/2512-120-0x00000000048D0000-0x00000000048D1000-memory.dmpFilesize
4KB
-
memory/2512-117-0x0000000000000000-mapping.dmp
-
memory/2512-119-0x0000000000E00000-0x0000000000E01000-memory.dmpFilesize
4KB
-
memory/2512-118-0x0000000000E00000-0x0000000000E01000-memory.dmpFilesize
4KB
-
memory/3312-1643-0x0000000000000000-mapping.dmp
-
memory/3772-1638-0x0000000000400000-0x0000000000479000-memory.dmpFilesize
484KB
-
memory/3772-1633-0x000000000042FC39-mapping.dmp
-
memory/3996-1635-0x0000000000405D3E-mapping.dmp
-
memory/4572-1649-0x0000000000000000-mapping.dmp
-
memory/4572-1665-0x0000013880660000-0x0000013880661000-memory.dmpFilesize
4KB
-
memory/4572-1666-0x0000013880660000-0x00000138806A0000-memory.dmpFilesize
256KB
-
memory/4752-1639-0x0000000000000000-mapping.dmp
-
memory/4792-1046-0x00000000070C6000-0x00000000070C7000-memory.dmpFilesize
4KB
-
memory/4792-677-0x0000000000000000-mapping.dmp
-
memory/4792-691-0x00000000070C0000-0x00000000070C1000-memory.dmpFilesize
4KB
-
memory/4792-692-0x00000000070C2000-0x00000000070C3000-memory.dmpFilesize
4KB
-
memory/4792-796-0x00000000070C3000-0x00000000070C4000-memory.dmpFilesize
4KB
-
memory/4792-798-0x00000000070C4000-0x00000000070C6000-memory.dmpFilesize
8KB
-
memory/4808-1660-0x0000000000000000-mapping.dmp
-
memory/4988-1274-0x0000000006693000-0x0000000006694000-memory.dmpFilesize
4KB
-
memory/4988-1154-0x0000000000000000-mapping.dmp
-
memory/4988-1163-0x0000000006690000-0x0000000006691000-memory.dmpFilesize
4KB
-
memory/4988-1164-0x0000000006692000-0x0000000006693000-memory.dmpFilesize
4KB
-
memory/4988-1514-0x0000000006696000-0x0000000006697000-memory.dmpFilesize
4KB
-
memory/4988-1276-0x0000000006694000-0x0000000006696000-memory.dmpFilesize
8KB